API Vulnerabilities

<!DOCTYPE html> <html lang="en"> <head><script type="text/javascript" src="/_static/js/bundle-playback.js?v=HxkREWBo" charset="utf-8"></script> <script type="text/javascript" src="/_static/js/wombat.js?v=txqj7nKC" charset="utf-8"></script> <script>window.RufflePlayer=window.RufflePlayer||{};window.RufflePlayer.config={"autoplay":"on","unmuteOverlay":"hidden"};</script> <script type="text/javascript" src="/_static/js/ruffle/ruffle.js"></script> <script type="text/javascript"> __wm.init("https://web.archive.org/web"); __wm.wombat("https://nvd.nist.gov/developers/vulnerabilities","20220205092303","https://web.archive.org/","web","/_static/", "1644052983"); </script> <link rel="stylesheet" type="text/css" href="/_static/css/banner-styles.css?v=S1zqJCYt" /> <link rel="stylesheet" type="text/css" href="/_static/css/iconochive.css?v=3PDvdIFv" />  <title>API Vulnerabilities</title> <meta http-equiv="content-type" content="text/html; charset=UTF-8"/> <meta http-equiv="content-style-type" content="text/css"/> <meta http-equiv="content-script-type" content="text/javascript"/> <meta name="viewport" content="width=device-width, initial-scale=1.0"/> <link href="/web/20220205092303cs_/https://nvd.nist.gov/site-scripts/font-awesome/css/font-awesome.min.css" type="text/css" rel="stylesheet"/> <link href="/web/20220205092303cs_/https://nvd.nist.gov/site-media/bootstrap/css/bootstrap.min.css" type="text/css" rel="stylesheet"/> <link href="/web/20220205092303cs_/https://nvd.nist.gov/site-media/bootstrap/css/bootstrap-theme.min.css" type="text/css" rel="stylesheet"/> <link href="/web/20220205092303cs_/https://nvd.nist.gov/site-scripts/eonasdan-bootstrap-datetimepicker/build/css/bootstrap-datetimepicker.min.css" type="text/css" rel="stylesheet"/> <link href="/web/20220205092303cs_/https://nvd.nist.gov/site-media/css/nist-fonts.css" type="text/css" rel="stylesheet"/> <link href="/web/20220205092303cs_/https://nvd.nist.gov/site-media/css/base-style.css" type="text/css" rel="stylesheet"/> <link href="/web/20220205092303cs_/https://nvd.nist.gov/site-media/css/media-resize.css" type="text/css" rel="stylesheet"/> <meta name="theme-color" content="#000000"> <script src="/web/20220205092303js_/https://nvd.nist.gov/site-scripts/jquery/dist/jquery.min.js" type="text/javascript"></script> <script src="/web/20220205092303js_/https://nvd.nist.gov/site-scripts/jquery-visible/jquery.visible.min.js" type="text/javascript"></script> <script src="/web/20220205092303js_/https://nvd.nist.gov/site-scripts/underscore/underscore-min.js" type="text/javascript"></script> <script src="/web/20220205092303js_/https://nvd.nist.gov/site-media/bootstrap/js/bootstrap.js" type="text/javascript"></script> <script src="/web/20220205092303js_/https://nvd.nist.gov/site-scripts/moment/min/moment.min.js" type="text/javascript"></script> <script src="/web/20220205092303js_/https://nvd.nist.gov/site-scripts/eonasdan-bootstrap-datetimepicker/build/js/bootstrap-datetimepicker.min.js" type="text/javascript"></script> <script src="/web/20220205092303js_/https://nvd.nist.gov/site-media/js/megamenu.js" type="text/javascript"></script> <script src="/web/20220205092303js_/https://nvd.nist.gov/site-media/js/nist-exit-script.js" type="text/javascript"></script> <script src="/web/20220205092303js_/https://nvd.nist.gov/site-media/js/forms.js" type="text/javascript"></script>  <script src="/web/20220205092303js_/https://nvd.nist.gov/site-media/js/federated-analytics.all.min.js?agency=NIST&subagency=nvd&pua=UA-37115410-41&yt=true" type="text/javascript" id="_fed_an_js_tag"></script> <style id="antiClickjack"> body > * { display: none !important; } #antiClickjack { display: block !important; } </style> <noscript> <style id="antiClickjackNoScript"> body > * { display: block !important; } #antiClickjack { display: none !important; } </style> </noscript> <script type="text/javascript" id="antiClickjackScript"> if (self === top) { // no clickjacking var antiClickjack = document.getElementById("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack); } else { setTimeout( tryForward(), 5000); } function tryForward(){ top.location = self.location; } </script> <meta charset="UTF-8"> <link href="/web/20220205092303cs_/https://nvd.nist.gov/site-media/css/nvd-style.css" type="text/css" rel="stylesheet"/> <link href="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/favicons/apple-touch-icon.png" rel="apple-touch-icon" type="image/png" sizes="180x180"/> <link href="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/favicons/favicon-32x32.png" rel="icon" type="image/png" sizes="32x32"/> <link href="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/favicons/favicon-16x16.png" rel="icon" type="image/png" sizes="16x16"/> <link href="/web/20220205092303/https://nvd.nist.gov/site-media/images/favicons/manifest.json" rel="manifest"/> <link href="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/favicons/safari-pinned-tab.svg" rel="mask-icon" color="#000000"/> <link href="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/favicons/favicon.ico" rel="shortcut icon"/> <meta name="msapplication-config" content="/site-media/images/favicons/browserconfig.xml"/> <link href="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/favicons/favicon.ico" rel="shortcut icon" type="image/x-icon"/> <link href="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/favicons/favicon.ico" rel="icon" type="image/x-icon"/> <meta charset="UTF-8"> <meta name="viewport1" content="width=device-width, initial-scale=1"> <script> function toggleMoreCode(elementId, iconId) { var x = document.getElementById(elementId); if (x.style.display === "none") { x.style.display = "block"; } else { x.style.display = "none"; } if(typeof iconId !