Vulnerability APIs

<!DOCTYPE html> <html lang="en"> <head><script type="text/javascript" src="/_static/js/bundle-playback.js?v=HxkREWBo" charset="utf-8"></script> <script type="text/javascript" src="/_static/js/wombat.js?v=txqj7nKC" charset="utf-8"></script> <script>window.RufflePlayer=window.RufflePlayer||{};window.RufflePlayer.config={"autoplay":"on","unmuteOverlay":"hidden"};</script> <script type="text/javascript" src="/_static/js/ruffle/ruffle.js"></script> <script type="text/javascript"> __wm.init("https://web.archive.org/web"); __wm.wombat("https://nvd.nist.gov/developers/vulnerabilities","20231005173235","https://web.archive.org/","web","/_static/", "1696527155"); </script> <link rel="stylesheet" type="text/css" href="/_static/css/banner-styles.css?v=S1zqJCYt" /> <link rel="stylesheet" type="text/css" href="/_static/css/iconochive.css?v=3PDvdIFv" />  <title>Vulnerability APIs</title> <meta http-equiv="content-type" content="text/html; charset=UTF-8"/> <meta http-equiv="content-style-type" content="text/css"/> <meta http-equiv="content-script-type" content="text/javascript"/> <meta name="viewport" content="width=device-width, initial-scale=1.0"/> <link href="/web/20231005173235cs_/https://nvd.nist.gov/site-scripts/font-awesome/css/font-awesome.min.css" type="text/css" rel="stylesheet"/> <link href="/web/20231005173235cs_/https://nvd.nist.gov/site-media/bootstrap/css/bootstrap.min.css" type="text/css" rel="stylesheet"/> <link href="/web/20231005173235cs_/https://nvd.nist.gov/site-media/bootstrap/css/bootstrap-theme.min.css" type="text/css" rel="stylesheet"/> <link href="/web/20231005173235cs_/https://nvd.nist.gov/site-scripts/eonasdan-bootstrap-datetimepicker/build/css/bootstrap-datetimepicker.min.css" type="text/css" rel="stylesheet"/> <link href="/web/20231005173235cs_/https://nvd.nist.gov/site-media/css/nist-fonts.css" type="text/css" rel="stylesheet"/> <link href="/web/20231005173235cs_/https://nvd.nist.gov/site-media/css/base-style.css" type="text/css" rel="stylesheet"/> <link href="/web/20231005173235cs_/https://nvd.nist.gov/site-media/css/media-resize.css" type="text/css" rel="stylesheet"/> <meta name="theme-color" content="#000000"> <script src="/web/20231005173235js_/https://nvd.nist.gov/site-scripts/jquery/dist/jquery.min.js" type="text/javascript"></script> <script src="/web/20231005173235js_/https://nvd.nist.gov/site-scripts/jquery-visible/jquery.visible.min.js" type="text/javascript"></script> <script src="/web/20231005173235js_/https://nvd.nist.gov/site-scripts/underscore/underscore-min.js" type="text/javascript"></script> <script src="/web/20231005173235js_/https://nvd.nist.gov/site-media/bootstrap/js/bootstrap.js" type="text/javascript"></script> <script src="/web/20231005173235js_/https://nvd.nist.gov/site-scripts/moment/min/moment.min.js" type="text/javascript"></script> <script src="/web/20231005173235js_/https://nvd.nist.gov/site-scripts/eonasdan-bootstrap-datetimepicker/build/js/bootstrap-datetimepicker.min.js" type="text/javascript"></script> <script src="/web/20231005173235js_/https://nvd.nist.gov/site-media/js/megamenu.js" type="text/javascript"></script> <script src="/web/20231005173235js_/https://nvd.nist.gov/site-media/js/nist-exit-script.js" type="text/javascript"></script> <script src="/web/20231005173235js_/https://nvd.nist.gov/site-media/js/forms.js" type="text/javascript"></script> <script src="/web/20231005173235js_/https://nvd.nist.gov/site-media/js/federated-analytics.all.min.js?agency=NIST&subagency=nvd&pua=UA-37115410-41&yt=true" type="text/javascript" id="_fed_an_js_tag"></script>  <script async src="https://web.archive.org/web/20231005173235js_/https://www.googletagmanager.com/gtag/js?id=G-4KKFZP12LQ"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-4KKFZP12LQ'); </script> <style id="antiClickjack"> body>* { display: none !important; } #antiClickjack { display: block !important; } </style> <noscript> <style id="antiClickjackNoScript"> body>* { display: block !important; } #antiClickjack { display: none !important; } </style> </noscript> <script type="text/javascript" id="antiClickjackScript"> if (self === top) { // no clickjacking var antiClickjack = document.getElementById("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack); } else { setTimeout(tryForward(), 5000); } function tryForward() { top.location = self.location; } </script> <meta charset="UTF-8"> <link href="/web/20231005173235cs_/https://nvd.nist.gov/site-media/css/nvd-style.css" type="text/css" rel="stylesheet"/> <link href="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/favicons/apple-touch-icon.png" rel="apple-touch-icon" type="image/png" sizes="180x180"/> <link href="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/favicons/favicon-32x32.png" rel="icon" type="image/png" sizes="32x32"/> <link href="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/favicons/favicon-16x16.png" rel="icon" type="image/png" sizes="16x16"/> <link href="/web/20231005173235/https://nvd.nist.gov/site-media/images/favicons/manifest.json" rel="manifest"/> <link href="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/favicons/safari-pinned-tab.svg" rel="mask-icon" color="#000000"/> <link href="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/favicons/favicon.ico" rel="shortcut icon"/> <meta name="msapplication-config" content="/site-media/images/favicons/browserconfig.xml"/> <link href="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/favicons/favicon.ico" rel="shortcut icon" type="image/x-icon"/> <link href="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/favicons/favicon.ico" rel="icon" type="image/x-icon"/> <meta charset="UTF-8"> <link href="/web/20231005173235cs_/https://nvd.nist.gov/site-media/css/apiKey/api-styles.css" type="text/css" rel="stylesheet"/> <meta name="viewport1" content="width=device-width, initial-scale=1"> <script> $(document).ready( function() { // get hash/anchor_id from url var hash = window.location.hash; // if hash exists, expand the section and scroll to hash if(hash.startsWith("#cves-")) { toggleMoreCode('divGetCveParameters', 'iconCveParams'); $('html, body').animate({ scrollTop: $(hash).offset().top }, 1000); } }); function toggleMoreCode(elementId, iconId) { var x = document.getElementById(elementId); if (x.style.display === "none") { x.style.display = "block"; } else { x.style.display = "none"; } if(typeof iconId !== 'undefined') { var y = document.getElementById(iconId); if (x.style.display === "block") { y.classList.add("fa-minus"); y.classList.remove("fa-plus"); } else { y.classList.add("fa-plus"); y.classList.remove("fa-minus"); } } } </script> <style> </style> <meta name="viewport1" content="width=device-width, initial-scale=1"> </head> <body> <header role="banner" title="Site Banner"> <div id="antiClickjack" style="display: none"> <h1>You are viewing this page in an unauthorized frame window.</h1> <p> This is a potential security issue, you are being redirected to <a href="https://web.archive.org/web/20231005173235/https://nvd.nist.gov/">https://nvd.nist.gov</a> </p> </div> <div> <section class="usa-banner" aria-label="Official government website"> <div class="usa-accordion container"> <header class="usa-banner__header"> <noscript> <p style="font-size: 0.85rem; font-weight: bold;">You have JavaScript disabled. This site requires JavaScript to be enabled for complete site functionality.</p> </noscript> <img class="usa-banner__header-flag" src="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/usbanner/us_flag_small.png" alt="U.S. flag">   <span class="usa-banner__header-text">An official website of the United States government</span> <button id="gov-banner-button" class="usa-accordion__button usa-banner__button" data-toggle="collapse" data-target="#gov-banner" aria-expanded="false" aria-controls="gov-banner"> <span class="usa-banner__button-text">Here's how you know</span> </button> </header> <div class="usa-banner__content usa-accordion__content collapse" role="tabpanel" id="gov-banner" aria-expanded="true"> <div class="row"> <div class="col-md-5 col-sm-12"> <div class="row"> <div class="col-sm-2 col-xs-3"> <img class="usa-banner__icon usa-media-block__img" src="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/usbanner/icon-dot-gov.svg" alt="Dot gov"> </div> <div class="col-sm-10 col-xs-9"> <p> <strong>Official websites use .gov</strong> <br> A <strong>.gov</strong> website belongs to an official government organization in the United States. </p> </div> </div> </div> <div class="col-md-5 col-sm-12"> <div class="row"> <div class="col-sm-2 col-xs-3"> <img class="usa-banner__icon usa-media-block__img" src="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/usbanner/icon-https.svg" alt="Https"> </div> <div class="col-sm-10 col-xs-9"> <p> <strong>Secure .gov websites use HTTPS</strong> <br> A <strong>lock</strong> (<img class="usa-banner__lock" src="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/usbanner/lock.svg" alt="Dot gov">) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites. </p> </div> </div> </div> </div> </div> </div> </section> </div> <div> <div> <nav id="navbar" class="navbar"> <div id="nist-menu-container" class="container"> <div class="row">  <div class="col-xs-6 col-md-4 navbar-header" style="height:104px"> <a class="navbar-brand" href="https://web.archive.org/web/20231005173235/https://www.nist.gov/" target="_blank" id="navbar-brand-image" style="padding-top: 36px"> <img alt="National Institute of Standards and Technology" src="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/nist/nist-logo.svg" width="110" height="30"> </a> </div> <div class="col-xs-6 col-md-8 navbar-nist-logo"> <span id="nvd-menu-button" class="pull-right" style="margin-top: 26px"> <a href="#"> <span class="fa fa-bars"></span> <span id="nvd-menu-full-text"><span