CVE_Record_Format.json
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://cveproject.github.io/cve-schema/schema/CVE_Record_Format.json",
"title": "CVE JSON record format",
"description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
"definitions": {
"uriType": {
"description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
"type": "string",
"format": "uri",
"minLength": 1,
"maxLength": 2048
},
"uuidType": {
"description": "A version 4 (random) universally unique identifier (UUID) as defined by [RFC 4122](https://tools.ietf.org/html/rfc4122#section-4.1.3).",
"type": "string",
"pattern": "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$"
},
"reference": {
"type": "object",
"required": ["url"],
"properties": {
"url": {
"description": "The uniform resource locator (URL), according to [RFC 3986](https://tools.ietf.org/html/rfc3986#section-1.1.3), that can be used to retrieve the referenced resource.",
"$ref": "#/definitions/uriType"
},
"name": {
"description": "User created name for the reference, often the title of the page.",
"type": "string",
"maxLength": 512,
"minLength": 1
},
"tags": {
"description": "An array of one or more tags that describe the resource referenced by 'url'.",
"type": "array",
"minItems": 1,
"uniqueItems": true,
"items": {
"oneOf": [
{
"$ref": "#/definitions/tagExtension"
},
{
"$ref": "file:tags/reference-tags.json"
}
]
}
}
},
"additionalProperties": false
},
"cveId": {
"type": "string",
"pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
},
"orgId": {
"description": "A UUID for an organization participating in the CVE program. This UUID can be used to look up the organization record in the user registry service.",
"$ref": "#/definitions/uuidType"
},
"userId": {
"description": "A UUID for a user participating in the CVE program. This UUID can be used to look up the user record in the user registry service.",
"$ref": "#/definitions/uuidType"
},
"shortName": {
"description": "A 2-32 character name that can be used to complement an organization's UUID.",
"type": "string",
"minLength": 2,
"maxLength": 32
},
"datestamp": {
"description": "Date/time format based on RFC 3339 and ISO 8601.",
"type": "string",
"format": "date",
"pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
},
"timestamp": {
"type": "string",
"description": "Date/time format based on RFC 3339 and ISO 8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
"pattern": "^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$"
},
"version": {
"description": "A single version of a product, as expressed in its own version numbering scheme.",
"type": "string",
"minLength": 1,
"maxLength": 1024
},
"status": {
"description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.",
"type": "string",
"enum": ["affected", "unaffected", "unknown"]
},
"product": {
"type": "object",
"description": "Provides information about the set of products and services affected by this vulnerability.",
"allOf": [
{
"anyOf": [
{"required": ["vendor", "product"]},
{"required": ["collectionURL", "packageName"]}
]
},
{
"anyOf": [
{"required": ["versions"]},
{"required": ["defaultStatus"]}
]
}
],
"properties": {
"vendor": {
"type": "string",
"description": "Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package.",
"minLength": 1,
"maxLength": 512
},
"product": {
"type": "string",
"description": "Name of the affected product.",
"minLength": 1,
"maxLength": 2048
},
"collectionURL": {
"description": "URL identifying a package collection (determines the meaning of packageName).",
"$ref": "#/definitions/uriType",
"examples": [
"https://access.redhat.com/downloads/content/package-browser",
"https://addons.mozilla.org",
"https://addons.thunderbird.net",
"https://anaconda.org/anaconda/repo",
"https://app.vagrantup.com/boxes/search",
"https://apps.apple.com",
"https://archlinux.org/packages",
"https://atmospherejs.meteor.com",
"https://atom.io/packages",
"https://bitbucket.org",
"https://bower.io",
"https://brew.sh/",
"https://chocolatey.org/packages",
"https://chrome.google.com/webstore",
"https://clojars.org",
"https://cocoapods.org",
"https://code.dlang.org",
"https://conan.io/center",
"https://cpan.org/modules",
"https://cran.r-project.org",
"https://crates.io",
"https://ctan.org/pkg",
"https://drupal.org",
"https://exchange.adobe.com",
"https://forge.puppet.com/modules",
"https://github.com",
"https://gitlab.com/explore",
"https://golang.org/pkg",
"https://guix.gnu.org/packages",
"https://hackage.haskell.org",
"https://helm.sh",
"https://hub.docker.com",
"https://juliahub.com",
"https://lib.haxe.org",
"https://luarocks.org",
"https://marketplace.visualstudio.com",