== 'undefined') { var y = document.getElementById(iconId); if (x.style.display === "block") { y.classList.add("fa-minus"); y.classList.remove("fa-plus"); } else { y.classList.add("fa-plus"); y.classList.remove("fa-minus"); } } } </script> <style> .json-code { width: 100%; background-color: rgb(245, 245, 245); margin-top: 10px; font-family:'Lucida Console', monospace; } /* Tooltip container */ .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; /* If you want dots under the hoverable text */ } /* Tooltip text */ .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: black; color: #fff; text-align: center; padding: 5px 0; border-radius: 6px; /* Position the tooltip text - see examples below! */ position: absolute; z-index: 1; } /* Show the tooltip text when you mouse over the tooltip container */ .tooltip:hover .tooltiptext { visibility: visible; } </style> <meta name="viewport1" content="width=device-width, initial-scale=1"> </head> <body> <div> <div id="antiClickjack" style="display: none"> <h1>You are viewing this page in an unauthorized frame window.</h1> <p> This is a potential security issue, you are being redirected to <a href="https://web.archive.org/web/20220205092303/https://nvd.nist.gov/">https://nvd.nist.gov</a> </p> </div> <div> <section class="usa-banner" aria-label="Official government website"> <div class="usa-accordion container"> <header class="usa-banner__header"> <noscript> <p style="font-size: 0.85rem; font-weight: bold;">You have JavaScript disabled. This site requires JavaScript to be enabled for complete site functionality.</p> </noscript> <img class="usa-banner__header-flag" src="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/usbanner/us_flag_small.png" alt="U.S. flag">   <span class="usa-banner__header-text">An official website of the United States government</span> <button id="gov-banner-button" class="usa-accordion__button usa-banner__button" data-toggle="collapse" data-target="#gov-banner" aria-expanded="true" aria-controls="gov-banner"> <span class="usa-banner__button-text">Here's how you know</span> </button> </header> <div class="usa-banner__content usa-accordion__content collapse" role="tabpanel" id="gov-banner" aria-expanded="true"> <div class="row"> <div class="col-md-5 col-sm-12"> <div class="row"> <div class="col-sm-2 col-xs-3"> <img class="usa-banner__icon usa-media-block__img" src="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/usbanner/icon-dot-gov.svg" alt="Dot gov"> </div> <div class="col-sm-10 col-xs-9"> <p> <strong>Official websites use .gov</strong> <br> A <strong>.gov</strong> website belongs to an official government organization in the United States. </p> </div> </div> </div> <div class="col-md-5 col-sm-12"> <div class="row"> <div class="col-sm-2 col-xs-3"> <img class="usa-banner__icon usa-media-block__img" src="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/usbanner/icon-https.svg" alt="Https"> </div> <div class="col-sm-10 col-xs-9"> <p> <strong>Secure .gov websites use HTTPS</strong> <br> A <strong>lock</strong> (<img class="usa-banner__lock" src="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/usbanner/lock.svg" alt="Dot gov">) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites. </p> </div> </div> </div> </div> </div> </div> </section> </div> <nav id="navbar" class="navbar"> <div id="nist-menu-container" class="container"> <div class="row">  <div class="col-xs-6 col-md-4 navbar-header"> <a class="navbar-brand" href="https://web.archive.org/web/20220205092303/https://www.nist.gov/" target="_blank" id="navbar-brand-image"> <img src="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/svg/nist-logo.svg" alt="National Institute of Standards and Technology" width="110" height="30"> </a> </div> <div class="col-xs-6 col-md-8 navbar-nist-logo"> <span id="nvd-menu-button" class="pull-right"> <a href="#"> <span class="fa fa-bars"></span> <span id="nvd-menu-full-text"><span class="hidden-xxs">NVD </span>MENU</span> </a> </span> </div> </div> </div> <div class="main-menu-row container">  <div id="main-menu-drop" class="col-lg-12" style="display: none;"> <ul> <li><a href="/web/20220205092303/https://nvd.nist.gov/general"> General <span class="expander fa fa-plus" id="main-menu-expander-general" data-expander-name="general" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="general"> <div class="row"> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/general/nvd-dashboard">NVD Dashboard</a> </p> <p> <a href="/web/20220205092303/https://nvd.nist.gov/general/news">News</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/general/email-list">Email List</a> </p> <p> <a href="/web/20220205092303/https://nvd.nist.gov/general/faq">FAQ</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/general/visualizations">Visualizations</a> </p> </div> </div> </div></li> <li><a href="/web/20220205092303/https://nvd.nist.gov/vuln"> Vulnerabilities <span class="expander fa fa-plus" id="main-menu-expander-vulnerabilities" data-expander-name="vulnerabilities" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="vulnerabilities"> <div class="row"> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/vuln/search">Search & Statistics</a> </p> <p> <a href="/web/20220205092303/https://nvd.nist.gov/vuln/full-listing">Full Listing</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/vuln/categories">Categories</a> </p> <p> <a href="/web/20220205092303/https://nvd.nist.gov/vuln/data-feeds">Data Feeds</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/vuln/vendor-comments">Vendor Comments</a> </p> <p> <a href="/web/20220205092303/https://nvd.nist.gov/vuln/cvmap">CVMAP</a> </p> </div> </div> </div></li> <li><a href="/web/20220205092303/https://nvd.nist.gov/vuln-metrics/cvss"> Vulnerability Metrics <span