class="hidden-xxs">NVD </span>MENU</span> </a> </span> </div> </div> </div> <div class="main-menu-row container">  <div id="main-menu-drop" class="col-lg-12" style="display: none;"> <ul> <li><a href="/web/20231005173235/https://nvd.nist.gov/general"> General <span class="expander fa fa-plus" id="nvd-header-menu-general" data-expander-name="general" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="general"> <div class="row"> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/general/nvd-dashboard">NVD Dashboard</a> </p> <p> <a href="/web/20231005173235/https://nvd.nist.gov/general/news">News</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/general/email-list">Email List</a> </p> <p> <a href="/web/20231005173235/https://nvd.nist.gov/general/faq">FAQ</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/general/visualizations">Visualizations</a> </p> <p> <a href="/web/20231005173235/https://nvd.nist.gov/general/legal-disclaimer">Legal Disclaimer</a> </p> </div> </div> </div></li> <li><a href="/web/20231005173235/https://nvd.nist.gov/vuln"> Vulnerabilities <span class="expander fa fa-plus" id="nvd-header-menu-vulnerabilities" data-expander-name="vulnerabilities" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="vulnerabilities"> <div class="row"> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/vuln/search">Search & Statistics</a> </p> <p> <a href="/web/20231005173235/https://nvd.nist.gov/vuln/full-listing">Full Listing</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/vuln/categories">Weakness Types</a> </p> <p> <a href="/web/20231005173235/https://nvd.nist.gov/vuln/data-feeds">Legacy Data Feeds</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/vuln/vendor-comments">Vendor Comments</a> </p> <p> <a href="/web/20231005173235/https://nvd.nist.gov/vuln/cvmap">CVMAP</a> </p> </div> </div> </div></li> <li><a href="/web/20231005173235/https://nvd.nist.gov/vuln-metrics/cvss"> Vulnerability Metrics <span class="expander fa fa-plus" id="nvd-header-menu-metrics" data-expander-name="metrics" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="metrics"> <div class="row"> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator">CVSS V3 Calculator</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator">CVSS V2 Calculator</a> </p> </div> <div class="col-lg-4"></div> </div> </div></li> <li><a href="/web/20231005173235/https://nvd.nist.gov/products"> Products <span class="expander fa fa-plus" id="nvd-header-menu-products" data-expander-name="products" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="products"> <div class="row"> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/products/cpe">CPE Dictionary</a> </p> <p> <a href="/web/20231005173235/https://nvd.nist.gov/products/cpe/search">CPE Search</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/products/cpe/statistics">CPE Statistics</a> </p> <p> <a href="/web/20231005173235/https://nvd.nist.gov/products/swid">SWID</a> </p> </div> <div class="col-lg-4"></div> </div> </div></li> <li> <a href="/web/20231005173235/https://nvd.nist.gov/developers">Developers<span class="expander fa fa-plus" id="nvd-header-menu-developers" data-expander-name="developers" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="developers"> <div class="row"> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/developers/start-here">Start Here</a> </p> <p> <a href="/web/20231005173235/https://nvd.nist.gov/developers/request-an-api-key">Request an API Key</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/developers/vulnerabilities">Vulnerabilities</a> </p> <p> <a href="/web/20231005173235/https://nvd.nist.gov/developers/products">Products</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/developers/data-sources">Data Sources</a> </p> <p> <a href="/web/20231005173235/https://nvd.nist.gov/developers/terms-of-use">Terms of Use</a> </p> </div> </div> </div> </li> <li><a href="/web/20231005173235/https://nvd.nist.gov/info"> Contact NVD </a></li> <li><a href="/web/20231005173235/https://nvd.nist.gov/other"> Other Sites <span class="expander fa fa-plus" id="nvd-header-menu-othersites" data-expander-name="otherSites" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="otherSites"> <div class="row"> <div class="col-lg-4"> <p> <a href="https://web.archive.org/web/20231005173235/https://ncp.nist.gov/">Checklist (NCP) Repository</a> </p> <p> <a href="https://web.archive.org/web/20231005173235/https://ncp.nist.gov/cce">Configurations (CCE)</a> </p> <p> <a href="https://web.archive.org/web/20231005173235/https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search">800-53 Controls</a> </p> </div> <div class="col-lg-4"> <p> <a href="https://web.archive.org/web/20231005173235/https://csrc.nist.gov/projects/scap-validation-program">SCAP Validated Tools</a> </p> <p> <a href="https://web.archive.org/web/20231005173235/https://csrc.nist.gov/projects/security-content-automation-protocol">SCAP</a> </p> </div> <div class="col-lg-4"> <p> <a href="https://web.archive.org/web/20231005173235/https://csrc.nist.gov/projects/united-states-government-configuration-baseline">USGCB</a> </p> </div> </div> </div></li> <li><a href="/web/20231005173235/https://nvd.nist.gov/search"> Search <span class="expander fa fa-plus" id="nvd-header-menu-search" data-expander-name="search" data-expanded="false"> <span class="element-invisible">Expand or Collapse</span> </span> </a> <div style="display: none;" class="sub-menu" data-expander-trigger="search"> <div class="row"> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/vuln/search">Vulnerability Search</a> </p> </div> <div class="col-lg-4"> <p> <a href="/web/20231005173235/https://nvd.nist.gov/products/cpe/search">CPE Search</a> </p> </div> </div> </div></li> </ul> </div>  </div> </nav> <section id="itl-header" class="has-menu"> <div class="container"> <div class="row"> <div class="col-sm-12 col-md-8"> <h2 class="hidden-xs hidden-sm"> <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/itl" target="_blank">Information Technology Laboratory</a> </h2> <h1 class="hidden-xs hidden-sm"> <a id="nvd-header-link" href="/web/20231005173235/https://nvd.nist.gov/">National Vulnerability Database</a> </h1> <h1 class="hidden-xs text-center hidden-md hidden-lg">National Vulnerability Database</h1> <h1 class="hidden-sm hidden-md hidden-lg text-center">NVD</h1> </div> <div class="col-sm-12 col-md-4"> <a style="width: 100%; text-align: center; display: block;padding-top: 14px"> <img id="img-logo-nvd-lg" alt="National Vulnerability Database" src="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/F_NIST-Logo-NVD-white.svg" width="500" height="100"> </a> </div> </div> </div> </section> </div> </div> </header> <main> <div> <div id="body-section" class="container"> <div class="row"> <ol class="breadcrumb"> <li><a href="/web/20231005173235/https://nvd.nist.gov/developers" class="CMSBreadCrumbsLink">Developers</a></li> </ol> </div> <div> <div id="divVulnerabilityApis" class="row"> <h2>Vulnerabilities</h2> <p> This documentation assumes that you already understand at least one common programming language and are generally familiar with JSON RESTful services. JSON specifies the format of the data returned by the REST service. REST refers to a style of services that allow computers to communicate via HTTP over the Internet. Click here for a list of <a href="/web/20231005173235/https://nvd.nist.gov/developers/start-here">best practices and additional information</a> on where to start. The NVD is also documenting <a href="/web/20231005173235/https://nvd.nist.gov/developers/api-workflows">popular workflows</a> to assist developers working with the APIs. </p> <p> Please note, new users are discouraged from starting with the 1.0 API as it <a href="/web/20231005173235/https://nvd.nist.gov/General/News/change-timeline">will be retired</a> in 2023 but you may still view documentation for the <a href="/web/20231005173235/https://nvd.nist.gov/developers/vulnerabilities-1">1.0 Vulnerability<a> and <a href="/web/20231005173235/https://nvd.nist.gov/developers/products-1">1.0 Product<a> APIs. </p> </div> <div id="divGetCves" class="row"> <h3>CVE API</h3> <p> The CVE API is used to easily retrieve information on a single CVE or a collection of CVE from the NVD. The NVD contains <span id="apiCveCount">227,040</span> CVE records. Because of this, its APIs enforce offset-based pagination to answer requests for large collections. Through a series of smaller “chunked” responses controlled by an offset <code>startIndex</code> and a page limit <code>resultsPerPage</code> users may page through all the CVE in the NVD. </p> <p> The URL stem for retrieving CVE information is shown below. </p> </div> <div id="cvesBase" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Base URL</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0</code></pre> </div> <h4 title="Click to expand or collapse"> <a id="toggleGetCveParameters" onclick="toggleMoreCode('divGetCveParameters', 'iconCveParams')"> <span class="fa fa-plus" id="iconCveParams"></span> Parameters </a> </h4> <div id="divGetCveParameters" class="row" style="display: none"> <table class="table"> <tr> <td> <a id="cves-cpeName"><span class="paramName">cpeName <span class="paramOptional">optional</span></span></a> <ul> <li><code>{name}</code></li> </ul> <p> This parameter returns all CVE associated with a specific CPE. The exact value provided with <code>cpeName</code> is compared against the CPE Match Criteria within a CVE applicability statement. If the value of <code>cpeName</code> is considered to match, the CVE is included in the results. </p> <p> A CPE Name is a string of characters comprised of 13 colon separated values that describe a product. In CPEv2.3 the first two values are always “cpe” and “2.3”. The 11 values that follow are referred to as the CPE