"https://melpa.org",
"https://microsoft.com/en-us/store/apps",
"https://nimble.directory",
"https://nuget.org/packages",
"https://opam.ocaml.org/packages",
"https://openwrt.org/packages/index",
"https://package.elm-lang.org",
"https://packagecontrol.io",
"https://packages.debian.org",
"https://packages.gentoo.org",
"https://packagist.org",
"https://pear.php.net/packages.php",
"https://pecl.php.net",
"https://platformio.org/lib",
"https://play.google.com/store",
"https://plugins.gradle.org",
"https://projects.eclipse.org",
"https://pub.dev",
"https://pypi.python.org",
"https://registry.npmjs.org",
"https://registry.terraform.io",
"https://repo.hex.pm",
"https://repo.maven.apache.org/maven2",
"https://rubygems.org",
"https://search.nixos.org/packages",
"https://sourceforge.net",
"https://wordpress.org/plugins"
]
},
"packageName": {
"type": "string",
"description": "Name or identifier of the affected software package as used in the package collection.",
"minLength": 1,
"maxLength": 2048
},
"cpes": {
"type": "array",
"description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.",
"uniqueItems": true,
"items": {
"title": "CPE Name",
"type": "string",
"description":"Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
"pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
"minLength": 1,
"maxLength": 2048
}
},
"modules": {
"type": "array",
"description": "A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional).",
"uniqueItems": true,
"items": {
"type": "string",
"description": "Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional).",
"minLength": 1,
"maxLength": 4096
}
},
"programFiles": {
"type": "array",
"description": "A list of the affected source code files (optional).",
"uniqueItems": true,
"items": {
"description": "Name or path or location of the affected source code file.",
"type": "string",
"minLength": 1,
"maxLength": 1024
}
},
"programRoutines": {
"type": "array",
"description": "A list of the affected source code functions, methods, subroutines, or procedures (optional).",
"uniqueItems": true,
"items": {
"type": "object",
"description": "An object describing program routine.",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"description": "Name of the affected source code file, function, method, subroutine, or procedure.",
"minLength": 1,
"maxLength": 4096
}
},
"additionalProperties": false
}
},
"platforms": {
"title": "Platforms",
"description": "List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms.",
"type": "array",
"minItems": 1,
"uniqueItems": true,
"items": {
"type": "string",
"examples": ["iOS", "Android", "Windows", "macOS", "x86", "ARM", "64 bit", "Big Endian", "iPad", "Chromebook", "Docker", "Model T"],
"maxLength": 1024
}
},
"repo": {
"description": "The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges.",
"$ref": "#/definitions/uriType"
},
"defaultStatus": {
"description": "The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both.",
"$ref": "#/definitions/status"
},
"versions": {
"type": "array",
"description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
"minItems": 1,
"uniqueItems": true,
"items": {
"type": "object",
"description": "A single version or a range of versions, with vulnerability status.\n\nAn entry with only 'version' and 'status' indicates the status of a single version.\n\nOtherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and either 'lessThan', to indicate the non-inclusive upper limit of the range, or 'lessThanOrEqual', to indicate the inclusive upper limit. The object describes the status for versions V such that 'version' <= V and V < 'lessThan' (or V <= 'lessThanOrEqual'), using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list.\n\nThe algorithm to decide the status specified for a version V is:\n\n\tfor entry in product.versions {\n\t\tif entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {\n\t\t\treturn entry.status\n\t\t}\n\t\tif (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or\n\t\t (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType\n\t\t\tstatus = entry.status\n\t\t\tfor change in entry.changes {\n\t\t\t\tif change.at <= v {\n\t\t\t\t\tstatus = change.status\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn status\n\t\t}\n\t}\n\treturn product.defaultStatus\n\n.",
"oneOf": [
{
"required": ["version", "status"],
"maxProperties": 2
},
{
"required": ["version", "status", "versionType"],
"maxProperties": 3
},
{
"required": ["version", "status", "versionType", "lessThan"]
},
{
"required": ["version", "status", "versionType", "lessThanOrEqual"]
}
],
"properties": {
"version": {