class="expander fa fa-plus" id="main-menu-expander-metrics" data-expander-name="metrics" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="metrics"> <div class="row"> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator">CVSS V3 Calculator</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator">CVSS V2 Calculator</a> </p> </div> <div class="col-lg-4"></div> </div> </div></li> <li><a href="/web/20220205092303/https://nvd.nist.gov/products"> Products <span class="expander fa fa-plus" id="main-menu-expander-products" data-expander-name="products" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="products"> <div class="row"> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/products/cpe">CPE Dictionary</a> </p> <p> <a href="/web/20220205092303/https://nvd.nist.gov/products/cpe/search">CPE Search</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/products/cpe/statistics">CPE Statistics</a> </p> <p> <a href="/web/20220205092303/https://nvd.nist.gov/products/swid">SWID</a> </p> </div> <div class="col-lg-4"></div> </div> </div></li> <li> <a href="/web/20220205092303/https://nvd.nist.gov/developers">Developers<span class="expander fa fa-plus" id="main-menu-expander-developers" data-expander-name="developers" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="developers"> <div class="row"> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/developers">Start Here</a> </p> <p> <a href="/web/20220205092303/https://nvd.nist.gov/developers/request-an-api-key">Request an API Key</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/developers/vulnerabilities">Vulnerabilities</a> </p> <p> <a href="/web/20220205092303/https://nvd.nist.gov/developers/products">Products</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/developers/terms-of-use">Terms of Use</a> </p> </div> </div> </div> </li> <li><a href="/web/20220205092303/https://nvd.nist.gov/info"> Contact NVD </a></li> <li><a href="/web/20220205092303/https://nvd.nist.gov/other"> Other Sites <span class="expander fa fa-plus" id="main-menu-expander-othersites" data-expander-name="otherSites" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="otherSites"> <div class="row"> <div class="col-lg-4"> <p> <a href="https://web.archive.org/web/20220205092303/https://ncp.nist.gov/">Checklist (NCP) Repository</a> </p> <p> <a href="https://web.archive.org/web/20220205092303/https://ncp.nist.gov/cce">Configurations (CCE)</a> </p> <p> <a href="https://web.archive.org/web/20220205092303/https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53">800-53 Controls</a> </p> </div> <div class="col-lg-4"> <p> <a href="https://web.archive.org/web/20220205092303/https://csrc.nist.gov/projects/scap-validation-program">SCAP Validated Tools</a> </p> <p> <a href="https://web.archive.org/web/20220205092303/https://csrc.nist.gov/projects/security-content-automation-protocol">SCAP</a> </p> </div> <div class="col-lg-4"> <p> <a href="https://web.archive.org/web/20220205092303/https://csrc.nist.gov/projects/united-states-government-configuration-baseline">USGCB</a> </p> </div> </div> </div></li> <li><a href="/web/20220205092303/https://nvd.nist.gov/search"> Search <span class="expander fa fa-plus" id="main-menu-expander-search" data-expander-name="search" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="search"> <div class="row"> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/vuln/search">Vulnerability Search</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20220205092303/https://nvd.nist.gov/products/cpe/search">CPE Search</a> </p> </div> </div> </div></li> </ul> </div>  </div> </nav> <section id="itl-header" class="has-menu"> <div class="container"> <div class="row"> <div class="col-sm-12 col-md-8"> <h2 class="hidden-xs hidden-sm"> <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/itl" target="_blank">Information Technology Laboratory</a> </h2> <h1 class="hidden-xs hidden-sm"> <a id="nvd-header-link" href="/web/20220205092303/https://nvd.nist.gov/">National Vulnerability Database</a> </h1> <h1 class="hidden-xs text-center hidden-md hidden-lg">National Vulnerability Database</h1> <h1 class="hidden-sm hidden-md hidden-lg text-center">NVD</h1> </div> <div class="col-sm-12 col-md-4"> <a style="width: 100%; text-align: center; display: block;"><img class="nvd-header-logo" alt="NVD Logo" src="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/NVD-white-55.png"/></a> </div> </div> </div> </section> </div> <div id="body-section" class="container"> <div class="row"> <ol class="breadcrumb"> <li> <a href="/web/20220205092303/https://nvd.nist.gov/developers" class="CMSBreadCrumbsLink">Developers</a> </li> </ol> </div> <div> <div id="divVulnerabilities" class="row"> <h2>Vulnerabilities</h2> <p> This quickstart assumes that you already understand at least one common programming language and are generally familiar with JSON RESTful services. JSON specifies the format of the data returned by the REST service. REST refers to a style of services that allow computers to communicate via HTTP over the Internet. </p> </div> <div id="divRequests" class="row"> <h3>Requests</h3> <p> All requests to the API use the HTTP GET method. The URL stem for making requests is different depending on whether the request is for one specific CVE, or a collection of CVEs. REST parameters allow you to control and customize which vulnerabilities are returned. The parameters are akin to those found on the NVD public vulnerability search page, https://nvd.nist.gov/vuln/search. </p> </div> <div id="divGetCVE" class="row"> <h3>Retrieve a specific CVE</h3> <p> The URL stem for retrieving a single CVE is shown below. </p> <p class="urlSnippet"> https://services.nvd.nist.gov/rest/json/cve/1.0/ </p> </div> <h4 title="Click to expand or