components. When filtering by <code>cpeName</code> the part, vendor, product, and version components are <span class="paramRequired">required</span> to contain values other than "*". </p> <p> CPE Match Criteria comes in two forms: CPE Match Strings and CPE Match String Ranges. Both are abstract concepts that are then correlated to CPE URIs in the Official CPE Dictionary. Unlike a CPE Name, match strings and match string ranges do not require a value in the part, vendor, product, or version components. The CVE API returns CPE Match Criteria within the <span class="json-obj">configurations</span> object. </p> <div id="cves-cpeName-request-1" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request the CVE associated a specific CPE</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*</code></pre> </div> <br> <div id="cves-cpeName-request-2" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request the CVE associated a specific CPE using an incomplete name</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:microsoft:windows_10:1607 </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-cveId"><span class="paramName">cveId <span class="paramOptional">optional</span></span></a> <ul> <li><code>{CVE-ID}</code></li> </ul> <p> This parameter returns a specific vulnerability identified by its unique Common Vulnerabilities and Exposures identifier (the CVE ID). <code>cveId</code> will not accept <code>{CVE-ID}</code> for vulnerabilities not yet published in the NVD. </p> <div id="cves-cveId-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request a specific CVE using its CVE-ID</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2019-1010218</code></pre> </div> </td> </tr> <tr> <td> <a id="cves-cvssV2Metrics"><span class="paramName">cvssV2Metrics <span class="paramOptional">optional</span></span></a> <ul> <li><code>{CVSSv2 vector string}</code></li> </ul> <p> This parameter returns only the CVEs that match the provided <code>{CVSSv2 vector string}</code>. Either full or partial vector strings may be used. This parameter cannot be used in requests that include <code>cvssV3Metrics</code>. </p> <p> Please note, as of July 2022, the NVD no longer generates new information for CVSS v2. Existing CVSS v2 information will remain in the database but the NVD will no longer actively populate CVSS v2 for new CVEs. NVD analysts will continue to use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, information related to CVSS v3.1, CWE, and CPE Applicability statements. </p> <div id="cves-cvssV2Metrics-request-1" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE matching the CVSSv2 vector string</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV2Metrics=AV:N/AC:H/Au:N/C:C/I:C/A:C </code></pre> </div> <br> <div id="cves-cvssV2Metrics-request-2" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">An example of a valid request for which there exists no vulnerabilities</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV2Metrics=AV:L/AC:H/Au:M/C:N/I:N/A:N </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-cvssV2Severity"><span class="paramName">cvssV2Severity <span class="paramOptional">optional</span></span></a> <ul> <li><code>LOW</code></li> <li><code>MEDIUM</code></li> <li><code>HIGH</code></li> </ul> <p> This parameter returns only the CVEs that match the provided CVSSv2 qualitative severity rating. This parameter cannot be used in requests that include <code>cvssV3Severity</code>. </p> <p> Please note, as of July 2022, the NVD no longer generates new information for CVSS v2. Existing CVSS v2 information will remain in the database but the NVD will no longer actively populate CVSS v2 for new CVEs. NVD analysts will continue to use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, information related to CVSS v3.1, CWE, and CPE Applicability statements. </p> <div id="cves-cvssV2Severity-request-1" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE matching the CVSSv2 qualitative severity rating of LOW </div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV2Severity=LOW </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-cvssV3Metrics"><span class="paramName">cvssV3Metrics <span class="paramOptional">optional</span></span></a> <ul> <li><code>{CVSSv3 vector string}</code></li> </ul> <p> This parameter returns only the CVEs that match the provided <code>{CVSSv3 vector string}</code>. Either full or partial vector strings may be used. This parameter cannot be used in requests that include <code>cvssV2Metrics</code>. </p> <div id="cves-cvssV3Metrics-request-1" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE matching the CVSSv3 vector string </div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV3Metrics=AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L </code></pre> </div> <br> <div id="cves-cvssV3Metrics-request-2" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">An example of a valid request for which there exists no vulnerabilities </div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV3Metrics=AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-cvssV3Severity"><span class="paramName">cvssV3Severity <span class="paramOptional">optional</span></span></a> <ul> <li><code>LOW</code></li> <li><code>MEDIUM</code></li> <li><code>HIGH</code></li> <li><code>CRITICAL</code></li> </ul> <p> This parameter returns only the CVEs that match the provided CVSSv3 qualitative severity rating. This parameter cannot be used in requests that include <code>cvssV2Severity</code>. <br/> Note: The NVD will not contain CVSS v3 vector strings with a severity of <code>NONE</code>. This is why that severity is not an included option. </p> <div id="cves-cvssV3Severity-request-1" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE matching the CVSSv3 qualitative severity rating of LOW </div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cvssV3Severity=LOW </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-cweId"><span class="paramName">cweId <span class="paramOptional">optional</span></span></a> <ul> <li><code>{CWE-ID}</code></li> </ul> <p> This parameter returns only the CVE that include a weakness identified by <a href="https://web.archive.org/web/20231005173235/https://cwe.mitre.org/data/definitions/1000.html">Common Weakness Enumeration</a> using the provided <code>{CWE-ID}</code>. </p> <div id="cves-cweId-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE that include Improper Authentication </div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cweId=CWE-287 </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-hasCertAlerts"><span class="paramName">hasCertAlerts <span class="paramOptional">optional</span></span></a> <p> This parameter returns the CVE that contain a Technical Alert from US-CERT. Please note, this parameter is provided without a parameter value. </p> <div id="cves-hasCertAlerts-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE containing a Technical Alert </div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?hasCertAlerts </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-hasCertNotes"><span class="paramName">hasCertNotes <span class="paramOptional">optional</span></span></a> <p> This parameter returns the CVE that contain a Vulnerability Note from CERT/CC. Please note, this parameter is provided without a parameter value. </p> <div id="cves-hasCertNotes-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE containing a Vulnerability Note from CERT/CC </div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?hasCertNotes </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-hasKev"><span class="paramName">hasKev <span class="paramOptional">optional</span></span></a> <p> This parameter returns the CVE that appear in CISA's <a href="https://web.archive.org/web/20231005173235/https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities</a> (KEV) Catalog. Please note, this parameter is provided without a parameter value. </p> <div id="cves-hasKev-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE that appear in the KEV catalog </div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?hasKev </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-hasOval"><span class="paramName">hasOval <span class="paramOptional">optional</span></span></a> <p> This parameter returns the CVE that contain information from MITRE's <a href="https://web.archive.org/web/20231005173235/https://oval.mitre.org/inuse/">Open Vulnerability and Assessment Language</a> (OVAL) before this transitioned to the Center for Internet Security (CIS). Please note, this parameter is provided without a parameter value. </p> <div id="cves-hasOval-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE containing an OVAL record </div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?hasOval </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-isVulnerable"><span class="paramName">isVulnerable <span class="paramOptional">optional</span></span></a> <p> This parameter returns only CVE associated with a specific CPE, where the CPE is also considered vulnerable. The exact value provided with <code>cpeName</code> is compared against the CPE Match Criteria within a CVE applicability statement. If the value of <code>cpeName</code> is considered to match, and is also considered vulnerable the CVE is included in the results. </p> <p> If filtering by <code>isVulnerable</code>, <code>cpeName</code> is <span class="paramRequired">required</span>. Please note, <code>virtualMatchString</code> is not accepted in requests that use <code>isVulnerable</code>. </p> <div id="cves-isVulnerable-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE associated a specific CPE and are marked as vulnerable </div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=cpe:2.3:o:microsoft:windows_10:1607&isVulnerable; </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-keywordExactMatch"><span