"description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.",
"$ref": "#/definitions/version"
},
"status": {
"description": "The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list.",
"$ref": "#/definitions/status"
},
"versionType": {
"type": "string",
"description": "The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files.",
"minLength": 1,
"maxLength": 128,
"examples": [
"custom",
"git",
"maven",
"python",
"rpm",
"semver"
]
},
"lessThan": {
"description": "The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk `(*)`, indicating an arbitrarily large number in the version ordering. For example, `{version: 1.0, lessThan: 1.*}` would describe the entire 1.X branch for most range kinds, and `{version: 2.0, lessThan: *}` describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified.",
"$ref": "#/definitions/version"
},
"lessThanOrEqual": {
"description": "The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, `{version: 1.0, lessThanOrEqual: 1.3}` covers all versions from 1.0 up to and including 1.3.",
"$ref": "#/definitions/version"
},
"changes": {
"type": "array",
"description": "A list of status changes that take place during the range. The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted.",
"minItems": 1,
"uniqueItems": true,
"items": {
"type": "object",
"description": "The start of a single status change during the range.",
"required": ["at", "status"],
"additionalProperties": false,
"properties": {
"at": {
"description": "The version at which a status change occurs.",
"$ref": "#/definitions/version"
},
"status": {
"description": "The new status in the range starting at the given version.",
"$ref": "#/definitions/status"
}
}
}
}
},
"additionalProperties": false
}
}
}
},
"dataType": {
"description": "Indicates the type of information represented in the JSON instance.",
"type": "string",
"enum": [
"CVE_RECORD"
]
},
"dataVersion": {
"description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.",
"type": "string",
"pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$",
"default": "5.1.0"
},
"cveMetadataPublished": {
"description": "This is metadata about the CVE ID, such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
"type": "object",
"required": [
"cveId",
"assignerOrgId",
"state"
],
"properties": {
"cveId": {
"description": "The CVE identifier that this record pertains to.",
"$ref": "#/definitions/cveId"
},
"assignerOrgId": {
"$ref": "#/definitions/orgId",
"description": "The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to look up the organization record in the user registry service."
},
"assignerShortName": {
"$ref": "#/definitions/shortName",
"description": "The short name for the organization to which the CVE ID was originally assigned."
},
"requesterUserId": {
"$ref": "#/definitions/userId",
"description": "The user that requested the CVE identifier."
},
"dateUpdated": {
"description": "The date/time the record was last updated.",
"$ref": "#/definitions/timestamp"
},
"serial": {
"type": "integer",
"minimum": 1,
"description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
},
"dateReserved": {
"$ref": "#/definitions/timestamp",
"description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
},
"datePublished": {
"$ref": "#/definitions/timestamp",
"description": "The date/time the CVE Record was first published in the CVE List."
},
"state": {
"description": "State of CVE - PUBLISHED, REJECTED.",
"type": "string",
"enum": ["PUBLISHED"]
}
},
"additionalProperties": false
},
"cveMetadataRejected": {
"type": "object",
"description": "This is metadata about the CVE ID, such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services.",
"required": [
"cveId",
"assignerOrgId",
"state"
],
"properties": {
"cveId": {
"description": "The CVE identifier that this record pertains to.",
"$ref": "#/definitions/cveId"
},
"assignerOrgId": {
"$ref": "#/definitions/orgId",
"description": "The UUID for the organization to which the CVE ID was originally assigned."
},
"assignerShortName": {
"$ref": "#/definitions/shortName",
"description": "The short name for the organization to which the CVE ID was originally assigned."
},
"serial": {
"type": "integer",
"minimum": 1,
"description": "The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition."
},
"dateUpdated": {
"description": "The date/time the record was last updated.",
"$ref": "#/definitions/timestamp"
},
"datePublished": {
"$ref": "#/definitions/timestamp",
"description": "The date/time the CVE Record was first published in the CVE List."
},
"dateRejected": {
"$ref": "#/definitions/timestamp",
"description": "The date/time the CVE ID was rejected."