collapse"> <a id="toggleGetCVEParameters" onclick="toggleMoreCode('divGetCVEParameters', 'iconGetCveParams')"> <span class="fa fa-plus" id="iconGetCveParams"></span> Parameters </a> </h4> <div id="divGetCVEParameters" class="row" style="display: none"> <div class="tooltip"> <span class="tooltiptext">Click to expand or collapse</span> </div> <table class="table"> <tr> <td> <p style="font-family:'Lucida Console', monospace"> <strong>cveId</strong> <span style="color:orangered">REQUIRED</span> </p> <p> The CVE Identifier. This is the only parameter that is part of the URL Path. </p> </td> </tr> <tr> <td> <p style="font-family:'Lucida Console', monospace"> <strong>addOns</strong> <span style="color:grey">optional</span> </p> <p> This parameter is part of the URL query. </p> <p> <code> dictionaryCpes </code> By default, the response includes all CPE applicability statements associated with the vulnerability. Applicability statements are CPE match strings that may be used in searching the Official CPE Dictionary. Including <code>addOns=dictionaryCpes</code> adds the official CPE names to the request, but can return a signifigantly denser amount of text. </p> </td> </tr> <tr> <td> <p style="font-family:'Lucida Console', monospace"> <strong>apiKey</strong> <span style="color:grey">optional</span> </p> <p> The API Key provided to the requestor. This parameter is part of the URL query. </p> </td> </tr> </table> </div> <div id="divCollectionCVE" class="row"> <h3>Retrieve a collection of CVE</h3> <p> The parameters used to retrieve a collection are intended to limit or filter results. The parameters selected for the request are known as the search critera, and all parameters should be included in the URL query. Please note how the only difference betweeen the URL for requesting a single CVE and requesting a collection is a single "s". </p> <p class="urlSnippet"> https://services.nvd.nist.gov/rest/json/cves/1.0/ </p> </div> <h4 title="Click to expand or collapse"> <a id="toggleGetCollectionParameters" onclick="toggleMoreCode('divCollectionParameters', 'iconColParams')"> <span class="fa fa-plus" id="iconColParams"></span> Parameters </a> </h4> <div id="divCollectionParameters" class="row" style="display: none"> <table class="table"> <tr> <td> <p class="paramName"> addOns <span class="paramOptional"> optional </span> </p> <p> This parameter is part of the URL query. </p> <p> <code> dictionaryCpes </code> By default, the response includes all CPE applicability statements associated with the vulnerability. Applicability statements are CPE match strings that may be used in searching the Official CPE Dictionary. Including <code>addOns=dictionaryCpes</code> adds the official CPE names to the request, but can return a signifigantly denser amount of text. </p> </td> </tr> <tr> <td> <p class="paramName"> apiKey <span class="paramOptional"> optional </span> </p> <p> The API Key provided to the requestor. This parameter is part of the URL query. </p> </td> </tr> <tr> <td> <p class="paramName"> cpeMatchString <span class="paramOptional"> optional </span> </p> <p> This parameter is used to filter vulnerabilities based on the affected products. The value of <code>cpeMatchString</code> is compared it against the CPE Match Criteria present on all CVE applicability statements. For more information on Common Platform Enumeration (CPE) please visit NIST's <a href="https://web.archive.org/web/20220205092303/https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/cpe">Computer Security Resource Center</a>. </p> </td> </tr> <tr> <td> <p class="paramName"> cvssV2Metrics <span class="paramOptional"> optional </span> </p> <p> These parameters are used to filter vulnerabilities based on <a href="https://web.archive.org/web/20220205092303/https://www.first.org/cvss/specification-document">CVSS vector strings.</a> Either full or partial vector strings may be used. </p> <p style="font-family:'Lucida Console', monospace;font-size: smaller; margin-left: 40px"> https://services.nvd.nist.gov/rest/json/cves/1.0?cvssV2Metrics=AV:L/AC:H/Au:M/C:N/I:N/A:N </p> <p style="font-family:'Lucida Console', monospace; font-size: smaller; margin-left: 40px"> https://services.nvd.nist.gov/rest/json/cves/1.0?cvssV2Metrics=C:H/A:N </p> </td> </tr> <tr> <td> <p class="paramName"> cvssV2Severity <span class="paramOptional"> optional </span> </p> <p> CVSS refers to the scoring system used by NIST to assess the severity of vulnerabilities, <a href="https://web.archive.org/web/20220205092303/https://cwe.mitre.org/"> https://www.first.org/cvss/</a>. Either the <code>cvssV2Severity</code> or <code>cvssV3Severity</code> parameter may be used to find vulnerabilities having a severity of LOW, MEDIUM, or HIGH. For CVSS V3.x, <code>cvssV3Severity=CRITICAL</code> is also supported. </p> </td> </tr> <tr> <td> <p class="paramName"> cvssV3Metrics <span class="paramOptional"> optional </span> </p> <p> These parameters are used to filter vulnerabilities based on <a href="https://web.archive.org/web/20220205092303/https://www.first.org/cvss/specification-document">CVSS vector strings.