class="paramName">keywordExactMatch <span class="paramOptional">optional</span></span></a> <p> By default, <code>keywordSearch</code> returns any CVE where a word or phrase is found in the current description. </p> <p> If the value of <code>keywordSearch</code> is a phrase, i.e., contains more than one term, including <code>keywordExactMatch</code> returns only the CVEs matching the phrase exactly. Otherwise, the results will contain records having any of the terms. If filtering by <code>keywordExactMatch</code>, <code>keywordSearch</code> is <span class="paramRequired">required</span>. Please note, this parameter is provided without a parameter value. </p> <div id="cves-keywordExactMatch-request-1" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE mentioning the exact phrase "Microsoft Outlook"</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=Microsoft Outlook&keywordExactMatch;</code></pre> </div> <p> Please note, the example above would not return a CVE unless the exact phrase "Microsoft Outlook" appears in the current description. </p> </td> </tr> <tr> <td> <a id="cves-keywordSearch"><span class="paramName">keywordSearch <span class="paramOptional">optional</span></span></a> <ul> <li><code>{keyword(s)}</code></li> </ul><p> This parameter returns only the CVEs where a word or phrase is found in the current description. Descriptions associated with CVE are maintained by the CVE Assignment Team through coordination with CVE Numbering Authorities (CNAs). The NVD has no control over CVE descriptions. </p> <p> Please note, empty spaces in the URL should be encoded in the request as "%20". The user agent may handle this encoding automatically. Multiple <code>{keywords}</code> function like an 'AND' statement. This returns results where all keywords exist somewhere in the current description, though not necessarily together. Keyword search operates as though a wildcard is placed after each keyword provided. For example, providing "circle" will return results such as "circles" but not "encircle". </p> <div id="cves-keywordSearch-request-1" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request any CVE mentioning "Microsoft"</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=Microsoft </code></pre> </div> <br> <div id="cves-keywordSearch-request-2" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request any CVE mentioning "Windows", "MacOs", and "Debian"</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=Windows MacOs Linux </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-lastModDates"><span class="paramName">lastModStartDate & lastModEndDate <span class="paramOptional">optional</span></span></a> <ul> <li><code>{start date}</code></li> <li><code>{end date}</code></li> </ul> <p> These parameters return only the CVEs that were last modified during the specified period. If a CVE has been modified more recently than the specified period, it will not be included in the response. If filtering by the last modified date, both <code>lastModStartDate</code> and <code>lastModEndDate</code> are <span class="paramRequired">required</span>. The maximum allowable range when using any date range parameters is 120 consecutive days. </p> <p> A CVE's <span class="json-obj">lastModified</span> changes when any of the follow actions occur: </p> <ol> <li>The NVD publishes the new CVE record</li> <li><a href="/web/20231005173235/https://nvd.nist.gov/vuln/vulnerability-status#divNvdStatus">The NVD changes the status of a published CVE record after it has been analyzed</a></li> <li>A source (CVE Primary CNA or another CNA) modifies a published CVE record</li> </ol> <p> A CVE's <span class="json-obj">lastModified</span> does not change when any of the follow actions occur: </p> <ol> <li><a href="/web/20231005173235/https://nvd.nist.gov/vuln/vulnerability-status#divNvdStatus">The NVD changes the status of a newly published CVE record to "Undergoing Analysis"</a></li> <li>The NVD modifies a CPE record previously associated with the CVE record</li> </ol> <p> Values must be entered in the extended ISO-8601 date/time format: </p> <code>[YYYY][“-”][MM][“-”][DD][“T”][HH][“:”][MM][“:”][SS][Z]</code> <p> The "T" is a literal to separate the date from the time. The Z indicates an optional offset-from-UTC. Please note, if a positive Z value is used (such as +01:00 for Central European Time) then the "+" should be encoded in the request as "%2B". The user agent may handle this encoding automatically. </p> <div id="cves-lastModDates-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE records modified between the start and end datetimes</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0/?lastModStartDate=2021-08-04T13:00:00.000%2B01:00&lastModEndDate;=2021-10-22T13:36:00.000%2B01:00</code></pre> </div> </td> </tr> <tr> <td> <a id="cves-noRejected"><span class="paramName">noRejected <span class="paramOptional">optional</span></span></a> <p> By default, the CVE API includes CVE records with the REJECT or Rejected status. This parameter excludes CVE records with the REJECT or Rejected status from API response. Please note, this parameter is provided without a parameter value. </p> <div id="cves-noRejected-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE without the REJECT or Rejected status</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?noRejected </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-pubDates"><span class="paramName">pubStartDate & pubEndDate <span class="paramOptional">optional</span></span></a> <ul> <li><code>{start date}</code></li> <li><code>{end date}</code></li> </ul> <p> These parameters return only the CVEs that were added to the NVD (i.e., published) during the specified period. If filtering by the published date, both <code>pubStartDate</code> and <code>pubEndDate</code> are <span class="paramRequired">required</span>. The maximum allowable range when using any date range parameters is 120 consecutive days. </p> <p> Values must be entered in the extended ISO-8601 date/time format: </p> <code>[YYYY][“-”][MM][“-”][DD][“T”][HH][“:”][MM][“:”][SS][Z]</code> <p> The "T" is a literal to separate the date from the time. The Z indicates an optional offset-from-UTC. Please note, if a positive Z value is used (such as +01:00 for Central European Time) then the "+" should be encoded in the request as "%2B". The user agent may handle this encoding automatically. </p> <div id="cves-pubDates-request-1" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE published between the start and end dates, defaulting to GMT</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0/?pubStartDate=2021-08-04T00:00:00.000&pubEndDate;=2021-10-22T00:00:00.000</code></pre> </div> <br> <div id="cves-pubDates-request-2" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE published between the start and end datetimes</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0/?pubStartDate=2020-01-01T00:00:00.000-05:00&pubEndDate;=2020-01-14T23:59:59.999-05:00</code></pre> </div> </td> </tr> <tr> <td> <a id="cves-resultsPerPage"><span class="paramName">resultsPerPage <span class="paramOptional">optional</span></span></a> <ul> <li><code>{page limit}</code></li> </ul> <p> This parameter specifies the maximum number of CVE records to be returned in a single API response. For network considerations, the default value and maximum allowable limit is <span id="apiResultsPerPageCve">2,000</span>. </p> <p> It is recommended that users of the CVE API use the default <code>resultsPerPage</code> value. This value has been optimized to allow the greatest number of results over the fewest number of requests. </p> </td> </tr> <tr> <td> <a id="cves-startIndex"><span class="paramName">startIndex <span class="paramOptional">optional</span></span></a> <ul> <li><code>{offset}</code></li> </ul> <p> This parameter specifies the index of the first CVE to be returned in the response data. The index is zero-based, meaning the first CVE is at index zero. </p> <p> The CVE API returns four primary objects in the response body that are used for pagination: <span class="json-obj">resultsPerPage</span>, <span class="json-obj">startIndex</span>, <span class="json-obj">totalResults</span>, and <span class="json-obj">vulnerabilities</span>. <span class="json-obj">totalResults</span> indicates the total number of CVE records that match the request parameters. If the value of <span class="json-obj">totalResults</span> is greater than the value of <span class="json-obj">resultsPerPage</span>, there are more records than could be returned by a single API response and additional requests must update the <code>startIndex</code> to get the remaining records. </p> <p> The best, most efficient, practice for keeping up to date with the NVD is to use the date range parameters to request only the CVEs that have been modified since your last request. </p> <div id="cves-startIndex-request-1" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request 20 CVE records, beginning at index 0 and ending at index 19</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0/?resultsPerPage=20&startIndex;=0</code></pre> </div> <br> <div id="cves-startIndex-request-2" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request the CVE records, beginning at index 20 and ending at index 39</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0/?resultsPerPage=20&startIndex;=20</code></pre> </div> </td> </tr> <tr> <td> <a id="cves-sourceIdentifier"><span class="paramName">sourceIdentifier <span class="paramOptional">optional</span></span></a> <ul> <li><code>{sourceIdentifier}</code></li> </ul> <p> This parameter returns CVE where the exact value of <code>{sourceIdentifier}</code> appears as a data source in the CVE record. The CVE API returns <code>{sourceIdentifier}</code> values within the <span class="json-obj">descriptions</span> object. The <a href="/web/20231005173235/https://nvd.nist.gov/developers/data-sources">Source API</a> returns detailed information on the organizations that provide the data contained in the NVD dataset, including every valid <code>{sourceIdentifier}</code> value. </p> <div id="cves-sourceIdentifier-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE with the data source "cve@mitre.org"</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?sourceIdentifier=cve@mitre.org</code></pre> </div> </td> </tr> <tr> <td> <a id="cves-versionEnd"><span class="paramName">versionEnd & versionEndType <span class="paramOptional">optional</span></span></a> <ul> <li><code>{ending version}</code></li> </ul> <ul> <li><code>including</code></li> <li><code>excluding</code></li> </ul> <p> The <code>virtualMatchString</code> parameter may be combined with <code>versionEnd</code> and <code>versionEndType</code> to return only the CVEs associated with CPEs in specific version ranges. </p> <p> If filtering by the ending version, <code>versionEnd</code>, <code>versionEndType</code>, and <code>virtualMatchString</code> are <span class="paramRequired">required</span>. Requests that include <code>versionEnd</code> cannot include a version component in the <code>virtualMatchString</code>. </p> <div id="cves-versionEnd-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE affiliated with version 2.6 of a specific CPE </div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:linux:linux_kernel&versionStart;=2.6&versionStartType;=including&versionEnd;=2.7&versionEndType;=excluding</code></pre> </div> </td> </tr> <tr> <td> <a id="cves-versionStart"><span class="paramName">versionStart & versionStartType <span class="paramOptional">optional</span></span></a> <ul> <li><code>{starting version}</code></li> </ul> <ul> <li><code>including</code></li> <li><code>excluding</code></li> </ul> <p> The <code>virtualMatchString</code> parameter may be combined with <code>versionStart</code> and <code>versionStartType</code> to return only the CVEs associated with CPEs in specific version ranges. </p> <p> If filtering by the starting version, <code>versionStart</code>, <code>versionStartType</code>, and <code>virtualMatchString</code> are <span class="paramRequired">required</span>. Requests that include <code>versionStart</code> cannot include a version component in the <code>virtualMatchString</code>. </p> <div id="cves-versionStart-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE affiliated with versions 2.2 through 2.5.x of a specific CPE </div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:o:linux:linux_kernel&versionStart;=2.2&versionStartType;=including&versionEnd;=2.6&versionEndType;=excluding</code></pre> </div> </td> </tr> <tr> <td> <a id="cves-virtualMatchString"><span class="paramName">virtualMatchString <span class="paramOptional">optional</span></span></a> <ul> <li><code>{cpe match string}</code></li> </ul> <p> This parameter filters CVE more broadly than <code>cpeName</code>. The exact value of <code>{cpe match string}</code> is compared against the CPE Match Criteria present on CVE applicability statements. </p> <p> CPE Match Criteria comes in two forms: CPE Match Strings and CPE Match String Ranges. Both are abstract concepts that are then correlated to CPE URIs in the Official CPE Dictionary. Unlike a CPE Name, match strings and match string ranges do not require a value in the part, vendor, product, or version components. The CVE API returns CPE Match Criteria within the <span class="json-obj">configurations</span> object. </p> <p> CPE Match String Ranges are only supported for the version component and only when <code>virtualMatchString</code> is combined with <code>versionStart</code>, <code>versionStartType</code>, and/or <code>versionEnd</code>, both <code>versionEndType</code>. </p> <p> <code>cpeName</code> is a simpler alternative for many use cases. When both <code>cpeName</code> and <code>virtualMatchString</code> are provided, only the <code>cpeName</code> is used. </p> <div id="cves-virtualMatchString-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE where the associated CPE's language component denotes the German language version of a product.</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:*:*:*:*:*:*:de</code></pre> </div> </td> </tr> </table> </div> <h4 title="Click to expand or collapse"> <a id="toggleCvesResponseBody" onclick="toggleMoreCode('divCvesResponseBody', 'iconCvesResponseBody')"> <span class="fa fa-plus" id="iconCvesResponseBody"></span> Response </a> </h4> <div id="divCvesResponseBody" class="row" style="display: none"> <h5>CVE API JSON Schema</h5> <p> The API response may contain up to four JSON schema that define the structure of the response data. Each of the documents below describe a different aspect of the response but all include information on data types, regex patterns, maximum character length, and other information that can support developers and database administrators looking to create their own local repository. </p> <ul style="list-style: none"> <li><a href="https://web.archive.org/web/20231005173235/https://csrc.nist.gov/schema/nvd/api/2.0/cve_api_json_2.0.schema" class="schema-link">CVE API Schema</a></li> <li><a href="https://web.archive.org/web/20231005173235/https://csrc.nist.gov/schema/nvd/api/2.0/external/cvss-v3.1.json" class="schema-link">CVSSv3.1 Schema</a></li> <li><a href="https://web.archive.org/web/20231005173235/https://csrc.nist.gov/schema/nvd/api/2.0/external/cvss-v3.0.json" class="schema-link">CVSSv3.0 Schema</a></li> <li><a href="https://web.archive.org/web/20231005173235/https://csrc.nist.gov/schema/nvd/api/2.0/external/cvss-v2.0.json" class="schema-link">CVSSv2.0 Schema</a></li> </ul> <h5>Response Details</h5> <p> The CVE API returns seven primary objects in the body of the response: <span class="json-obj">resultsPerPage</span>, <span class="json-obj">startIndex</span>, <span class="json-obj">totalResults</span>, <span class="json-obj">format</span>, <span class="json-obj">version</span>, <span class="json-obj">timestamp</span>, and <span class="json-obj">vulnerabilities</span>. <p> <p> The <span class="json-obj">totalResults</span> object indicates the number of CVE that match the request criteria, including all parameters. If the value of <span class="json-obj">totalResults</span> is greater than the value of <span class="json-obj">resultsPerPage</span>, then additional requests are necessary to return the remaining CVE. The parameter <span class="json-obj">startIndex</span> may be used in subsequent requests to identify the starting point for the next request. More information and the best practices for using <span class="json-obj">resultsPerPage</span> and <span class="json-obj">startIndex</span> are described above. </p> <p> The <span class="json-obj">format</span> and <span class="json-obj">version</span> objects identify the format and version of the API response. <span class="json-obj">timestamp</span> identifies when the response was generated. </p> <p> The <span class="json-obj">vulnerabilities</span> object contains an array of objects equal to the number of CVE returned in the response and is sorted in ascending order by the <span class="json-obj">published</span> property of the <span class="json-obj">cve</span> object. The <span class="json-obj">cve</span> object is explained in more detail below. </p> <p> JSON response objects are either optional or required. Required response objects are always returned by the API and may contain fields without data. Optional response objects are only returned when they contain data. For example, the <span class="json-obj">cvssMetricV3</span> object is optional. CVSSv3.0 was released in 2016, thus most CVE published before 2016 do not include the <span class="json-obj">cvssMetricV3</span> object. The exception are CVE published before 2016 that were later reanalyzed or modified. These CVE may have been updated to include CVSSv3 information. If the CVE was updated in this way, the API response would include this optional information. </p> <h5 style="font-family:'Roboto Mono Web','Bitstream Vera Sans Mono','Consolas','Courier','monospace'" id="cves-response-cve">cve <span class="paramRequired"> required</span> </h5> <p> This object always contains the CVE-ID, <span class="json-obj">sourceIdentifier</span> an identifier for the source of the CVE, <span class="json-obj">published</span> the date and time that the CVE was published to the NVD, <span class="json-obj">lastModified</span> the date and time that the CVE was last modified, and <span class="json-obj">vulnStatus</span> the CVE's <a href="/web/20231005173235/https://nvd.nist.gov/vuln/vulnerability-status#divNvdStatus">status in the NVD</a>. </p> <p> This object also contains seven <strong>optional</strong> fields. The <span class="json-obj">evaluatorComment</span>, <span class="json-obj">evaluatorImpact</span>, and <span class="json-obj">evaluatorSolution</span> provide additional context to help understand the vulnerability or its analysis. If the CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog <span class="json-obj">cisaExploitAdd</span>, <span class="json-obj">cisaActionDue</span>, <span class="json-obj">cisaRequiredAction</span>, and <span class="json-obj">cisaVulnerabilityName</span> will be returned. The <span class="json-obj">cisaActionDue</span> object indicates the date by which all federal civilian executive branch (FCEB) agencies are required to complete the <span class="json-obj">cisaRequiredAction</span> under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. Although not bound by BOD 22-01, every organization, including those in state, local, tribal, and