},
"state": {
"type": "string",
"description": "State of CVE - PUBLISHED, REJECTED.",
"enum": ["REJECTED"]
},
"dateReserved": {
"$ref": "#/definitions/timestamp",
"description": "The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
}
},
"additionalProperties": false
},
"providerMetadata": {
"type": "object",
"description": "Details related to the information container provider (CNA or ADP).",
"properties": {
"orgId": {
"$ref": "#/definitions/orgId",
"description": "The container provider's organizational UUID."
},
"shortName": {
"$ref": "#/definitions/shortName",
"description": "The container provider's organizational short name."
},
"dateUpdated": {
"$ref": "#/definitions/timestamp",
"description": "Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission."
}
},
"required": ["orgId"],
"additionalProperties": false
},
"cnaPublishedContainer": {
"description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.",
"type": "object",
"properties": {
"providerMetadata": {
"$ref": "#/definitions/providerMetadata"
},
"dateAssigned": {
"$ref": "#/definitions/timestamp",
"description": "The date/time this CVE ID was associated with a vulnerability by a CNA."
},
"datePublic": {
"$ref": "#/definitions/timestamp",
"description": "If known, the date/time the vulnerability was disclosed publicly."
},
"title": {
"type": "string",
"description": "A title, headline, or a brief phrase summarizing the CVE record. E.g., Buffer overflow in Example Soft.",
"minLength": 1,
"maxLength": 256
},
"descriptions": {
"$ref": "#/definitions/descriptions"
},
"affected": {
"$ref": "#/definitions/affected"
},
"problemTypes": {
"$ref": "#/definitions/problemTypes"
},
"references": {
"$ref": "#/definitions/references"
},
"impacts": {
"$ref": "#/definitions/impacts"
},
"metrics": {
"$ref": "#/definitions/metrics"
},
"configurations": {
"$ref": "#/definitions/configurations"
},
"workarounds": {
"$ref": "#/definitions/workarounds"
},
"solutions": {
"$ref": "#/definitions/solutions"
},
"exploits": {
"$ref": "#/definitions/exploits"
},
"timeline": {
"$ref": "#/definitions/timeline"
},
"credits": {
"$ref": "#/definitions/credits"
},
"source": {
"$ref": "#/definitions/source"
},
"tags": {
"$ref": "#/definitions/cnaTags"
},
"taxonomyMappings": {
"$ref": "#/definitions/taxonomyMappings"
}
},
"required": [
"providerMetadata",
"descriptions",
"affected",
"references"
],
"patternProperties": {
"^x_[^.]*$": {}
},
"$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
"additionalProperties": false
},
"cnaRejectedContainer": {
"description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA.",
"type": "object",
"properties": {
"providerMetadata": {
"$ref": "#/definitions/providerMetadata"
},
"rejectedReasons": {
"description": "Reasons for rejecting this CVE Record.",
"$ref": "#/definitions/descriptions"
},
"replacedBy": {
"type": "array",
"description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
"minItems": 1,
"uniqueItems": true,
"items": {
"$ref": "#/definitions/cveId"
}
}
},
"required": [
"providerMetadata",
"rejectedReasons"
],
"patternProperties": {
"^x_[^.]*$": {}
},
"$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
"additionalProperties": false
},
"adpContainer": {
"description": "An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object.",
"type": "object",
"properties": {
"providerMetadata": {
"$ref": "#/definitions/providerMetadata"
},
"datePublic": {
"$ref": "#/definitions/timestamp",
"description": "If known, the date/time the vulnerability was disclosed publicly."