</a> Either full or partial vector strings may be used. </p> <p style="font-family:'Lucida Console', monospace;font-size: smaller; margin-left: 40px"> https://services.nvd.nist.gov/rest/json/cves/1.0?cvssV3Metrics=S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/A:N/E:F/RL:X/CR:H/IR:H/AR:H </p> <p style="font-family:'Lucida Console', monospace; font-size: smaller; margin-left: 40px"> https://services.nvd.nist.gov/rest/json/cves/1.0?cvssV3Metrics=S:U/AV:N/AC:L/PR:H/UI:N/C:L/I:L/A:N/E:F/RL:X </p> </td> </tr> <tr> <td> <p class="paramName"> cvssV3Severity <span class="paramOptional"> optional </span> </p> <p> CVSS refers to the scoring system used by NIST to assess the severity of vulnerabilities, <a href="https://web.archive.org/web/20220205092303/https://cwe.mitre.org/"> https://www.first.org/cvss/</a>. Either the <code>cvssV2Severity</code> or <code>cvssV3Severity</code> parameter may be used to find vulnerabilities having a severity of LOW, MEDIUM, or HIGH. For CVSS V3.x, <code>cvssV3Severity=CRITICAL</code> is also supported. </p> </td> </tr> <tr> <td> <p class="paramName"> cweId <span class="paramOptional"> optional </span> </p> <p> CWE refers to the classification of vulnerabilities used by NIST and managed by MITRE at <a href="https://web.archive.org/web/20220205092303/https://cwe.mitre.org/"> https://cwe.mitre.org/</a>. NVD analysts associate one or more CWE to each vulnerability during the analysis process. </p> </td> </tr> <tr> <td> <p class="paramName"> includeMatchStringChange <span class="paramOptional"> optional </span> </p> <p> <code> true </code> By default, the <code>modStartDate</code> and <code>modEndDate</code> parameters include only a collection of CVE where the CVE information was modified. The modification of product names by NIST in the Official CPE Dictionary does not modify related CVE. <code>includeMatchStringChange=true</code> returns a collection of CVE where either the vulnerabilities or the associated product names were modified. </p> </td> </tr> <tr> <td> <p class="paramName"> isExactMatch <span class="paramOptional"> optional </span> </p> <p> <code> true </code> If the keyword is a phrase, i.e., contains more than one term, including <code>isExactMatch=true</code> retrieves records matching the exact phrase. Otherwise, the results contain any record having any of the terms. </p> </td> </tr> <tr> <td> <p class="paramName"> keyword <span class="paramOptional"> optional </span> </p> <p> This parameter is used to retrieve records where a word or phrase is found in the vulnerability description or reference links. </p> </td> </tr> <tr> <td> <p class="paramName"> modStartDate <span class="paramOptional"> optional </span> </p> <p class="paramName"> modEndDate <span class="paramOptional"> optional </span> </p> <p> These parameters specify a collection of CVE that were modified during the period. If filtering by the modification date, both <code>modStartDate</code> and <code>modEndDate</code> are <span style="font-family:'Lucida Console', monospace; color:orangered">REQUIRED</span>. Filtering with only one parameter will return a successful response without data. The maximum allowable range when using the date range parameters is 120 consecutive days. Date range parameters are in the form: </p> <p class="urlSnippet"> yyyy-MM-ddTHH:mm:ss:SSS Z </p> <p> The T is a literal to separate the date from the time. The Z indicates an offset-from-UTC. If a positive Z value is used (such as +01:00 for Central European Time) then the "+" should be encoded in the request as "%2B". This may be handled automatically by the user agent. An example is provided below showing a +01:00 offset-from-UTC. </p> <p style="font-family:'Lucida Console', monospace; font-size: smaller; margin-left: 40px"> https://services.nvd.nist.gov/rest/json/cves/1.0/?modStartDate=2021-08-04T13:00:00:000 UTC%2B01:00&modEndDate;=2021-10-22T13:36:00:000 UTC%2B01:00 </p> </td> </tr> <tr> <td> <p class="paramName"> pubStartDate <span class="paramOptional"> optional </span> </p> <p class="paramName"> pubEndDate <span class="paramOptional"> optional </span> </p> <p> These parameters specify a collection of CVE that were added to the NVD (i.e., published) during the period. If filtering by the publication date, both <code>pubStartDate</code> and <code>pubEndDate</code> are <span style="font-family:'Lucida Console', monospace; color:orangered">REQUIRED</span>. Filtering with only one parameter will return a successful response without data. The maximum allowable range when using the date range parameters is 120 consecutive days. Date range parameters are in the form: </p> <p class="urlSnippet"> yyyy-MM-ddTHH:mm:ss:SSS Z </p> <p> The T is a literal to separate the date from the time. The Z indicates an offset-from-UTC. If a positive Z value is used (such as +01:00 for Central European Time) then the "+" should be encoded in the request as "%2B". This may be handled automatically by the user agent. An example is provided below showing a -05:00 offset-from-UTC. </p> <p style="font-family:'Lucida Console', monospace; font-size: smaller; margin-left: 40px"> https://services.nvd.nist.gov/rest/json/cves/1.0/?pubStartDate=2021-08-04T13:00:00:000 UTC-05:00&pubEndDate;=2021-10-22T13:36:00:000 UTC-05:00 </p> </td> </tr> <tr> <td> <p class="paramName"> resultsPerPage <span class="paramOptional"> optional </span> </p> <p> This parameter specifies the maximum number of results that are returned based on the request parameters. The default value is 20. For network considerations, maximum allowable limit is 2,000. </p> <p> The response content <code>totalResults</code> indicates the number of CVE results that match request parameters. If the value of <code>totalResults</code> is greater than the value of <code>resultsPerPage</code>, the parameter <code>startIndex</code> may be used in subsequent requests to identify the starting point for the request. </p> </td> </tr> <tr> <td> <p class="paramName"> startIndex <span class="paramOptional"> optional </span> </p> <p> This parameter determines the first CVE in the collection returned by the response. The index is zero-based, meaning the first CVE is at index zero. The response header <code>totalResults</code> indicates the number of CVE results that match request parameters. If the value of <code>totalResults</code> is greater than the value of <code>resultsPerPage</code>, the parameter <code>startIndex</code> may