territorial (SLTT) governments and private industry can significantly strengthen their security and resilience posture by prioritizing the remediation of the vulnerabilities listed in the KEV catalog as well. </p> <p> This object may also contain up to six objects with additional nested information. The <span class="json-obj">weaknesses</span>, <span class="json-obj">references</span>, <span class="json-obj">description</span>, <span class="json-obj">configurations</span>, <span class="json-obj">metrics</span>, and <span class="json-obj">vendorComments</span> objects are explained in more detail below. </p> <table class="table"> <tr> <td> <a id="cves-response-cves-descriptions"><span class="paramName"> descriptions <span class="paramRequired">required</span></span></a> <p> This object contains a description of the CVE in one or more languages. ISO 639-1:2002's two-letter language identifiers indicate the language of the description. Spanish language translations are provided by the <a href="https://web.archive.org/web/20231005173235/https://www.incibe.es/en">Spanish National Cybersecurity Institute</a> (INCIBE). </p> <button onclick="toggleMoreCode('jsonWindowCvesDescriptions')">Toggle JSON</button> <div id="jsonWindowCvesDescriptions" class="example-response" tyle="display: none;"> <pre class="contentSection-pre"><code> "descriptions": [ { "lang": "en", "value": "The debug command in Sendmail is enabled, allowing attackers to execute commands as root." }, { "lang": "es", "value": "El comando de depuración de Sendmail está activado, permitiendo a atacantes ejecutar comandos como root." } ], </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-response-cve-metrics"><span class="paramName"> metrics <span class="paramOptional">optional</span></span></a> <p> This object contains information on the CVE's impact. If the CVE has been analyzed, this object will contain any CVSSv2 or CVSSv3 information associated with the vulnerability. </p> <p> <span class="json-obj">source</span> identifies the organization that provided the metrics information and <span class="json-obj">type</span> identifies whether the organization is a primary or secondary source. Primary sources include the NVD and CNA who have reached the provider level in CVMAP. 10% of provider level submissions are audited by the NVD. If a submission has been audited the NVD will appear as the primary source and the provider level CNA will appear as the secondary source. </p> <button onclick="toggleMoreCode('jsonWindowCveMetrics')">Toggle JSON</button> <div id="jsonWindowCveMetrics" class="example-response" style="display: none;"> <pre class="contentSection-pre"><code> "metrics": { "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0 }, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": true, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } ] }, </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-response-cves-weaknesses"><span class="paramName"> weaknesses <span class="paramOptional">optional</span></span></a> <p> This object contains information on <a href="/web/20231005173235/https://nvd.nist.gov/vuln/categories">specific weaknesses</a>, considered the cause of the vulnerability. Please note, a CVE that is Awaiting Analysis, Undergoing Analysis, or Rejected may not include the weaknesses object. </p> <p> <span class="json-obj">source</span> identifies the organization that provided the weakness information and <span class="json-obj">type</span> identifies whether the organization is a primary or secondary source. Primary sources include the NVD and CNA who have reached the provider level in CVMAP. 10% of provider level submissions are audited by the NVD. If a submission has been audited the NVD will appear as the primary source and the provider level CNA will appear as the secondary source. </p> <button onclick="toggleMoreCode('jsonWindowCvesWeaknesses')">Toggle JSON</button> <div id="jsonWindowCvesWeaknesses" class="example-response" style="display: none;"> <pre class="contentSection-pre"><code> "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ] } ], </pre></code> </div> </td> </tr> <tr> <td> <a id="cves-response-cve-configurations"><span class="paramName"> configurations <span class="paramOptional">optional</span></span></a> <p> This object contains the CVE applicability statements that convey which product, or products, are associated with the vulnerability according to the NVD analysis. Please note, a CVE that is Awaiting Analysis, Undergoing Analysis, or Rejected will not include the configurations object. </p> <p> Like the JSON response, <span class="json-obj">configurations</span> are a hierarchical data structure that always contain one or more CPE match strings. Each object within <span class="json-obj">configurations</span> includes either an OR- or an AND-operator (and in rare cases a NEGATE flag) to covey the logical relationship of the CPE or child objects within. For example, if the vulnerability exists only when both CPE products are present, the operator is “AND”. If the vulnerability exists if either CPE is present, then the operator is “OR”. </p> <p> The <span class="json-obj">cpeMatch</span> object contains the CPE Match Criteria, the criteria's unique identifier, and a statement of whether the criteria is vulnerable. The <span class="json-obj">matchCriteriaId</span>'s corresponding <code>{uuid}</code> may be used with either the <a href="/web/20231005173235/https://nvd.nist.gov/developers/products#cpematch-matchCriteriaId">Match Criteria API's matchCriteriaId</a> or the <a href="/web/20231005173235/https://nvd.nist.gov/developers/products#cpes-matchCriteriaId">CPE API's matchCriteriaId</a> parameters. <p> <button onclick="toggleMoreCode('jsonWindowCvesConfigurations')">Toggle JSON</button> <div id="jsonWindowCvesConfigurations" class="example-response" style="display: none;"> <pre class="contentSection-pre"><code> "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:eric_allman:sendmail:5.58:*:*:*:*:*:*:*", "matchCriteriaId": "1D07F493-9C8D-44A4-8652-F28B46CBA27C" } ] } ] } ], </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-response-cves-references"><span class="paramName"> references <span class="paramRequired">required</span></span></a> <p> This object contains supplemental information relevant to the vulnerability, and may include details that are not present in the CVE Description. Each reference within this object provides one or more resource tags (e.g., third-party advisory, vendor advisory, technical paper, press/media, VDB entries). Resource tags are designed to categorize the type of information each reference contains. </p> <p> <span class="json-obj">source</span> identifies the organization that provided the reference information and <span class="json-obj">type</span> identifies whether the organization is a primary or secondary source. Primary sources include the NVD and CNA who have reached the provider level in CVMAP. 10% of provider level submissions are audited by the NVD. If a submission has been audited, the NVD will appear as the primary source and the provider level CNA will appear as the secondary source. </p> <button onclick="toggleMoreCode('jsonWindowCvesReferences')">Toggle JSON</button> <div id="jsonWindowCvesReferences" class="example-response" style="display: none;"> <pre class="contentSection-pre"><code> "references": [ { "url": "http://seclists.org/fulldisclosure/2019/Jun/16", "source": "security@netgear.com" }, { "url": "http://www.openwall.com/lists/oss-security/2019/06/05/4", "source": "security@netgear.com" }, { "url": "http://www.openwall.com/lists/oss-security/2019/06/06/1", "source": "security@netgear.com" }, { "url": "http://www.securityfocus.com/bid/1", "source": "security@netgear.com" } ] </code></pre> </div> </td> </tr> <tr> <td> <a id="cves-response-cves-vendorComments"><span class="paramName"> vendorComments <span class="paramOptional">optional</span></span></a> <p> This object contains any Official Vendor Comment for the CVE. NVD provides a service whereby organizations can submit Official Vendor Comments for CVE associated with their products. Organizations can use the service in a variety of ways. For example, they can provide configuration and remediation guidance, clarify vulnerability applicability, provide deeper vulnerability analysis, dispute third party vulnerability information, and explain vulnerability impact. Official Vendor Comments can be submitted to the NVD by email at <a href="https://web.archive.org/web/20231005173235/mailto:nvd@nist.gov">nvd@nist.gov</a>. More information is provided on the <a href="/web/20231005173235/https://nvd.nist.gov/vuln/vendor-comments">vendor comments</a> page. </p> <button onclick="toggleMoreCode('jsonWindowCvesVendorComments')">Toggle JSON</button> <div id="jsonWindowCvesVendorComments" class="example-response" style="display: none;"> <pre class="contentSection-pre"><code> "vendorComments": [ { "organization": "Red Hat", "comment": "Not vulnerable. This issue did not affect the versions of the util-linux packages (providing /bin/login), as shipped with Red Hat Enterprise Linux 2.1, 3, 4 or 5.", "lastModified": "2008-12-18T00:00:00" } ] </code></pre> </div> </td> </tr> </table> </div> <div id="divGetCveHistory" class="row"> <h3>CVE Change History API</h3> <p> The CVE Change History API is used to easily retrieve information on changes made to a single CVE or a collection of CVE from the NVD. This API provides additional transparency to the work of the NVD, allowing users to easily monitor when and why vulnerabilities change. </p> <p> The NVD has existed in some form <a href="/web/20231005173235/https://nvd.nist.gov/general/brief-history">since 1999</a> and the fidelity of this information has changed several times over the decades. Earlier records may