},
"title": {
"type": "string",
"description": "A title, headline, or a brief phrase summarizing the information in an ADP container.",
"minLength": 1,
"maxLength": 256
},
"descriptions": {
"$ref": "#/definitions/descriptions"
},
"affected": {
"$ref": "#/definitions/affected"
},
"problemTypes": {
"$ref": "#/definitions/problemTypes"
},
"references": {
"$ref": "#/definitions/references"
},
"impacts": {
"$ref": "#/definitions/impacts"
},
"metrics": {
"$ref": "#/definitions/metrics"
},
"configurations": {
"$ref": "#/definitions/configurations"
},
"workarounds": {
"$ref": "#/definitions/workarounds"
},
"solutions": {
"$ref": "#/definitions/solutions"
},
"exploits": {
"$ref": "#/definitions/exploits"
},
"timeline": {
"$ref": "#/definitions/timeline"
},
"credits": {
"$ref": "#/definitions/credits"
},
"source": {
"$ref": "#/definitions/source"
},
"tags": {
"$ref": "#/definitions/adpTags"
},
"taxonomyMappings": {
"$ref": "#/definitions/taxonomyMappings"
}
},
"required": [
"providerMetadata"
],
"minProperties": 2,
"patternProperties": {
"^x_[^.]*$": {}
},
"$comment": "The character . is restricted in names allowed by patternProperties to work-around naming limitations in some common implementations.",
"additionalProperties": false
},
"affected": {
"type": "array",
"description": "List of affected products.",
"minItems": 1,
"items": {"$ref": "#/definitions/product"}
},
"description": {
"type": "object",
"description": "Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media.",
"properties": {
"lang": {"$ref": "#/definitions/language"},
"value": {
"type": "string",
"description": "Plain text description.",
"minLength": 1,
"maxLength": 4096
},
"supportingMedia": {
"type": "array",
"title": "Supporting media",
"description": "Supporting media data for the description, such as markdown, diagrams, etc. (optional). Similar to RFC 2397, each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded.",
"uniqueItems": true,
"minItems": 1,
"items": {
"type": "object",
"properties": {
"type": {
"type": "string",
"title": "Media type",
"minLength": 1,
"maxLength": 256,
"description": "RFC 2046 compliant IANA media type, e.g., text/markdown, text/html.",
"examples": [
"text/markdown",
"text/html",
"image/png",
"image/svg",
"audio/mp3"
]
},
"base64": {
"type": "boolean",
"title": "Encoding",
"description": "If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content.",
"default": false
},
"value": {
"type": "string",
"description": "Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data.",
"minLength": 1,
"maxLength": 16384
}
},
"required": [
"type",
"value"
],
"additionalProperties": false
}
}
},
"required": [
"lang",
"value"
],
"additionalProperties": false
},
"englishLanguageDescription": {
"type": "object",
"description": "A description with lang set to an English language (en, en_US, en_UK, and so on).",
"properties": {"lang": {"$ref": "#/definitions/englishLanguage"}},
"required": ["lang"],
"$comment": "Cannot use additionalProperties: false here, as this prevents the other properties used by /definitions/description."
},
"descriptions": {
"type": "array",
"description": "A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].",
"minItems": 1,
"uniqueItems": true,
"items": {
"$ref": "#/definitions/description"
},
"contains": {
"$ref": "#/definitions/englishLanguageDescription"
}
},
"problemTypes": {
"type": "array",
"description": "This is problem type information (e.g., a CWE identifier). Must contain at least one entry, which can be text, OWASP, or CWE; please note that while only one is required, you can use more than one (or indeed all three) as long as they are correct. (CNA requirement: [PROBLEMTYPE]).",
"items": {
"type": "object",
"required": ["descriptions"],
"properties": {
"descriptions": {
"type": "array",
"items": {
"type": "object",
"required": [
"lang",
"description"
],
"properties": {
"lang": {"$ref": "#/definitions/language"},
"description": {
"type": "string",
"description": "Text description of problemType, or title from CWE or OWASP.",
"minLength": 1,
"maxLength": 4096
},
"cweId": {
"type": "string",
"description": "CWE ID of the CWE that best describes this problemType entry.",
"minLength": 5,
"maxLength": 9,
"pattern": "^CWE-[1-9][0-9]*$"
},
"type": {
"type": "string",
"description": "Problemtype source: text, OWASP, CWE, etc.",
"minLength": 1,
"maxLength": 128
},
"references": {"$ref": "#/definitions/references"}
},
"additionalProperties": false
},
"minItems": 1,
"uniqueItems": true
}
},
"additionalProperties": false
},
"minItems": 1,
"uniqueItems": true
},
"references": {
"type": "array",