be used in subsequent requests to identify the first CVE for the request. </p> <p> The best, most efficient, practice for keeping up to date with the NVD is to use the date range parameters in order to request only those CVE that have been published or modified since the last request. </p> <p> Presently NVD contains more than 160,000 vulnerabilities relating to thousands of vendor products. Multiple consecutive requests are required to return all available records. Requesting an API key signifigantly raises the number of requests that can be made in a given timeframe. However, NIST firewall rules in place to prevent denial of service attacks on NVD can thwart your application. To avoid this, it is recommended that your application sleeps for several seconds between requests in order that your legitimate requests are not denied. </p> </td> </tr> </table> </div> <div id="divResponse" class="row"> <h3>Response</h3> <p> This section describes the response returned by the vulnerability API. Each CVE has a text description and reference links. Vulnerabilities that have undergone NVD analysis include CVSS scores, product applicability statements, and more. The response is based on four JSON schema that were developed independently as part of three separate initiatives. Hence the stylistic differences in data element names. The following diagram shows where the main feed schema is dependent on the other three. </p> <div id="divImage" class="row"> <div class="col-md-6" style="padding:0px;"> <div class="text-center"> <span> <a href="https://web.archive.org/web/20220205092303/https://csrc.nist.gov/schema/nvd/feed/1.1/nvd_cve_feed_json_1.1.schema"> <img alt="Graphical representation of the JSON response schema" src="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/vuln/cve-json-schema.svg" style="width: 992px; height: 292px"/> <br> Click to view the full JSON response schema </a> </span> </div> </div> </div> <br> </div> <h4 title="Click to expand or collapse"> <a id="toggleResponseBody" onclick="toggleMoreCode('divResponseBody', 'iconResponseBody')"> <span class="fa fa-plus" id="iconResponseBody"></span> Response Body </a> </h4> <div id="divResponseBody" class="row" style="display: none"> <p> The vulnerabilities API returns four primary elements in the body of the response: <code>resultsPerPage</code>, <code>startIndex</code>, <code>totalResults</code>, and <code>result</code>. <p> <p> The first three elements identify how how many CVE meet the search criteria and how many CVE have been returned in this response. The element <code>totalResults</code> indicates the number of CVE results that match search critera. If the value of <code>totalResults</code> is greater than the value of <code>resultsPerPage</code>, then additional requests are nessecary to return the remaining CVE. The parameter <code>startIndex</code> may be used in subsequent requests to identify the starting point for the request next. More information and the best practices for using <code>resultsPerPage</code> and <code>startIndex</code> are described above. </p> <p> The <code>result</code> element contains an array of five additional elements. <code>CVE_data_type</code>, <code>CVE_data_format</code>, <code>CVE_data_version</code>, and <code>CVE_data_timestamp</code> describe the request while the fifth element <code>CVE_Items</code> contains the CVE. </p> <h5 style="font-family:'Lucida Console', monospace">CVE Items</h5> <p> At the high-level, each vulnerability in the <code>CVE_Items</code> array can have the following elements: </p> <table class="table"> <tr> <td> <p class="paramName"> cve <span class="paramRequired">required</span> </p> <p> This element contains the CVE identifier, description, reference links, and problem type (CWE). In rare occasions <code>description_data</code> can contain multiple values. All vulnerabilities have at least one Internet link under <code>references</code> that provides additional information about the vulnerability. NIST categorizes link using the <code>tags</code> elements, e.g., Third Party Advisory. All CWE assigned to a vulnerability are found in <code>problem_type</code>. In some cases there are more than one CWE. </p> <button onclick="toggleMoreCode('jsonWindowCve')">Toggle JSON</button> <div id="jsonWindowCve" style="display: none;"> <pre class="json-code"> "cve":{ "data_type":"CVE", "data_format":"MITRE", "data_version":"4.0", "CVE_data_meta":{ "ID":"CVE-2019-1010218", "ASSIGNER":"cve@mitre.org" }, "description":{ "description_data":[{ "lang":"en", "value":"Cherokee Webserver Latest Cherokee Web server Upto Version 1.2.103 (Current stable) is affected by: Buffer Overflow - CWE-120. The impact is: Crash. The component is: Main cherokee command. The attack vector is: Overwrite argv[0] to an insane length with execl. The fixed version is: There's no fix yet." }] }, "references":{ "reference_data":[{ "url":"https://i.imgur.com/PWCCyir.png", "name":"https://i.imgur.com/PWCCyir.png", "refsource":"MISC", "tags":["Exploit","Third Party Advisory"] }] }, "problemtype":{ "problemtype_data":[{ "description":[{ "lang":"en", "value":"CWE-119" }] }] }, } </pre> </div> </td> </tr> <tr> <td> <p class="paramName"> configurations <span class="paramOptional">not required</span> </p> <p> The configurations element has the CVE applicability statements that convey which product, or products, are associated with the vulnerability according to analysis by NIST. Recall that each CPE shown here is a match string that can be used to search the Official CPE Dictionary. </p> <p> Configurations are a tree, or hierarchical data structure consisting of nodes where each node contains CPE match string or child nodes. (A node will never contain both CPEs and child nodes, and