not contain the level of detail available with more recent CVE records. This is most apparent on CVE records prior to 2015. </p> <p> The URL stem for retrieving CVE information is shown below. </p> </div> <div id="cveHistoryBase" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Base URL</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cvehistory/2.0</code></pre> </div> <h4 title="Click to expand or collapse"> <a id="toggleGetCveHistoryParameters" onclick="toggleMoreCode('divGetCveHistoryParameters', 'iconCveHistoryParams')"> <span class="fa fa-plus" id="iconCveHistoryParams"></span> Parameters </a> </h4> <div id="divGetCveHistoryParameters" class="row" style="display: none"> <table class="table"> <tr> <td> <a id="cveHistory-changeDates"><span class="paramName">changeStartDate & changeEndDate <span class="paramOptional">optional</span></span></a> <ul> <li><code>{start date}</code></li> <li><code>{end date}</code></li> </ul> <p> These parameters return any CVE that changed during the specified period. Please note, this is different from the last modified date parameters used with other APIs. If filtering by the change date, both <code>changeStartDate</code> and <code>changeEndDate</code> are <span class="paramRequired">required</span>. The maximum allowable range when using any date range parameters is 120 consecutive days. </p> <p> Values must be entered in the extended ISO-8601 date/time format: </p> <code>[YYYY][“-”][MM][“-”][DD][“T”][HH][“:”][MM][“:”][SS][Z]</code> <p> The "T" is a literal to separate the date from the time. The Z indicates an optional offset-from-UTC. Please note, if a positive Z value is used (such as +01:00 for Central European Time) then the "+" should be encoded in the request as "%2B". The user agent may handle this encoding automatically. </p> <div id="cveHistory-changeDates-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE change histories between the start and end datetimes</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cvehistory/2.0/?changeStartDate=2021-08-04T13:00:00.000%2B01:00&changeEndDate;=2021-10-22T13:36:00.000%2B01:00</code></pre> </div> </td> </tr> <tr> <td> <a id="cveHistory-cveId"><span class="paramName">cveId <span class="paramOptional">optional</span></span></a> <ul> <li><code>{CVE-ID}</code></li> </ul> <p> This parameter returns the complete change history for a specific vulnerability identified by its unique Common Vulnerabilities and Exposures identifier (the CVE ID). <code>cveId</code> will not accept <code>{CVE-ID}</code> for vulnerabilities not yet published in the NVD. </p> <div id="cveHistory-cveId-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request the change history for a specific CVE using its CVE-ID</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2019-1010218</code></pre> </div> </td> </tr> <tr> <td> <a id="cveHistory-eventName"><span class="paramName">eventName <span class="paramOptional">optional</span></span></a> <table id="cveHistory-eventName-values-table" class="inner-table table-hover"> <tbody> <tr> <td class="inner-table-value"><ul><li><code>Initial Analysis</code></li></ul></td> <td class="inner-table-description"><p>The NVD performs its initial analysis to enrich the CVE record with reference tags, CVSS base metrics, CWE, and CPE applicability statements.</p></td> </tr> <tr> <td class="inner-table-value"><ul><li><code>Reanalysis</code></li></ul></td> <td class="inner-table-description"><p>The NVD performs further analysis resulting in some modification to the CVE record.</p></td> </tr> <tr> <td class="inner-table-value"><ul><li><code>CVE Modified</code></li></ul></td> <td class="inner-table-description"><p>An approved source modifies a CVE record published in the NVD. The modification's source is identified on the details page in the event name and in the API response by the value of the <span class="json-obj">sourceIdentifer</span>.</p></td> </tr> <tr> <td class="inner-table-value"><ul><li><code>Modified Analysis</code></li></ul></td> <td class="inner-table-description"><p>After an approved source modified a previously analyzed CVE record, the NVD performs further analysis. </tr> <tr> <td class="inner-table-value"><ul><li><code>CVE Translated</code></li></ul></td> <td class="inner-table-description"><p>An approved translator provides a non-English translation for the CVE record.</p></td> </tr> <tr> <td class="inner-table-value"><ul><li><code>Vendor Comment</code></li></ul></td> <td class="inner-table-description"><p>The NVD updates the CVE record with additional information from the product vendor.</p></td> </tr> <tr> <td class="inner-table-value"><ul><li><code>CVE Source Update</code></li></ul></td> <td class="inner-table-description"><p>The NVD updates the information on a source that contributed to the CVE record.</p></td> </tr> <tr> <td class="inner-table-value"><ul><li><code>CPE Deprecation Remap</code></li></ul></td> <td class="inner-table-description"><p>The NVD updates the match criteria associated with the CVE record based on changes to the CPE dictionary. This event occurs separate from analysis.</p></td> </tr> <tr> <td class="inner-table-value"><ul><li><code>CWE Remap</code></li></ul></td> <td class="inner-table-description"><p>The NVD updates the weakness associated with the CVE record. This event occurs separate from analysis.</p></td> </tr> <tr> <td class="inner-table-value"><ul><li><code>CVE Rejected</code></li></ul></td> <td class="inner-table-description"><p>An approved source rejects a CVE record. Rejections occurs for one or more reasons, including duplicate CVE entries, withdraw by the original requester, incorrect assignment, or some other administrative reason.</p></td> </tr> <tr> <td class="inner-table-value"><ul><li><code>CVE Unrejected</code></li></ul></td> <td class="inner-table-description"><p>An approved source re-published a CVE record previously marked rejected.</p></td> </tr> </tbody> </table> <p> This parameter returns all CVE associated with a specific type of change event. Please note, each request can contain only one value for the <code>eventName</code> parameter. Empty spaces in the URL should be encoded in the request as "%20". The user agent may handle this encoding automatically. </p> <div id="cveHistory-eventName-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request all CVE that were rejected in the specified time frame</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cvehistory/2.0?eventName=CVE%20Rejected&changeStartDate;=2021-08-04T13:00:00.000%2B01:00&changeEndDate;=2021-10-22T13:36:00.000%2B01:00</code></pre> </div> </td> </tr> <tr> <td> <a id="cveHistory-resultsPerPage"><span class="paramName">resultsPerPage <span class="paramOptional">optional</span></span></a> <ul> <li><code>{page limit}</code></li> </ul> <p> This parameter specifies the maximum number of change events to be returned in a single API response. For network considerations, the default value and maximum allowable limit is <span id="apiResultsPerPageHistory">5,000</span>. </p> </td> </tr> <tr> <td> <a id="cveHistory-startIndex"><span class="paramName">startIndex <span class="paramOptional">optional</span></span></a> <ul> <li><code>{offset}</code></li> </ul> <p> This parameter specifies the index of the first change events to be returned in the response data. The index is zero-based, meaning the first change events is at index zero. </p> <p> The CVE Change History API returns four primary objects in the response body that are used for pagination: <span class="json-obj">resultsPerPage</span>, <span class="json-obj">startIndex</span>, <span class="json-obj">totalResults</span>, and <span class="json-obj">cveChanges</span>. <span class="json-obj">totalResults</span> indicates the total number of change events that match the request parameters. If the value of <span class="json-obj">totalResults</span> is greater than the value of <span class="json-obj">resultsPerPage</span>, there are more events than could be returned by a single API response and additional requests must update the <code>startIndex</code> to get the remaining events. </p> <div id="cveHistory-startIndex-request" class="example-request"> <div class="example-request-topbar"> <div class="example-request-title">Request 20 change events, beginning at index 0 and ending at index 19</div> </div> <pre class="contentSection-pre"><code>https://services.nvd.nist.gov/rest/json/cvehistory/2.0/?resultsPerPage=20&startIndex;=0</code></pre> </div> </td> </tr> </table> </div> <h4 title="Click to expand or collapse"> <a id="toggleCveHistoryResponseBody" onclick="toggleMoreCode('divCveHistoryResponseBody', 'iconCveHistoryResponseBody')"> <span class="fa fa-plus" id="iconCveHistoryResponseBody"></span> Response </a> </h4> <div id="divCveHistoryResponseBody" class="row" style="display: none"> <h5>CVE Change History API JSON Schema</h5> <p> This API response includes only one JSON schema for defining the structure of the response data. The following document includes information on data types, regex patterns, maximum character length, and similar information that can support developers and database administrators looking to create their own local repository. </p> <ul style="list-style: none"> <li><a href="https://web.archive.org/web/20231005173235/https://csrc.nist.gov/schema/nvd/api/2.0/cve_history_api_json_2.0.schema" class="schema-link">CVE Change History API Schema</a></li> </ul> <h5>Response Details</h5> <p> The CVE Change History API returns seven primary objects in the body of the response: <span class="json-obj">resultsPerPage</span>, <span class="json-obj">startIndex</span>, <span class="json-obj">totalResults</span>, <span class="json-obj">format</span>, <span class="json-obj">version</span>, <span class="json-obj">timestamp</span>, and <span class="json-obj">cveChanges</span>. </p> <p> The <span class="json-obj">totalResults</span> object indicates the number of change events that match the request, including all parameters. If the value of <span class="json-obj">totalResults</span> is greater than the value of <span class="json-obj">resultsPerPage</span>, then additional requests are necessary to return the remaining records. The parameter <span class="json-obj">startIndex</span> may be used in subsequent requests to identify the starting point for the next request. More information and the best practices for using <span class="json-obj">resultsPerPage</span> and <span class="json-obj">startIndex</span> are described above. </p> <p> The <span class="json-obj">format</span> and <span class="json-obj">version</span> objects identify the format and version of the API response. <span class="json-obj">timestamp</span> identifies when the response was generated. </p> <p> The <span class="json-obj">cveChanges</span> object contains an array of objects equal to the number of change events returned in the response and is sorted in ascending order by the <span class="json-obj">created</span> property of the <span class="json-obj">change</span> object. The <span class="json-obj">change</span> object is explained in more detail below. </p> <p> JSON response objects are either optional or required. Required response objects are always returned by the API and may contain fields without data. Optional response objects are only returned when they contain data. </p> <h5 style="font-family:'Roboto Mono Web','Bitstream Vera Sans Mono','Consolas','Courier','monospace'" id="cves-response-cve-change">change <span class="paramRequired"> required</span> </h5>  <p> This object contains the following required data: the CVE-ID, the type of change event, a Universally Unique Identifier (UUID) for the change event, the <a href="/web/20231005173235/https://nvd.nist.gov/developers/data-sources">source</a> of the change event, the date and time that the CVE was modified, and an array of data containing any additional details. </p> <p> The <span class="json-obj">details</span> array is a required object. It will appear whether or not the array contains additional data. </p> <button onclick="toggleMoreCode('jsonWindowCvesHistory')">Toggle JSON</button> <div id="jsonWindowCvesHistory" class="example-response" style="display: none;"> <pre class="contentSection-pre"><code> { "resultsPerPage": 1, "startIndex": 0, "totalResults": 558843, "format": "NVD_CVEHistory", "version": "2.0", "timestamp": "2022-10-24T12:30:00.000", "cveChanges": [ { "change": { "cveId": "CVE-2020-12448", "eventName": "Initial Analysis", "cveChangeId": "5DEF54B9-7FF3-4436-9763-2958C5B78731", "sourceIdentifier": "nvd@nist.gov", "created": "2020-05-11T15:05:30.490", "details": [ { "action": "Added", "type": "CVSS V2", "newValue": "NIST (AV:N/AC:L/Au:N/C:P/I:N/A:N)" }, { "action": "Added", "type": "CVSS V3.1", "newValue": "NIST AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "action": "Changed", "type": "Reference Type", "oldValue": "https://about.gitlab.com/blog/categories/releases/ No Types Assigned", "newValue": "https://about.gitlab.com/blog/categories/releases/ Product, Release Notes" }, { "action": "Changed", "type": "Reference Type", "oldValue": "https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released/ No Types Assigned", "newValue": "https://about.gitlab.com/releases/2020/04/30/security-release-12-10-2-released/ Release Notes, Vendor Advisory" }, { "action": "Added", "type": "CWE", "newValue": "NIST CWE-22" }, { "action": "Added", "type": "CPE Configuration", "newValue": "OR\n *cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* versions from (including) 12.8.0 up to (excluding) 12.8.10" } ] } } ] } </code></pre> </div> <div id="divContact" class="row"> <br> <p> Questions, comments, or concerns may be shared with the NVD by emailing <a href="https://web.archive.org/web/20231005173235/mailto:nvd@nist.gov">nvd@nist.gov</a> </p> </div> </div> <div class="col-md-12 historical-data-area" id="historical-data-area"> <span> Created <span id="page-created-date"> <span>September 20, 2022</span> </span>, </span> Updated <span id="page-updated-date"> <span>September 11, 2023</span> </span> </div> </div> </div> </div> </main> <footer id="footer" role="contentinfo"> <div class="container"> <div class="row"> <div class="col-sm-12"> <ul class="social-list pull-right"> <li class="field-item service-twitter list-horiz"><a href="https://web.archive.org/web/20231005173235/https://twitter.com/NISTCyber" target="_blank" class="social-btn social-btn--large extlink ext"> <i class="fa fa-twitter fa-fw"><span class="element-invisible">twitter</span></i><span class="ext"><span class="element-invisible"> (link is external)</span></span> </a></li> <li class="field-item service-facebook list-horiz"><a href="https://web.archive.org/web/20231005173235/https://www.facebook.com/NIST" target="_blank" class="social-btn social-btn--large extlink ext"> <i class="fa fa-facebook fa-fw"><span class="element-invisible">facebook</span></i><span class="ext"><span class="element-invisible"> (link is external)</span></span></a></li> <li class="field-item service-linkedin list-horiz"><a href="https://web.archive.org/web/20231005173235/https://www.linkedin.com/company/nist" target="_blank" class="social-btn social-btn--large extlink ext"> <i class="fa fa-linkedin fa-fw"><span class="element-invisible">linkedin</span></i><span class="ext"><span class="element-invisible"> (link is external)</span></span></a></li> <li class="field-item service-youtube list-horiz"><a href="https://web.archive.org/web/20231005173235/https://www.youtube.com/user/USNISTGOV" target="_blank" class="social-btn social-btn--large extlink ext"> <i class="fa fa-youtube fa-fw"><span class="element-invisible">youtube</span></i><span class="ext"><span class="element-invisible"> (link is external)</span></span></a></li> <li class="field-item service-rss list-horiz"><a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/news-events/nist-rss-feeds" target="_blank" class="social-btn social-btn--large extlink"> <i class="fa fa-rss fa-fw"><span class="element-invisible">rss</span></i> </a></li> <li class="field-item service-govdelivery list-horiz last"><a href="https://web.archive.org/web/20231005173235/https://public.govdelivery.com/accounts/USNIST/subscriber/new?qsp=USNIST_3" target="_blank" class="social-btn social-btn--large extlink ext"> <i class="fa fa-envelope fa-fw"><span class="element-invisible">govdelivery</span></i><span class="ext"><span class="element-invisible"> (link is external)</span></span> </a></li> </ul> <span class="hidden-xs"> <a title="National Institute of Standards and Technology" rel="home" class="footer-nist-logo"> <img src="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/nist/nist-logo.png" alt="National Institute of Standards and Technology logo"/> </a> </span> </div> </div> <div class="row hidden-sm hidden-md hidden-lg"> <div class="col-sm-12"> <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/" title="National Institute of Standards and Technology" rel="home" target="_blank" class="footer-nist-logo"> <img src="/web/20231005173235im_/https://nvd.nist.gov/site-media/images/nist/nist-logo.png" alt="National Institute of Standards and Technology logo"/> </a> </div> </div> <div class="row footer-contact-container"> <div class="col-sm-6"> <strong>HEADQUARTERS</strong> <br> 100 Bureau Drive <br> Gaithersburg, MD 20899 <br> <a href="https://web.archive.org/web/20231005173235/tel:301-975-2000">(301) 975-2000</a> <br> <br> <a href="https://web.archive.org/web/20231005173235/mailto:nvd@nist.gov">Webmaster</a> | <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/about-nist/contact-us">Contact Us</a> | <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/about-nist/visit" style="display: inline-block;">Our Other Offices</a> </div> <div class="col-sm-6"> <div class="pull-right" style="text-align:right"> <strong>Incident Response Assistance and Non-NVD Related<br>Technical Cyber Security Questions:</strong> <br> US-CERT Security Operations Center <br> Email: <a href="https://web.archive.org/web/20231005173235/mailto:soc@us-cert.gov">soc@us-cert.gov</a> <br> Phone: 1-888-282-0870 </div> </div> </div> <div class="row"> <nav title="Footer Navigation" role="navigation" class="row footer-bottom-links-container">  <p> <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/oism/site-privacy">Site Privacy</a> | <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/oism/accessibility">Accessibility</a> | <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/privacy">Privacy Program</a> | <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/oism/copyrights">Copyrights</a> | <a href="https://web.archive.org/web/20231005173235/https://www.commerce.gov/vulnerability-disclosure-policy">Vulnerability Disclosure</a> | <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/no-fear-act-policy">No Fear Act Policy</a> | <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/foia">FOIA</a> | <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/environmental-policy-statement">Environmental Policy</a> | <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/summary-report-scientific-integrity">Scientific Integrity</a> | <a href="https://web.archive.org/web/20231005173235/https://www.nist.gov/nist-information-quality-standards">Information Quality Standards</a> | <a href="https://web.archive.org/web/20231005173235/https://www.commerce.gov/">Commerce.gov</a> | <a href="https://web.archive.org/web/20231005173235/https://www.science.gov/">Science.gov</a> | <a href="https://web.archive.org/web/20231005173235/https://www.usa.gov/">USA.gov</a> </p> </nav> </div> </div> </footer> </body> </html>

CINXE.COM

Vulnerability APIs