"description": "This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file; exact format to be decided, e.g., we may require a compressed format so that the objects require unpacking before they are \"dangerous\").",
"items": {"$ref": "#/definitions/reference"},
"minItems": 1,
"maxItems": 512,
"uniqueItems": true
},
"impacts": {
"type": "array",
"description": "Collection of impacts of this vulnerability.",
"minItems": 1,
"uniqueItems": true,
"items": {
"type": "object",
"description": "This is impact type information (e.g., a text description).",
"required": ["descriptions"],
"properties": {
"capecId": {
"type": "string",
"description": "CAPEC ID that best relates to this impact.",
"minLength": 7,
"maxLength": 11,
"pattern": "^CAPEC-[1-9][0-9]{0,4}$"
},
"descriptions": {
"description": "Prose description of the impact scenario. At a minimum provide the description given by CAPEC.",
"$ref": "#/definitions/descriptions"
}
},
"additionalProperties": false
}
},
"metrics": {
"type": "array",
"description": "Collection of impact scores with attribution.",
"minItems": 1,
"uniqueItems": true,
"items": {
"type": "object",
"description": "This is impact type information (e.g., a text description, CVSSv2, CVSSv3, CVSSv4, etc.). Must contain at least one entry, which can be text, CVSSv2, CVSSv3, etc.; others may be added.",
"anyOf": [
{
"required": ["cvssV4_0"]
},
{
"required": ["cvssV3_1"]
},
{
"required": ["cvssV3_0"]
},
{
"required": ["cvssV2_0"]
},
{
"required": ["other"]
}
],
"properties": {
"format": {
"type": "string",
"description": "Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema.",
"minLength": 1,
"maxLength": 64
},
"scenarios": {
"type": "array",
"description": "Description of the scenarios this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
"minItems": 1,
"uniqueItems": true,
"items": {
"type": "object",
"properties": {
"lang": {"$ref": "#/definitions/language"},
"value": {
"type": "string",
"default": "GENERAL",
"description": "Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches.",
"minLength": 1,
"maxLength": 4096
}
},
"required": [
"lang",
"value"
],
"additionalProperties": false
}
},
"cvssV4_0": {"$ref": "file:imports/cvss/cvss-v4.0.json"},
"cvssV3_1": {"$ref": "file:imports/cvss/cvss-v3.1.json"},
"cvssV3_0": {"$ref": "file:imports/cvss/cvss-v3.0.json"},
"cvssV2_0": {"$ref": "file:imports/cvss/cvss-v2.0.json"},
"other": {
"type": "object",
"description": "A non-standard impact description, may be prose or JSON block.",
"required": [
"type",
"content"
],
"properties": {
"type": {
"description": "Name of the non-standard impact metrics format used.",
"type": "string",
"minLength": 1,
"maxLength": 128
},
"content": {
"type": "object",
"$comment": "additionalProperties are allowed here, since this construct supports arbitrary JSON.",
"description": "JSON object not covered by another metrics format.",
"minProperties": 1
}
},
"additionalProperties": false
}
},
"additionalProperties": false
}
},
"configurations": {
"type": "array",
"description": "Configurations required for exploiting this vulnerability.",
"minItems": 1,
"uniqueItems": true,
"items": {
"$ref": "#/definitions/description"
}
},
"workarounds": {
"type": "array",
"description": "Workarounds and mitigations for this vulnerability.",
"minItems": 1,
"uniqueItems": true,
"items": {
"$ref": "#/definitions/description"
}
},
"solutions": {
"type": "array",
"description": "Information about solutions or remediations available for this vulnerability.",
"minItems": 1,
"uniqueItems": true,
"items": {
"$ref": "#/definitions/description"
}
},
"exploits": {
"type": "array",
"description": "Information about exploits of the vulnerability.",
"minItems": 1,
"uniqueItems": true,
"items": {
"$ref": "#/definitions/description"
}
},
"timeline": {
"type": "array",
"description": "This is timeline information for significant events about this vulnerability or changes to the CVE Record.",
"minItems": 1,
"uniqueItems": true,
"items": {
"type": "object",
"required": [
"time",
"lang",
"value"
],
"properties": {
"time": {
"description": "Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC 3339 and ISO 8601, with an optional timezone: yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM. If the timezone offset is not given, GMT (+00:00) is assumed.",
"$ref": "#/definitions/timestamp"
},
"lang": {
"description": "The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code.",
"$ref": "#/definitions/language"
},
"value": {
"description": "A summary of the event.",
"type": "string",
"minLength": 1,
"maxLength": 4096
}
},
"additionalProperties": false
}
},
"credits": {
"type": "array",
"description": "Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE.",
"minItems": 1,
"uniqueItems": true,
"items": {