is never empty.) </p> <p> Each node has either an OR- or an AND-operator (and in rare cases a NEGATE flag) to covey the logical relationship of the CPE or child nodes within. For example, if the vulnerability exists only when both CPE products are present, the operator is “AND”. If the vulnerability exists if either CPE is present, then the operator is “OR”. </p> <button onclick="toggleMoreCode('jsonWindowConfig')">Toggle JSON</button> <div id="jsonWindowConfig" style="display: none;"> <pre class="json-code"> "configurations":{ "CVE_data_version":"4.0", "nodes":[{ "operator":"AND", "children":[{ "operator":"OR", "cpe_match":[{ "vulnerable":true, "cpe23Uri":"cpe:2.3:o:tesla:model_3_firmware:-:*:*:*:*:*:*:*" }] },{ "operator":"OR", "cpe_match":[{ "vulnerable":false, "cpe23Uri":"cpe:2.3:h:tesla:model_3:-:*:*:*:*:*:*:*" }] } ] }] }, </pre> <p class="commentInJson"> Notice that the first product is marked as vulnerable, but the second is not. (The vulnerability is said to exist only if the firmware in this example is running on the hardware.) Configurations vary in complexity, partly due to their recursive nature. Some vulnerabilities have one node with one CPE, while others have more than one configuration, i.e., more than one root node element. Nodes may contain a single CPE match string or dozens. </p> <p class="commentInJson"> In some cases, the CPE match string indicates a range of product versions. Notice in the following example that the version is not specified in the <code>cpe23Uri</code> element; instead, the <code>versionEndIncluding</code> indicates the last vulnerable version. Other possible elements are <code>versionEndExcluding</code>, <code>versionStartIncluding</code>, and <code>versionStartExcluding</code>. </p> <pre class="json-code"> "configurations" : { "CVE_data_version" : "4.0", "nodes" : [ { "operator" : "OR", "cpe_match" : [ { "vulnerable" : true, "cpe23Uri" : "cpe:2.3:a:imapfilter_project:imapfilter:*:*:*:*:*:*:*:*", "versionEndIncluding" : "2.6.12" } ] } ] }, </pre> <p class="commentInJson"> Recall that the vulnerability service has an optional query parameter, <code>addOns=dictionaryCpes</code>, described above. When the request has this parameter, the response returns official CPE names for each CPE match string in the configuration, in so far as they are present in the Official CPE Dictionary. The following example shows matching CPE names for a match string. </p> <pre class="json-code"> "configurations":{ "CVE_data_version":"4.0", "nodes":[{ "operator":"OR", "negate":false, "cpe_match":[{ "vulnerable":true, "cpe23Uri":"cpe:2.3:a:elementor:elementor:*:*:*:*:*:*:*:*", "versionEndExcluding":"1.8.0", "cpe_name":[{ "cpe23Uri":"cpe:2.3:a:elementor:elementor:-:*:*:*:*:*:*:*", "lastModifiedDate":"2019-09-10T15:38Z"}, {"cpe23Uri":"cpe:2.3:a:elementor:elementor:0.1.0:*:*:*:*:*:*:*", "lastModifiedDate":"2019-09-10T15:38Z"}, {"cpe23Uri":"cpe:2.3:a:elementor:elementor:0.1.1:*:*:*:*:*:*:*", "lastModifiedDate":"2019-09-10T15:38Z"}, {"cpe23Uri":"cpe:2.3:a:elementor:elementor:0.1.2:*:*:*:*:*:*:*", "lastModifiedDate":"2019-09-10T15:38Z"}, {"cpe23Uri":"cpe:2.3:a:elementor:elementor:0.1.3:*:*:*:*:*:*:*", "lastModifiedDate":"2019-09-10T15:38Z"}, </pre> <p class="commentInJson"> Since configurations can be large, and the number of matches can be many, applications are cautioned from using this parameter for requests that return large numbers of vulnerabilities. </p> </div> </td> </tr> <tr> <td> <p class="paramName"> impact <span class="paramOptional">not required</span> </p> <p> The impact element provides the CVSS severity scores for the vulnerability if it has been analyzed by NIST. The <code>cvssV3</code> and <code>cvssV2</code> elements within the impact element conform to the cvss-v3.x.json and cvssv2.0.json schemas, respectively. Additional elements provided by NIST conform to the parent nvd_cve_feed_json_1.1.schema such as the exploitability and impact sub-scores. </p> <button onclick="toggleMoreCode('jsonWindowImpact')">Toggle JSON</button> <div id="jsonWindowImpact" style="display: none;"> <pre class="json-code"> "impact":{ "baseMetricV3":{ "cvssV3":{ "version":"3.0", "vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector":"NETWORK", "attackComplexity":"LOW", "privilegesRequired":"NONE", "userInteraction":"REQUIRED", "scope":"UNCHANGED", "confidentialityImpact":"HIGH", "integrityImpact":"HIGH", "availabilityImpact":"HIGH", "baseScore":8.8, "baseSeverity":"HIGH" }, "exploitabilityScore":2.8, "impactScore":5.9 }, "impact":{ "baseMetricV2":{ "cvssV2":{ "version":"2.0", "vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P", "accessVector":"NETWORK", "accessComplexity":"MEDIUM", "authentication":"NONE", "confidentialityImpact":"PARTIAL", "integrityImpact":"PARTIAL", "availabilityImpact":"PARTIAL", "baseScore":6.8 }, "severity":"MEDIUM", "exploitabilityScore":8.6, "impactScore":6.4, "obtainAllPrivilege":false, "obtainUserPrivilege":false, "obtainOtherPrivilege":false, "userInteractionRequired":true } } </pre> </div> </td> </tr> <tr> <td> <p class="paramName"> publishedDate <span class="paramOptional">not required</span> </p> <p> The date that the CVE was published. </p> </td> </tr> <tr> <td> <p class="paramName"> lastModifiedDate <span class="paramOptional">not required</span> </p> <p> The date that the CVE was last modified. </p> </td> </tr> </table> </div> <div id="divContact" class="row"> <br> <p> Questions, comments, or concerns may be shared with the NVD by emailing <a href="https://web.archive.org/web/20220205092303/mailto:nvd@nist.gov">nvd@nist.gov</a> </p> </div> </div> </div> <footer id="footer"> <div class="container"> <div class="row"> <div class="col-sm-12"> <ul class="social-list pull-right"> <li class="field-item service-twitter list-horiz"><a href="https://web.archive.org/web/20220205092303/https://twitter.com/NISTCyber" target="_blank" class="social-btn social-btn--large extlink ext"> <i class="fa fa-twitter fa-fw"><span class="element-invisible">twitter</span></i><span class="ext"><span class="element-invisible"> (link is external)</span></span> </a></li> <li class="field-item service-facebook list-horiz"><a href="https://web.archive.org/web/20220205092303/https://www.facebook.com/NIST" target="_blank" class="social-btn social-btn--large extlink ext"> <i class="fa fa-facebook fa-fw"><span class="element-invisible">facebook</span></i><span class="ext"><span class="element-invisible"> (link is external)</span></span></a></li> <li class="field-item service-linkedin list-horiz"><a href="https://web.archive.org/web/20220205092303/https://www.linkedin.com/company/nist" target="_blank" class="social-btn social-btn--large extlink ext"> <i class="fa fa-linkedin fa-fw"><span class="element-invisible">linkedin</span></i><span class="ext"><span class="element-invisible"> (link is external)</span></span></a></li> <li class="field-item service-youtube list-horiz"><a href="https://web.archive.org/web/20220205092303/https://www.youtube.com/user/USNISTGOV" target="_blank" class="social-btn social-btn--large extlink ext"> <i class="fa fa-youtube fa-fw"><span class="element-invisible">youtube</span></i><span class="ext"><span class="element-invisible"> (link is external)</span></span></a></li> <li class="field-item service-rss list-horiz"><a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/news-events/nist-rss-feeds" target="_blank" class="social-btn social-btn--large extlink"> <i class="fa fa-rss fa-fw"><span class="element-invisible">rss</span></i> </a></li> <li class="field-item service-govdelivery list-horiz last"><a href="https://web.archive.org/web/20220205092303/https://public.govdelivery.com/accounts/USNIST/subscriber/new?qsp=USNIST_3" target="_blank" class="social-btn social-btn--large extlink ext"> <i class="fa fa-envelope fa-fw"><span class="element-invisible">govdelivery</span></i><span class="ext"><span class="element-invisible"> (link is external)</span></span> </a></li> </ul> <span class="hidden-xs"> <a title="National Institute of Standards and Technology" rel="home" class="footer-nist-logo"> <img src="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/logo_rev.png" alt="National Institute of Standards and Technology logo"/> </a> </span> </div> </div> <div class="row hidden-sm hidden-md hidden-lg"> <div class="col-sm-12"> <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/" title="National Institute of Standards and Technology" rel="home" target="_blank" class="footer-nist-logo"> <img src="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/logo_rev.png" alt="National Institute of Standards and Technology logo"/> </a> </div> </div> <div class="row footer-contact-container"> <div class="col-sm-6"> <strong>HEADQUARTERS</strong> <br> 100 Bureau Drive <br> Gaithersburg, MD 20899 <br> <a href="https://web.archive.org/web/20220205092303/tel:301-975-2000">(301) 975-2000</a> <br> <br> <a href="https://web.archive.org/web/20220205092303/mailto:nvd@nist.gov">Webmaster</a> | <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/about-nist/contact-us">Contact Us</a> | <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/about-nist/our-organization" style="display: inline-block;">Our Other Offices</a> </div> <div class="col-sm-6"> <div class="pull-right" style="text-align:right"> <strong>Incident Response Assistance and Non-NVD Related<br>Technical Cyber Security Questions:</strong> <br> US-CERT Security Operations Center <br> Email: <a href="https://web.archive.org/web/20220205092303/mailto:soc@us-cert.gov">soc@us-cert.gov</a> <br> Phone: 1-888-282-0870 <br> <span style="display: inline-block; text-align: left; margin-left: 0; margin-right: 0;"> <strong style="float: right">Sponsored by</strong> <br>                       <a href="https://web.archive.org/web/20220205092303/https://www.cisa.gov/" target="_blank">CISA</a> </span> <a style="float: right; width: 68px;"> <img src="/web/20220205092303im_/https://nvd.nist.gov/site-media/images/cisa-thumbnail.png" alt="CISA"/> </a> </div> </div> </div> <div class="row"> <div class="row footer-bottom-links-container" role="navigation">  <p> <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/privacy-policy">Site Privacy</a> | <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/oism/accessibility">Accessibility</a> | <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/privacy">Privacy Program</a> | <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/oism/copyrights">Copyrights</a> | <a href="https://web.archive.org/web/20220205092303/https://www.commerce.gov/vulnerability-disclosure-policy">Vulnerability Disclosure</a> | <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/no-fear-act-policy">No Fear Act Policy</a> | <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/foia">FOIA</a> | <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/environmental-policy-statement">Environmental Policy</a> | <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/summary-report-scientific-integrity">Scientific Integrity</a> | <a href="https://web.archive.org/web/20220205092303/https://www.nist.gov/nist-information-quality-standards">Information Quality Standards</a> | <a href="https://web.archive.org/web/20220205092303/https://www.commerce.gov/">Commerce.gov</a> | <a href="https://web.archive.org/web/20220205092303/http://www.science.gov/">Science.gov</a> | <a href="https://web.archive.org/web/20220205092303/http://www.usa.gov/">USA.gov</a> </p> </div> </div> </div> </footer> </body> </html>

CINXE.COM

API Vulnerabilities