
Submitted URL: https://cveproject.github.io/cve-schema/schema/docs/#oneOf_i0_containers_adp_items_references
Effective URL: https://cveproject.github.io/cve-schema/schema/docs/

CVE JSON RECORD FORMAT




cve-schema specifies the CVE JSON record format. This is the blueprint for a
rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs)
and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of
CVE Record data include CVE ID number, affected product(s), affected version(s),
and public references. While those specific items are required when assigning a
CVE, there are many other optional data in the schema that can be used to enrich
CVE Records for community benefit. Learn more about the CVE program at the
official website. This CVE JSON record format is defined using JSON Schema.
Learn more about JSON Schema here.




ONE OF

 * Published
 * Rejected

root > oneOf > Published
Type: object


When a CNA populates the data associated with a CVE ID as a CVE Record, the
state of the CVE Record is Published.

No Additional Properties


DATATYPE REQUIRED

root > oneOf > Published > dataType
Type: enum (of string)


Indicates the type of information represented in the JSON instance.

MUST BE ONE OF:

 * "CVE_RECORD"


DATAVERSION REQUIRED

root > oneOf > Published > dataVersion
Type: string Default: "5.1.0"


The version of the CVE schema used for validating this record. Used to support
multiple versions of this format.

Must match regular expression: ^5\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))?$


CVEMETADATA REQUIRED

root > oneOf > Published > cveMetadata
Type: object


This is metadata about the CVE ID such as the CVE ID, who requested it, who
assigned it, when it was requested, the current state (PUBLISHED, REJECTED,
etc.) and so on. These fields are controlled by the CVE Services.

No Additional Properties


CVEID REQUIRED

root > oneOf > Published > cveMetadata > cveId
Type: string


The CVE identifier that this record pertains to.

Must match regular expression: ^CVE-[0-9]{4}-[0-9]{4,19}$


ASSIGNERORGID REQUIRED

root > oneOf > Published > cveMetadata > assignerOrgId
Type: string


The UUID for the organization to which the CVE ID was originally assigned. This
UUID can be used to look up the organization record in the user registry service.

Must match regular expression:
^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$


ASSIGNERSHORTNAME

root > oneOf > Published > cveMetadata > assignerShortName
Type: string


The short name for the organization to which the CVE ID was originally assigned.

Must be at least 2 characters long

Must be at most 32 characters long


REQUESTERUSERID

root > oneOf > Published > cveMetadata > requesterUserId
Type: string


The user that requested the CVE identifier.

Same definition as assignerOrgId


DATEUPDATED

root > oneOf > Published > cveMetadata > dateUpdated
Type: string


The date/time the record was last updated.

Must match regular expression:
^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$


SERIAL

root > oneOf > Published > cveMetadata > serial
Type: integer


The system of record causes this to start at 1, and increment by 1 each time a
submission from a data provider changes this CVE Record. The incremented value
moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to
the Published schema upon a REJECTED->PUBLISHED transition.

Value must be greater or equal to 1


DATERESERVED

root > oneOf > Published > cveMetadata > dateReserved
Type: string


The date/time this CVE ID was reserved in the CVE automation workgroup services
system. Disclaimer: This date reflects when the CVE ID was reserved, and does
not necessarily indicate when this vulnerability was discovered, shared with the
affected vendor, publicly disclosed, or updated in CVE.

Same definition as dateUpdated


DATEPUBLISHED

root > oneOf > Published > cveMetadata > datePublished
Type: string


The date/time the CVE Record was first published in the CVE List.

Same definition as dateUpdated


STATE REQUIRED

root > oneOf > Published > cveMetadata > state
Type: enum (of string)


State of CVE - PUBLISHED, REJECTED.

MUST BE ONE OF:

 * "PUBLISHED"


CONTAINERS REQUIRED

root > oneOf > Published > containers
Type: object


A set of structures (called containers) used to store vulnerability information
related to a specific CVE ID provided by a specific organization participating
in the CVE program. Each container includes information provided by a different
source.

At a minimum, a 'cna' container containing the vulnerability information
provided by the CNA who initially assigned the CVE ID must be included.

There can only be one 'cna' container, as there can only be one assigning CNA.
However, there can be multiple 'adp' containers, allowing multiple organizations
participating in the CVE program to add additional information related to the
vulnerability. For the most part, the 'cna' and 'adp' containers contain the
same properties. The main difference is the source of the information. The
'cna' container requires the CNA to include certain fields, while the 'adp'
container does not.


No Additional Properties


CNA REQUIRED

root > oneOf > Published > containers > cna
Type: object


An object containing the vulnerability information provided by a CVE Numbering
Authority (CNA) for a published CVE ID. There can only be one CNA container per
CVE record since there can only be one assigning CNA. The CNA container must
include the required information defined in the CVE Rules, which includes a
product, version, problem type, prose description, and a reference.

No Additional Properties


PROVIDERMETADATA REQUIRED

root > oneOf > Published > containers > cna > providerMetadata
Type: object


Details related to the information container provider (CNA or ADP).

No Additional Properties


ORGID REQUIRED

root > oneOf > Published > containers > cna > providerMetadata > orgId
Type: string


The container provider's organizational UUID.

Same definition as assignerOrgId


SHORTNAME

root > oneOf > Published > containers > cna > providerMetadata > shortName
Type: string


The container provider's organizational short name.

Same definition as assignerShortName


DATEUPDATED

root > oneOf > Published > containers > cna > providerMetadata > dateUpdated
Type: string


Timestamp to be set by the system of record at time of submission. If
dateUpdated is provided to the system of record it will be replaced by the
current timestamp at the time of submission.

Same definition as dateUpdated


DATEASSIGNED

root > oneOf > Published > containers > cna > dateAssigned
Type: string


The date/time this CVE ID was associated with a vulnerability by a CNA.

Same definition as dateUpdated


DATEPUBLIC

root > oneOf > Published > containers > cna > datePublic
Type: string


If known, the date/time the vulnerability was disclosed publicly.

Same definition as dateUpdated


TITLE

root > oneOf > Published > containers > cna > title
Type: string


A title, headline, or a brief phrase summarizing the CVE record. E.g., Buffer
overflow in Example Soft.

Must be at least 1 characters long

Must be at most 256 characters long


DESCRIPTIONS REQUIRED

root > oneOf > Published > containers > cna > descriptions
Type: array


A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE]
in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER]
to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT
CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > descriptions > description
Type: object


Text in a particular language with optional alternate markup or formatted
representation (e.g., Markdown) or embedded media.

No Additional Properties


LANG REQUIRED

root > oneOf > Published > containers > cna > descriptions > items > lang
Type: string Default: "en"


BCP 47 language code, language-region.

Must match regular expression:
^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$


VALUE REQUIRED

root > oneOf > Published > containers > cna > descriptions > items > value
Type: string


Plain text description.

Must be at least 1 characters long

Must be at most 4096 characters long


SUPPORTINGMEDIA

root > oneOf > Published > containers > cna > descriptions > items >
supportingMedia
Type: array of object


Supporting media data for the description such as Markdown, diagrams, etc.
(optional). Similar to RFC 2397, each media object has three main parts: media
type, media data value, and an optional boolean flag to indicate if the media
data is base64 encoded.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > descriptions > items >
supportingMedia > items
Type: object
No Additional Properties


TYPE REQUIRED

root > oneOf > Published > containers > cna > descriptions > items >
supportingMedia > items > type
Type: string


RFC 2046 compliant IANA media type, e.g., text/markdown, text/html.

Must be at least 1 characters long

Must be at most 256 characters long


Examples:


"text/markdown"


"text/html"


"image/png"


"image/svg"


"audio/mp3"



BASE64

root > oneOf > Published > containers > cna > descriptions > items >
supportingMedia > items > base64
Type: boolean Default: false


If true then the value field contains the media data encoded in base64. If false
then the value field contains the UTF-8 media content.


VALUE REQUIRED

root > oneOf > Published > containers > cna > descriptions > items >
supportingMedia > items > value
Type: string


Supporting media content, up to 16K. If base64 is true, this field stores base64
encoded data.

Must be at least 1 characters long

Must be at most 16384 characters long

AT LEAST ONE OF THE ITEMS MUST BE:

root > oneOf > Published > containers > cna > descriptions >
englishLanguageDescription
Type: object


A description with lang set to an English language (en, enUS, enUK, and so on).


LANG REQUIRED

root > oneOf > Published > containers > cna > descriptions > contains > lang
Type: string


BCP 47 language code, language-region, required to be English.

Must match regular expression:
^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$


AFFECTED REQUIRED

root > oneOf > Published > containers > cna > affected
Type: array


List of affected products.

Must contain a minimum of 1 items

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > affected > product
Type: object


Provides information about the set of products and services affected by this
vulnerability.


ALL OF

 * Requirement 1
 * Requirement 2

root > oneOf > Published > containers > cna > affected > items > allOf > item 0



ANY OF

 * Option 1
 * Option 2

root > oneOf > Published > containers > cna > affected > items > allOf > item 0
> anyOf > item 0
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * product
 * vendor

root > oneOf > Published > containers > cna > affected > items > allOf > item 0
> anyOf > item 1
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * packageName
 * collectionURL

root > oneOf > Published > containers > cna > affected > items > allOf > item 1



ANY OF

 * Option 1
 * Option 2

root > oneOf > Published > containers > cna > affected > items > allOf > item 1
> anyOf > item 0
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * versions

root > oneOf > Published > containers > cna > affected > items > allOf > item 1
> anyOf > item 1
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * defaultStatus


VENDOR

root > oneOf > Published > containers > cna > affected > items > vendor
Type: string


Name of the organization, project, community, individual, or user that created
or maintains this product or hosted service. Can be 'N/A' if none of those
apply. When collectionURL and packageName are used, this field may optionally
represent the user or account within the package collection associated with the
package.

Must be at least 1 characters long

Must be at most 512 characters long


PRODUCT

root > oneOf > Published > containers > cna > affected > items > product
Type: string


Name of the affected product.

Must be at least 1 characters long

Must be at most 2048 characters long


COLLECTIONURL

root > oneOf > Published > containers > cna > affected > items > collectionURL
Type: string


URL identifying a package collection (determines the meaning of packageName).

Must be at least 1 characters long

Must be at most 2048 characters long


Examples:


"https://access.redhat.com/downloads/content/package-browser"


"https://addons.mozilla.org"


"https://addons.thunderbird.net"


"https://anaconda.org/anaconda/repo"


"https://app.vagrantup.com/boxes/search"


"https://apps.apple.com"


"https://archlinux.org/packages"


"https://atmospherejs.meteor.com"


"https://atom.io/packages"


"https://bitbucket.org"


"https://bower.io"


"https://brew.sh/"


"https://chocolatey.org/packages"


"https://chrome.google.com/webstore"


"https://clojars.org"


"https://cocoapods.org"


"https://code.dlang.org"


"https://conan.io/center"


"https://cpan.org/modules"


"https://cran.r-project.org"


"https://crates.io"


"https://ctan.org/pkg"


"https://drupal.org"


"https://exchange.adobe.com"


"https://forge.puppet.com/modules"


"https://github.com"


"https://gitlab.com/explore"


"https://golang.org/pkg"


"https://guix.gnu.org/packages"


"https://hackage.haskell.org"


"https://helm.sh"


"https://hub.docker.com"


"https://juliahub.com"


"https://lib.haxe.org"


"https://luarocks.org"


"https://marketplace.visualstudio.com"


"https://melpa.org"


"https://microsoft.com/en-us/store/apps"


"https://nimble.directory"


"https://nuget.org/packages"


"https://opam.ocaml.org/packages"


"https://openwrt.org/packages/index"


"https://package.elm-lang.org"


"https://packagecontrol.io"


"https://packages.debian.org"


"https://packages.gentoo.org"


"https://packagist.org"


"https://pear.php.net/packages.php"


"https://pecl.php.net"


"https://platformio.org/lib"


"https://play.google.com/store"


"https://plugins.gradle.org"


"https://projects.eclipse.org"


"https://pub.dev"


"https://pypi.python.org"


"https://registry.npmjs.org"


"https://registry.terraform.io"


"https://repo.hex.pm"


"https://repo.maven.apache.org/maven2"


"https://rubygems.org"


"https://search.nixos.org/packages"


"https://sourceforge.net"


"https://wordpress.org/plugins"



PACKAGENAME

root > oneOf > Published > containers > cna > affected > items > packageName
Type: string


Name or identifier of the affected software package as used in the package
collection.

Must be at least 1 characters long

Must be at most 2048 characters long


CPES

root > oneOf > Published > containers > cna > affected > items > cpes
Type: array of string


Affected products defined by CPE. This is an array of CPE values (vulnerable and
not). An array is used so that multiple, separate statements can be made about
the same version (with a JSON object we would essentially be keying on the CPE
name, and the statements would have to overlap). This also allows things like
cveDataVersion or cveDescription to be applied directly to the product entry,
and allows more complex statements such as "Product X between versions 10.2 and
10.8" to be put in a machine-readable format. Because multiple statements can be
used, multiple branches of the same product can also be defined here.



All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > affected > items > cpes > CPE Name
Type: string


Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format

Must match regular expression:
([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\-~%]*){0,6})|(cpe:2\.3:[aho*\-](:(((\?*|\*?)([a-zA-Z0-9\-._]|(\\[\\*?!"#$%&'()+,/:;<=>@\[\]\^`{|}~]))+(\?*|\*?))|[*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-._]|(\\[\\*?!"#$%&'()+,/:;<=>@\[\]\^`{|}~]))+(\?*|\*?))|[*\-])){4})

Must be at least 1 characters long

Must be at most 2048 characters long


MODULES

root > oneOf > Published > containers > cna > affected > items > modules
Type: array of string


A list of the affected components, features, modules, sub-components,
sub-products, APIs, commands, utilities, programs, or functionalities
(optional).

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > affected > items > modules > items
Type: string


Name of the affected component, feature, module, sub-component, sub-product,
API, command, utility, program, or functionality (optional).

Must be at least 1 characters long

Must be at most 4096 characters long


PROGRAMFILES

root > oneOf > Published > containers > cna > affected > items > programFiles
Type: array of string


A list of the affected source code files (optional).

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > affected > items > programFiles >
items
Type: string


Name or path or location of the affected source code file.

Must be at least 1 characters long

Must be at most 1024 characters long


PROGRAMROUTINES

root > oneOf > Published > containers > cna > affected > items > programRoutines
Type: array of object


A list of the affected source code functions, methods, subroutines, or
procedures (optional).

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > affected > items > programRoutines
> items
Type: object


An object describing program routine.

No Additional Properties


NAME REQUIRED

root > oneOf > Published > containers > cna > affected > items > programRoutines
> items > name
Type: string


Name of the affected source code file, function, method, subroutine, or
procedure.

Must be at least 1 characters long

Must be at most 4096 characters long


PLATFORMS

root > oneOf > Published > containers > cna > affected > items > platforms
Type: array of string


List of specific platforms if the vulnerability is only relevant in the context
of these platforms (optional). Platforms may include execution environments,
operating systems, virtualization technologies, hardware models, or computing
architectures. The lack of this field or an empty array implies that the other
fields are applicable to all relevant platforms.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > affected > items > platforms >
items
Type: string


Must be at most 1024 characters long


Examples:


"iOS"


"Android"


"Windows"


"macOS"


"x86"


"ARM"


"64 bit"


"Big Endian"


"iPad"


"Chromebook"


"Docker"


"Model T"



REPO

root > oneOf > Published > containers > cna > affected > items > repo
Type: string


The URL of the source code repository, for informational purposes and/or to
resolve git hash version ranges.

Same definition as collectionURL


DEFAULTSTATUS

root > oneOf > Published > containers > cna > affected > items > defaultStatus
Type: enum (of string)


The default status for versions that are not otherwise listed in the versions
list. If not specified, defaultStatus defaults to 'unknown'. Versions or
defaultStatus may be omitted, but not both.

MUST BE ONE OF:

 * "affected"
 * "unaffected"
 * "unknown"


VERSIONS

root > oneOf > Published > containers > cna > affected > items > versions
Type: array of object


Set of product versions or version ranges related to the vulnerability. The
versions satisfy the CNA Rules 8.1.2 requirement. Versions or defaultStatus may
be omitted, but not both.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > affected > items > versions >
items


A single version or a range of versions, with vulnerability status.

An entry with only 'version' and 'status' indicates the status of a single
version.

Otherwise, an entry describes a range; it must include the 'versionType'
property, to define the version numbering semantics in use, and 'limit', to
indicate the non-inclusive upper limit of the range. The object describes the
status for versions V such that 'version' <= V and V < 'limit', using the <= and
< semantics defined for the specific kind of 'versionType'. Status changes
within the range can be specified by an optional 'changes' list.

The algorithm to decide the status specified for a version V is:

for entry in product.versions {
    if entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {
        return entry.status
    }
    if (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or
       (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) { // <= and < defined by entry.versionType
        status = entry.status
        for change in entry.changes {
            if change.at <= v {
                status = change.status
            }
        }
        return status
    }
}
return product.defaultStatus




No Additional Properties


ONE OF

 * Option 1
 * Option 2
 * Option 3
 * Option 4

root > oneOf > Published > containers > cna > affected > items > versions >
items > oneOf > item 0
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * version
 * status

root > oneOf > Published > containers > cna > affected > items > versions >
items > oneOf > item 1
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * version
 * versionType
 * status

root > oneOf > Published > containers > cna > affected > items > versions >
items > oneOf > item 2
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * lessThan
 * version
 * versionType
 * status

root > oneOf > Published > containers > cna > affected > items > versions >
items > oneOf > item 3
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * lessThanOrEqual
 * version
 * versionType
 * status


VERSION

root > oneOf > Published > containers > cna > affected > items > versions >
items > version
Type: string


The single version being described, or the version at the start of the range. By
convention, typically 0 denotes the earliest possible version.

Must be at least 1 characters long

Must be at most 1024 characters long


STATUS

root > oneOf > Published > containers > cna > affected > items > versions >
items > status
Type: enum (of string)


The vulnerability status for the version or range of versions. For a range, the
status may be refined by the 'changes' list.

Same definition as defaultStatus


VERSIONTYPE

root > oneOf > Published > containers > cna > affected > items > versions >
items > versionType
Type: string


The version numbering system used for specifying the range. This defines the
exact semantics of the comparison (less-than) operation on versions, which is
required to understand the range itself. 'Custom' indicates that the version
type is unspecified and should be avoided whenever possible. It is included
primarily for use in conversion of older data files.

Must be at least 1 characters long

Must be at most 128 characters long


Examples:


"custom"


"git"


"maven"


"python"


"rpm"


"semver"



LESSTHAN

root > oneOf > Published > containers > cna > affected > items > versions >
items > lessThan
Type: string


The non-inclusive upper limit of the range. This is the least version NOT in the
range. The usual version syntax is expanded to allow a pattern to end in an
asterisk (*), indicating an arbitrarily large number in the version ordering.
For example, {version: 1.0, lessThan: 1.*} would describe the entire 1.X branch
for most range kinds, and {version: 2.0, lessThan: *} describes all versions
starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and
lessThanOrEqual should be specified.

Same definition as version


LESSTHANOREQUAL

root > oneOf > Published > containers > cna > affected > items > versions >
items > lessThanOrEqual
Type: string


The inclusive upper limit of the range. This is the greatest version contained
in the range. Only one of lessThan and lessThanOrEqual should be specified. For
example, {version: 1.0, lessThanOrEqual: 1.3} covers all versions from 1.0 up to
and including 1.3.

Same definition as version


CHANGES

root > oneOf > Published > containers > cna > affected > items > versions >
items > changes
Type: array of object


A list of status changes that take place during the range. The array should be
sorted in increasing order by the 'at' field, according to the versionType, but
clients must re-sort the list themselves rather than assume it is sorted.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > affected > items > versions >
items > changes > items
Type: object


The start of a single status change during the range.

No Additional Properties


AT REQUIRED

root > oneOf > Published > containers > cna > affected > items > versions >
items > changes > items > at
Type: string


The version at which a status change occurs.

Same definition as version


STATUS REQUIRED

root > oneOf > Published > containers > cna > affected > items > versions >
items > changes > items > status
Type: enum (of string)


The new status in the range starting at the given version.

Same definition as defaultStatus
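
The status algorithm given under versions, combined with the lessThan wildcard and the rule that clients must re-sort changes, as a runnable Python sketch. This is an added example, not code from the CVE schema project: the dotted-numeric ordering used for "semver" is a simplifying assumption, the product data is constructed, and status_for and version_key are hypothetical names.

```python
"""Resolve the status of a version against a CVE 'affected' product entry."""

WILDCARD = float("inf")      # '*' sorts above every concrete number
WIDTH = 8                    # assumed maximum number of dotted components
SUPPORTED_TYPES = {"semver"}  # assumption: numeric dotted subset only


def version_key(text, allow_wildcard=False):
    """Turn '1.4.2' into a zero-padded tuple so '1.0' and '1.0.0' compare equal."""
    parts = []
    for piece in text.split("."):
        if piece == "*" and allow_wildcard:
            parts.append(WILDCARD)
        elif piece.isdigit():
            parts.append(int(piece))
        else:
            # Pre-release tags, git hashes etc. are outside this sketch.
            raise ValueError(f"unsupported version component: {piece!r}")
    if len(parts) > WIDTH:
        raise ValueError(f"too many components in {text!r}")
    return tuple(parts) + (0,) * (WIDTH - len(parts))


def status_for(product, v):
    """Apply the schema's algorithm; fall back to defaultStatus, then 'unknown'."""
    for entry in product.get("versions", []):
        has_lt = "lessThan" in entry
        has_le = "lessThanOrEqual" in entry
        if not has_lt and not has_le:
            # Single-version entry: exact match on the version string.
            if v == entry["version"]:
                return entry["status"]
            continue
        vtype = entry.get("versionType")
        if vtype not in SUPPORTED_TYPES:
            # Fail closed: guessing an ordering could hide an affected version.
            raise ValueError(f"no comparison defined for versionType {vtype!r}")
        lo, pv = version_key(entry["version"]), version_key(v)
        in_range = (
            has_lt and lo <= pv < version_key(entry["lessThan"], allow_wildcard=True)
        ) or (
            has_le and lo <= pv <= version_key(entry["lessThanOrEqual"])
        )
        if not in_range:
            continue
        status = entry["status"]
        # Records are not guaranteed to list 'changes' in order, so sort first.
        changes = sorted(entry.get("changes", []), key=lambda c: version_key(c["at"]))
        for change in changes:
            if version_key(change["at"]) <= pv:
                status = change["status"]
        return status
    return product.get("defaultStatus", "unknown")


# Constructed sample record fragment (not a real CVE Record).
PRODUCT = {
    "vendor": "Example Vendor",
    "product": "Example Soft",
    "defaultStatus": "unaffected",
    "versions": [
        {
            "version": "1.0", "lessThan": "1.*",
            "versionType": "semver", "status": "affected",
            # Deliberately out of order: fix, regression, second fix.
            "changes": [
                {"at": "1.6.5", "status": "unaffected"},
                {"at": "1.4.2", "status": "unaffected"},
                {"at": "1.6.0", "status": "affected"},
            ],
        },
        {"version": "2.0", "lessThanOrEqual": "2.3",
         "versionType": "semver", "status": "affected"},
        {"version": "3.1.4", "status": "affected"},
    ],
}

if __name__ == "__main__":
    for candidate in ["0.9", "1.2.0", "1.5.0", "1.6.2", "1.7.0", "2.3", "2.3.1", "3.1.4"]:
        print(candidate, status_for(PRODUCT, candidate))
```

Iterating the changes list in the order given would report 1.7.0 as affected, because the 1.6.0 regression entry is listed last; sorting by 'at' gives the correct result.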


PROBLEMTYPES

root > oneOf > Published > containers > cna > problemTypes
Type: array of object


This is problem type information (e.g. CWE identifier). Must contain at least
one entry, which can be text, OWASP, or CWE. Note that while only one is
required, you can use more than one (or indeed all three) as long as they are
correct. (CNA requirement: [PROBLEMTYPE]).

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > problemTypes > items
Type: object
No Additional Properties


DESCRIPTIONS REQUIRED

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions
Type: array of object


Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items
Type: object
No Additional Properties


LANG REQUIRED

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items > lang
Type: string Default: "en"


BCP 47 language code, language-region.

Same definition as lang


DESCRIPTION REQUIRED

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items > description
Type: string


Text description of problemType, or title from CWE or OWASP.

Must be at least 1 characters long

Must be at most 4096 characters long


CWEID

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items > cweId
Type: string


CWE ID of the CWE that best describes this problemType entry.

Must match regular expression: ^CWE-[1-9][0-9]*$

Must be at least 5 characters long

Must be at most 9 characters long


TYPE

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items > type
Type: string


Problem type source: text, OWASP, CWE, etc.

Must be at least 1 characters long

Must be at most 128 characters long


REFERENCES

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items > references
Type: array


This is reference data in the form of URLs or file objects (uuencoded and
embedded within the JSON file, exact format to be decided, e.g. we may require a
compressed format so the objects require unpacking before they are "dangerous").

Same definition as references


REFERENCES REQUIRED

root > oneOf > Published > containers > cna > references
Type: array


This is reference data in the form of URLs or file objects (uuencoded and
embedded within the JSON file, exact format to be decided, e.g. we may require a
compressed format so the objects require unpacking before they are "dangerous").

Must contain a minimum of 1 items

Must contain a maximum of 512 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items > references > reference
Type: object
No Additional Properties


URL REQUIRED

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items > references > items > url
Type: string


The uniform resource locator (URL), according to RFC 3986, that can be used to
retrieve the referenced resource.

Same definition as collectionURL


NAME

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items > references > items > name
Type: string


User created name for the reference, often the title of the page.

Must be at least 1 characters long

Must be at most 512 characters long


TAGS

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items > references > items > tags
Type: array


An array of one or more tags that describe the resource referenced by 'url'.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items > references > items > tags > items



ONE OF

 * tagExtension
 * reference-tags.json

root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items > references > items > tags > items > oneOf > tagExtension
Type: string
Same definition as tagExtension
root > oneOf > Published > containers > cna > problemTypes > items >
descriptions > items > references > items > tags > items > oneOf >
reference-tags.json
Type: enum (of string)


broken-link: The reference link is returning a 404 error, or the site is no
longer online.

customer-entitlement: Similar to Privileges Required, but specific to references
that require non-public/paid access for customers of the particular vendor.

exploit: Reference contains an in-depth/detailed description of steps to exploit
a vulnerability OR the reference contains any legitimate Proof of Concept (PoC)
code or exploit kit.

government-resource: All reference links that are from a government agency or
organization should be given the Government Resource tag.

issue-tracking: The reference is a post from a bug tracking tool such as
MantisBT, Bugzilla, JIRA, GitHub Issues, etc.

mailing-list: The reference is from a mailing list -- often specific to a
product or vendor.

mitigation: The reference contains information on steps to mitigate against the
vulnerability in the event a patch can't be applied or is unavailable or for EOL
product situations.

not-applicable: The reference link is not applicable to the vulnerability and
was likely associated by MITRE accidentally (should be used sparingly).

patch: The reference contains an update to the software that fixes the
vulnerability.

permissions-required: The reference link provided is blocked by a logon page. If
credentials are required to see any information this tag must be applied.

media-coverage: The reference is from a media outlet such as a newspaper,
magazine, social media, or weblog. This tag is not intended to apply to any
individual's personal social media account. It is strictly intended for public
media entities.

product: A reference appropriate for describing a product for the purpose of CPE
or SWID.

related: A reference that is for a related (but not the same) vulnerability.

release-notes: The reference is in the format of a vendor or open source
project's release notes or change log.

signature: The reference contains a method to detect or prevent the presence or
exploitation of the vulnerability.

technical-description: The reference contains in-depth technical information
about a vulnerability and its exploitation process, typically in the form of a
presentation or whitepaper.

third-party-advisory: Advisory is from an organization that is not the
vulnerable product's vendor/publisher/maintainer.

vendor-advisory: Advisory is from the vendor/publisher/maintainer of the product
or the parent organization.

vdb-entry: VDBs are loosely defined as sites that provide information about this
vulnerability, such as advisories, with identifiers. Included VDBs are free to
access, substantially public, and have broad scope and coverage (not limited to
a single vendor or research organization). See:
https://www.first.org/global/sigs/vrdx/vdb-catalog



MUST BE ONE OF:

 * "broken-link"
 * "customer-entitlement"
 * "exploit"
 * "government-resource"
 * "issue-tracking"
 * "mailing-list"
 * "mitigation"
 * "not-applicable"
 * "patch"
 * "permissions-required"
 * "media-coverage"
 * "product"
 * "related"
 * "release-notes"
 * "signature"
 * "technical-description"
 * "third-party-advisory"
 * "vendor-advisory"
 * "vdb-entry"


IMPACTS

root > oneOf > Published > containers > cna > impacts
Type: array of object


Collection of impacts of this vulnerability.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > impacts > items
Type: object


This is impact type information (e.g. a text description).

No Additional Properties


CAPECID

root > oneOf > Published > containers > cna > impacts > items > capecId
Type: string


CAPEC ID that best relates to this impact.

Must match regular expression: ^CAPEC-[1-9][0-9]{0,4}$

Must be at least 7 characters long

Must be at most 11 characters long


DESCRIPTIONS REQUIRED

root > oneOf > Published > containers > cna > impacts > items > descriptions
Type: array


Prose description of the impact scenario. At a minimum provide the description
given by CAPEC.

Same definition as descriptions


METRICS

root > oneOf > Published > containers > cna > metrics
Type: array of object


Collection of impact scores with attribution.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > metrics > items


This is impact type information (e.g. a text description, CVSSv2, CVSSv3,
CVSSv4, etc.). Must contain at least one entry, which can be text, CVSSv2 or
CVSSv3; others may be added.

No Additional Properties


ANY OF

 * Option 1
 * Option 2
 * Option 3
 * Option 4
 * Option 5

root > oneOf > Published > containers > cna > metrics > items > anyOf > item 0
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * cvssV4_0

root > oneOf > Published > containers > cna > metrics > items > anyOf > item 1
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * cvssV3_1

root > oneOf > Published > containers > cna > metrics > items > anyOf > item 2
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * cvssV3_0

root > oneOf > Published > containers > cna > metrics > items > anyOf > item 3
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * cvssV2_0

root > oneOf > Published > containers > cna > metrics > items > anyOf > item 4
Type: object


THE FOLLOWING PROPERTIES ARE REQUIRED:

 * other


FORMAT

root > oneOf > Published > containers > cna > metrics > items > format
Type: string


Name of the scoring format. This provides a bit of future proofing. Additional
properties are not prohibited, so this will support the inclusion of proprietary
formats. It also provides an easy conversion mechanism when future score
formats become part of the schema. Example: for cvssV44, format = 'cvssV44' and
other = the cvssV4_4 JSON object. In the future, the other properties can be
converted to score properties when they become part of the schema.

Must be at least 1 characters long

Must be at most 64 characters long


SCENARIOS

root > oneOf > Published > containers > cna > metrics > items > scenarios
Type: array of object


Description of the scenarios this metrics object applies to. If no specific
scenario is given, GENERAL is used as the default and applies when no more
specific metric matches.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > metrics > items > scenarios >
items
Type: object
No Additional Properties


LANG REQUIRED

root > oneOf > Published > containers > cna > metrics > items > scenarios >
items > lang
Type: string Default: "en"


BCP 47 language code, language-region.

Same definition as lang


VALUE REQUIRED

root > oneOf > Published > containers > cna > metrics > items > scenarios >
items > value
Type: string Default: "GENERAL"


Description of the scenario this metrics object applies to. If no specific
scenario is given, GENERAL is used as the default and applies when no more
specific metric matches.

Must be at least 1 characters long

Must be at most 4096 characters long


CVSSV4_0

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0
Type: object
No Additional Properties


ALL OF

 * Requirement 1
 * Requirement 2
 * Requirement 3

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0



ANY OF

 * Option 1
 * Option 2
 * Option 3
 * Option 4
 * Option 5

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 0
Type: object



BASESCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 0 > baseScore
Type: number


Value must be greater or equal to 0.0 and lesser or equal to 0.0


BASESEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 0 > baseSeverity
Type: const
Specific value: "NONE"
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 1
Type: object



BASESCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 1 > baseScore
Type: number


Value must be greater or equal to 0.1 and lesser or equal to 3.9 and a multiple
of 0.1


BASESEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 1 > baseSeverity
Type: const
Specific value: "LOW"
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 2
Type: object



BASESCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 2 > baseScore
Type: number


Value must be greater or equal to 4.0 and lesser or equal to 6.9 and a multiple
of 0.1


BASESEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 2 > baseSeverity
Type: const
Specific value: "MEDIUM"
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 3
Type: object



BASESCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 3 > baseScore
Type: number


Value must be greater or equal to 7.0 and lesser or equal to 8.9 and a multiple
of 0.1


BASESEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 3 > baseSeverity
Type: const
Specific value: "HIGH"
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 4
Type: object



BASESCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 4 > baseScore
Type: number


Value must be greater or equal to 9.0 and lesser or equal to 10 and a multiple
of 0.1


BASESEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 0 > anyOf > item 4 > baseSeverity
Type: const
Specific value: "CRITICAL"
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1



ANY OF

 * Option 1
 * Option 2
 * Option 3
 * Option 4
 * Option 5

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 0
Type: object



THREATSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 0 > threatScore
Type: number
Same definition as baseScore


THREATSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 0 > threatSeverity
Type: const
Same definition as baseSeverity
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 1
Type: object



THREATSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 1 > threatScore
Type: number
Same definition as baseScore


THREATSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 1 > threatSeverity
Type: const
Same definition as baseSeverity
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 2
Type: object



THREATSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 2 > threatScore
Type: number
Same definition as baseScore


THREATSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 2 > threatSeverity
Type: const
Same definition as baseSeverity
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 3
Type: object



THREATSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 3 > threatScore
Type: number
Same definition as baseScore


THREATSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 3 > threatSeverity
Type: const
Same definition as baseSeverity
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 4
Type: object



THREATSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 4 > threatScore
Type: number
Same definition as baseScore


THREATSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 1 > anyOf > item 4 > threatSeverity
Type: const
Same definition as baseSeverity
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2



ANY OF

 * Option 1
 * Option 2
 * Option 3
 * Option 4
 * Option 5

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 0
Type: object



ENVIRONMENTALSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 0 > environmentalScore
Type: number
Same definition as baseScore


ENVIRONMENTALSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 0 > environmentalSeverity
Type: const
Same definition as baseSeverity
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 1
Type: object



ENVIRONMENTALSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 1 > environmentalScore
Type: number
Same definition as baseScore


ENVIRONMENTALSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 1 > environmentalSeverity
Type: const
Same definition as baseSeverity
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 2
Type: object



ENVIRONMENTALSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 2 > environmentalScore
Type: number
Same definition as baseScore


ENVIRONMENTALSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 2 > environmentalSeverity
Type: const
Same definition as baseSeverity
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 3
Type: object



ENVIRONMENTALSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 3 > environmentalScore
Type: number
Same definition as baseScore


ENVIRONMENTALSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 3 > environmentalSeverity
Type: const
Same definition as baseSeverity
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 4
Type: object



ENVIRONMENTALSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 4 > environmentalScore
Type: number
Same definition as baseScore


ENVIRONMENTALSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf
> item 2 > anyOf > item 4 > environmentalSeverity
Type: const
Same definition as baseSeverity


VERSION REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
version
Type: enum (of string)


CVSS Version

MUST BE ONE OF:

 * "4.0"


VECTORSTRING REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
vectorString
Type: string
Must match regular expression:
^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$


BASESCORE REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
baseScore
Type: number


Value must be greater or equal to 0.0 and lesser or equal to 10.0 and a multiple
of 0.1


BASESEVERITY REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
baseSeverity
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "MEDIUM"
 * "HIGH"
 * "CRITICAL"


ATTACKVECTOR

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
attackVector
Type: enum (of string)


MUST BE ONE OF:

 * "NETWORK"
 * "ADJACENT"
 * "LOCAL"
 * "PHYSICAL"


ATTACKCOMPLEXITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
attackComplexity
Type: enum (of string)


MUST BE ONE OF:

 * "HIGH"
 * "LOW"


ATTACKREQUIREMENTS

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
attackRequirements
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "PRESENT"


PRIVILEGESREQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
privilegesRequired
Type: enum (of string)


MUST BE ONE OF:

 * "HIGH"
 * "LOW"
 * "NONE"


USERINTERACTION

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
userInteraction
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "PASSIVE"
 * "ACTIVE"


VULNCONFIDENTIALITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
vulnConfidentialityImpact
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "HIGH"


VULNINTEGRITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
vulnIntegrityImpact
Type: enum (of string)
Same definition as vulnConfidentialityImpact


VULNAVAILABILITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
vulnAvailabilityImpact
Type: enum (of string)
Same definition as vulnConfidentialityImpact


SUBCONFIDENTIALITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
subConfidentialityImpact
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "HIGH"


SUBINTEGRITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
subIntegrityImpact
Type: enum (of string)
Same definition as subConfidentialityImpact


SUBAVAILABILITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
subAvailabilityImpact
Type: enum (of string)
Same definition as subConfidentialityImpact


EXPLOITMATURITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
exploitMaturity
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "UNREPORTED"
 * "PROOF_OF_CONCEPT"
 * "ATTACKED"
 * "NOT_DEFINED"


CONFIDENTIALITYREQUIREMENT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
confidentialityRequirement
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "LOW"
 * "MEDIUM"
 * "HIGH"
 * "NOT_DEFINED"


INTEGRITYREQUIREMENT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
integrityRequirement
Type: enum (of string) Default: "NOT_DEFINED"
Same definition as confidentialityRequirement


AVAILABILITYREQUIREMENT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
availabilityRequirement
Type: enum (of string) Default: "NOT_DEFINED"
Same definition as confidentialityRequirement


MODIFIEDATTACKVECTOR

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
modifiedAttackVector
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "NETWORK"
 * "ADJACENT"
 * "LOCAL"
 * "PHYSICAL"
 * "NOT_DEFINED"


MODIFIEDATTACKCOMPLEXITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
modifiedAttackComplexity
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "HIGH"
 * "LOW"
 * "NOT_DEFINED"


MODIFIEDATTACKREQUIREMENTS

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
modifiedAttackRequirements
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "NONE"
 * "PRESENT"
 * "NOT_DEFINED"


MODIFIEDPRIVILEGESREQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
modifiedPrivilegesRequired
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "HIGH"
 * "LOW"
 * "NONE"
 * "NOT_DEFINED"


MODIFIEDUSERINTERACTION

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
modifiedUserInteraction
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "NONE"
 * "PASSIVE"
 * "ACTIVE"
 * "NOT_DEFINED"


MODIFIEDVULNCONFIDENTIALITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
modifiedVulnConfidentialityImpact
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "HIGH"
 * "NOT_DEFINED"


MODIFIEDVULNINTEGRITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
modifiedVulnIntegrityImpact
Type: enum (of string) Default: "NOT_DEFINED"
Same definition as modifiedVulnConfidentialityImpact


MODIFIEDVULNAVAILABILITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
modifiedVulnAvailabilityImpact
Type: enum (of string) Default: "NOT_DEFINED"
Same definition as modifiedVulnConfidentialityImpact


MODIFIEDSUBCONFIDENTIALITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
modifiedSubConfidentialityImpact
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "HIGH"
 * "NOT_DEFINED"


MODIFIEDSUBINTEGRITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
modifiedSubIntegrityImpact
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "HIGH"
 * "SAFETY"
 * "NOT_DEFINED"


MODIFIEDSUBAVAILABILITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
modifiedSubAvailabilityImpact
Type: enum (of string) Default: "NOT_DEFINED"
Same definition as modifiedSubIntegrityImpact


SAFETY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
Safety
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "NEGLIGIBLE"
 * "PRESENT"
 * "NOT_DEFINED"


AUTOMATABLE

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
Automatable
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "NO"
 * "YES"
 * "NOT_DEFINED"


RECOVERY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
Recovery
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "AUTOMATIC"
 * "USER"
 * "IRRECOVERABLE"
 * "NOT_DEFINED"


VALUEDENSITY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
valueDensity
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "DIFFUSE"
 * "CONCENTRATED"
 * "NOT_DEFINED"


VULNERABILITYRESPONSEEFFORT

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
vulnerabilityResponseEffort
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "LOW"
 * "MODERATE"
 * "HIGH"
 * "NOT_DEFINED"


PROVIDERURGENCY

root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 >
providerUrgency
Type: enum (of string) Default: "NOT_DEFINED"


MUST BE ONE OF:

 * "CLEAR"
 * "GREEN"
 * "AMBER"
 * "RED"
 * "NOT_DEFINED"


CVSSV3_1

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1
Type: object
No Additional Properties


VERSION REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
version
Type: enum (of string)


CVSS Version

MUST BE ONE OF:

 * "3.1"


VECTORSTRING REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
vectorString
Type: string
Must match regular expression:
^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$


ATTACKVECTOR

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
attackVector
Type: enum (of string)


MUST BE ONE OF:

 * "NETWORK"
 * "ADJACENT_NETWORK"
 * "LOCAL"
 * "PHYSICAL"


ATTACKCOMPLEXITY

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
attackComplexity
Type: enum (of string)


MUST BE ONE OF:

 * "HIGH"
 * "LOW"


PRIVILEGESREQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
privilegesRequired
Type: enum (of string)


MUST BE ONE OF:

 * "HIGH"
 * "LOW"
 * "NONE"


USERINTERACTION

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
userInteraction
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "REQUIRED"


SCOPE

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > scope
Type: enum (of string)


MUST BE ONE OF:

 * "UNCHANGED"
 * "CHANGED"


CONFIDENTIALITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
confidentialityImpact
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "HIGH"


INTEGRITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
integrityImpact
Type: enum (of string)
Same definition as confidentialityImpact


AVAILABILITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
availabilityImpact
Type: enum (of string)
Same definition as confidentialityImpact


BASESCORE REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
baseScore
Type: number


Value must be greater or equal to 0 and lesser or equal to 10


BASESEVERITY REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
baseSeverity
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "MEDIUM"
 * "HIGH"
 * "CRITICAL"


EXPLOITCODEMATURITY

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
exploitCodeMaturity
Type: enum (of string)


MUST BE ONE OF:

 * "UNPROVEN"
 * "PROOF_OF_CONCEPT"
 * "FUNCTIONAL"
 * "HIGH"
 * "NOT_DEFINED"


REMEDIATIONLEVEL

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
remediationLevel
Type: enum (of string)


MUST BE ONE OF:

 * "OFFICIAL_FIX"
 * "TEMPORARY_FIX"
 * "WORKAROUND"
 * "UNAVAILABLE"
 * "NOT_DEFINED"


REPORTCONFIDENCE

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
reportConfidence
Type: enum (of string)


MUST BE ONE OF:

 * "UNKNOWN"
 * "REASONABLE"
 * "CONFIRMED"
 * "NOT_DEFINED"


TEMPORALSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
temporalScore
Type: number
Same definition as baseScore


TEMPORALSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
temporalSeverity
Type: enum (of string)
Same definition as baseSeverity


CONFIDENTIALITYREQUIREMENT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
confidentialityRequirement
Type: enum (of string)


MUST BE ONE OF:

 * "LOW"
 * "MEDIUM"
 * "HIGH"
 * "NOT_DEFINED"


INTEGRITYREQUIREMENT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
integrityRequirement
Type: enum (of string)
Same definition as confidentialityRequirement


AVAILABILITYREQUIREMENT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
availabilityRequirement
Type: enum (of string)
Same definition as confidentialityRequirement


MODIFIEDATTACKVECTOR

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
modifiedAttackVector
Type: enum (of string)


MUST BE ONE OF:

 * "NETWORK"
 * "ADJACENT_NETWORK"
 * "LOCAL"
 * "PHYSICAL"
 * "NOT_DEFINED"


MODIFIEDATTACKCOMPLEXITY

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
modifiedAttackComplexity
Type: enum (of string)


MUST BE ONE OF:

 * "HIGH"
 * "LOW"
 * "NOT_DEFINED"


MODIFIEDPRIVILEGESREQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
modifiedPrivilegesRequired
Type: enum (of string)


MUST BE ONE OF:

 * "HIGH"
 * "LOW"
 * "NONE"
 * "NOT_DEFINED"


MODIFIEDUSERINTERACTION

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
modifiedUserInteraction
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "REQUIRED"
 * "NOT_DEFINED"


MODIFIEDSCOPE

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
modifiedScope
Type: enum (of string)


MUST BE ONE OF:

 * "UNCHANGED"
 * "CHANGED"
 * "NOT_DEFINED"


MODIFIEDCONFIDENTIALITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
modifiedConfidentialityImpact
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "HIGH"
 * "NOT_DEFINED"


MODIFIEDINTEGRITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
modifiedIntegrityImpact
Type: enum (of string)
Same definition as modifiedConfidentialityImpact


MODIFIEDAVAILABILITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
modifiedAvailabilityImpact
Type: enum (of string)
Same definition as modifiedConfidentialityImpact


ENVIRONMENTALSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
environmentalScore
Type: number
Same definition as baseScore


ENVIRONMENTALSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 >
environmentalSeverity
Type: enum (of string)
Same definition as baseSeverity


CVSSV3_0

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0
Type: object
No Additional Properties


VERSION REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
version
Type: enum (of string)


CVSS Version

MUST BE ONE OF:

 * "3.0"


VECTORSTRING REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
vectorString
Type: string
Must match regular expression:
^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$


ATTACKVECTOR

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
attackVector
Type: enum (of string)


MUST BE ONE OF:

 * "NETWORK"
 * "ADJACENT_NETWORK"
 * "LOCAL"
 * "PHYSICAL"


ATTACKCOMPLEXITY

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
attackComplexity
Type: enum (of string)


MUST BE ONE OF:

 * "HIGH"
 * "LOW"


PRIVILEGESREQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
privilegesRequired
Type: enum (of string)


MUST BE ONE OF:

 * "HIGH"
 * "LOW"
 * "NONE"


USERINTERACTION

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
userInteraction
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "REQUIRED"


SCOPE

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > scope
Type: enum (of string)


MUST BE ONE OF:

 * "UNCHANGED"
 * "CHANGED"


CONFIDENTIALITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
confidentialityImpact
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "HIGH"


INTEGRITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
integrityImpact
Type: enum (of string)
Same definition as confidentialityImpact


AVAILABILITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
availabilityImpact
Type: enum (of string)
Same definition as confidentialityImpact


BASESCORE REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
baseScore
Type: number


Value must be greater or equal to 0 and lesser or equal to 10


BASESEVERITY REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
baseSeverity
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "MEDIUM"
 * "HIGH"
 * "CRITICAL"


EXPLOITCODEMATURITY

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
exploitCodeMaturity
Type: enum (of string)


MUST BE ONE OF:

 * "UNPROVEN"
 * "PROOF_OF_CONCEPT"
 * "FUNCTIONAL"
 * "HIGH"
 * "NOT_DEFINED"


REMEDIATIONLEVEL

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
remediationLevel
Type: enum (of string)


MUST BE ONE OF:

 * "OFFICIAL_FIX"
 * "TEMPORARY_FIX"
 * "WORKAROUND"
 * "UNAVAILABLE"
 * "NOT_DEFINED"


REPORTCONFIDENCE

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
reportConfidence
Type: enum (of string)


MUST BE ONE OF:

 * "UNKNOWN"
 * "REASONABLE"
 * "CONFIRMED"
 * "NOT_DEFINED"


TEMPORALSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
temporalScore
Type: number
Same definition as baseScore


TEMPORALSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
temporalSeverity
Type: enum (of string)
Same definition as baseSeverity


CONFIDENTIALITYREQUIREMENT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
confidentialityRequirement
Type: enum (of string)


MUST BE ONE OF:

 * "LOW"
 * "MEDIUM"
 * "HIGH"
 * "NOT_DEFINED"


INTEGRITYREQUIREMENT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
integrityRequirement
Type: enum (of string)
Same definition as confidentialityRequirement


AVAILABILITYREQUIREMENT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
availabilityRequirement
Type: enum (of string)
Same definition as confidentialityRequirement


MODIFIEDATTACKVECTOR

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
modifiedAttackVector
Type: enum (of string)


MUST BE ONE OF:

 * "NETWORK"
 * "ADJACENT_NETWORK"
 * "LOCAL"
 * "PHYSICAL"
 * "NOT_DEFINED"


MODIFIEDATTACKCOMPLEXITY

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
modifiedAttackComplexity
Type: enum (of string)


MUST BE ONE OF:

 * "HIGH"
 * "LOW"
 * "NOT_DEFINED"


MODIFIEDPRIVILEGESREQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
modifiedPrivilegesRequired
Type: enum (of string)


MUST BE ONE OF:

 * "HIGH"
 * "LOW"
 * "NONE"
 * "NOT_DEFINED"


MODIFIEDUSERINTERACTION

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
modifiedUserInteraction
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "REQUIRED"
 * "NOT_DEFINED"


MODIFIEDSCOPE

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
modifiedScope
Type: enum (of string)


MUST BE ONE OF:

 * "UNCHANGED"
 * "CHANGED"
 * "NOT_DEFINED"


MODIFIEDCONFIDENTIALITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
modifiedConfidentialityImpact
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "HIGH"
 * "NOT_DEFINED"


MODIFIEDINTEGRITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
modifiedIntegrityImpact
Type: enum (of string)
Same definition as modifiedConfidentialityImpact


MODIFIEDAVAILABILITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
modifiedAvailabilityImpact
Type: enum (of string)
Same definition as modifiedConfidentialityImpact


ENVIRONMENTALSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
environmentalScore
Type: number
Same definition as baseScore


ENVIRONMENTALSEVERITY

root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 >
environmentalSeverity
Type: enum (of string)
Same definition as baseSeverity


CVSSV2_0

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0
Type: object
No Additional Properties


VERSION REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
version
Type: enum (of string)


CVSS Version

MUST BE ONE OF:

 * "2.0"


VECTORSTRING REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
vectorString
Type: string
Must match regular expression:
^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$


ACCESSVECTOR

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
accessVector
Type: enum (of string)


MUST BE ONE OF:

 * "NETWORK"
 * "ADJACENT_NETWORK"
 * "LOCAL"


ACCESSCOMPLEXITY

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
accessComplexity
Type: enum (of string)


MUST BE ONE OF:

 * "HIGH"
 * "MEDIUM"
 * "LOW"


AUTHENTICATION

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
authentication
Type: enum (of string)


MUST BE ONE OF:

 * "MULTIPLE"
 * "SINGLE"
 * "NONE"


CONFIDENTIALITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
confidentialityImpact
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "PARTIAL"
 * "COMPLETE"


INTEGRITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
integrityImpact
Type: enum (of string)
Same definition as confidentialityImpact


AVAILABILITYIMPACT

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
availabilityImpact
Type: enum (of string)
Same definition as confidentialityImpact


BASESCORE REQUIRED

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
baseScore
Type: number


Value must be greater or equal to 0 and lesser or equal to 10


EXPLOITABILITY

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
exploitability
Type: enum (of string)


MUST BE ONE OF:

 * "UNPROVEN"
 * "PROOF_OF_CONCEPT"
 * "FUNCTIONAL"
 * "HIGH"
 * "NOT_DEFINED"


REMEDIATIONLEVEL

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
remediationLevel
Type: enum (of string)


MUST BE ONE OF:

 * "OFFICIAL_FIX"
 * "TEMPORARY_FIX"
 * "WORKAROUND"
 * "UNAVAILABLE"
 * "NOT_DEFINED"


REPORTCONFIDENCE

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
reportConfidence
Type: enum (of string)


MUST BE ONE OF:

 * "UNCONFIRMED"
 * "UNCORROBORATED"
 * "CONFIRMED"
 * "NOT_DEFINED"


TEMPORALSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
temporalScore
Type: number
Same definition as baseScore


COLLATERALDAMAGEPOTENTIAL

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
collateralDamagePotential
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "LOW_MEDIUM"
 * "MEDIUM_HIGH"
 * "HIGH"
 * "NOT_DEFINED"


TARGETDISTRIBUTION

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
targetDistribution
Type: enum (of string)


MUST BE ONE OF:

 * "NONE"
 * "LOW"
 * "MEDIUM"
 * "HIGH"
 * "NOT_DEFINED"


CONFIDENTIALITYREQUIREMENT

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
confidentialityRequirement
Type: enum (of string)


MUST BE ONE OF:

 * "LOW"
 * "MEDIUM"
 * "HIGH"
 * "NOT_DEFINED"


INTEGRITYREQUIREMENT

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
integrityRequirement
Type: enum (of string)
Same definition as confidentialityRequirement


AVAILABILITYREQUIREMENT

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
availabilityRequirement
Type: enum (of string)
Same definition as confidentialityRequirement


ENVIRONMENTALSCORE

root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 >
environmentalScore
Type: number
Same definition as baseScore
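
The vectorString pattern for cvssV2_0 checks each metric's spelling but not that a metric appears only once, that all six base metrics are present, or that the vector agrees with the enum fields (accessVector, authentication, and so on) in the same object. The following is an added example, not part of the cve-schema project: a consistency check a consumer could run after schema validation. The abbreviation-to-enum mapping is taken from the CVSS v2 specification rather than from this page, the function name is hypothetical, and the sample objects are constructed.

```python
import re

# Pattern from the cvssV2_0 > vectorString entry on this page, split for readability.
METRIC = (r"(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|"
          r"RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|"
          r"TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))")
SCHEMA_PATTERN = re.compile(r"^(" + METRIC + r"/)*" + METRIC + r"$")

# Assumption (CVSS v2 specification, not this page): how vector abbreviations
# correspond to the enum values listed for each cvssV2_0 field.
IMPACT = {"N": "NONE", "P": "PARTIAL", "C": "COMPLETE"}
BASE_FIELDS = {
    "AV": ("accessVector", {"N": "NETWORK", "A": "ADJACENT_NETWORK", "L": "LOCAL"}),
    "AC": ("accessComplexity", {"H": "HIGH", "M": "MEDIUM", "L": "LOW"}),
    "Au": ("authentication", {"M": "MULTIPLE", "S": "SINGLE", "N": "NONE"}),
    "C": ("confidentialityImpact", IMPACT),
    "I": ("integrityImpact", IMPACT),
    "A": ("availabilityImpact", IMPACT),
}


def check_cvss_v2(metric):
    """Return a list of problems in one cvssV2_0 object; empty means consistent."""
    vector = metric.get("vectorString", "")
    # fullmatch rejects a trailing newline, which Python's "$" alone would allow.
    if not SCHEMA_PATTERN.fullmatch(vector):
        return ["vectorString does not match the schema pattern"]

    problems = []
    seen = {}
    for part in vector.split("/"):
        key, value = part.split(":", 1)
        if key in seen:
            # The schema pattern accepts this; a scorer would have to guess.
            problems.append(f"metric {key} appears more than once")
            continue
        seen[key] = value

    for key, (field, names) in BASE_FIELDS.items():
        if key not in seen:
            problems.append(f"base metric {key} missing from vectorString")
        elif field in metric and metric[field] != names[seen[key]]:
            problems.append(
                f"{field}={metric[field]!r} disagrees with {key}:{seen[key]}")
    return problems


# Constructed sample objects (not taken from any real CVE Record).
GOOD = {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
        "baseScore": 7.5, "accessVector": "NETWORK"}
DUPLICATE = {"version": "2.0", "vectorString": "AV:N/AV:L/AC:L/Au:N/C:P/I:P/A:P",
             "baseScore": 7.5}
MISMATCH = {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "baseScore": 7.5, "accessVector": "LOCAL"}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("DUPLICATE", DUPLICATE),
                         ("MISMATCH", MISMATCH)):
        print(name, check_cvss_v2(sample) or "consistent")
```
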


OTHER

root > oneOf > Published > containers > cna > metrics > items > other
Type: object


A non-standard impact description, may be prose or JSON block.

No Additional Properties


TYPE REQUIRED

root > oneOf > Published > containers > cna > metrics > items > other > type
Type: string


Name of the non-standard impact metrics format used.

Must be at least 1 characters long

Must be at most 128 characters long


CONTENT REQUIRED

root > oneOf > Published > containers > cna > metrics > items > other > content
Type: object


JSON object not covered by another metrics format.


CONFIGURATIONS

root > oneOf > Published > containers > cna > configurations
Type: array


Configurations required for exploiting this vulnerability.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > configurations > description
Type: object


Text in a particular language with optional alternate markup or formatted
representation (e.g., Markdown) or embedded media.

Same definition as description


WORKAROUNDS

root > oneOf > Published > containers > cna > workarounds
Type: array


Workarounds and mitigations for this vulnerability.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > workarounds > description
Type: object


Text in a particular language with optional alternate markup or formatted
representation (e.g., Markdown) or embedded media.

Same definition as description


SOLUTIONS

root > oneOf > Published > containers > cna > solutions
Type: array


Information about solutions or remediations available for this vulnerability.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > solutions > description
Type: object


Text in a particular language with optional alternate markup or formatted
representation (e.g., Markdown) or embedded media.

Same definition as description


EXPLOITS

root > oneOf > Published > containers > cna > exploits
Type: array


Information about exploits of the vulnerability.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > exploits > description
Type: object


Text in a particular language with optional alternate markup or formatted
representation (e.g., Markdown) or embedded media.

Same definition as description


TIMELINE

root > oneOf > Published > containers > cna > timeline
Type: array of object


This is timeline information for significant events about this vulnerability or
changes to the CVE Record.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > timeline > items
Type: object
No Additional Properties


TIME REQUIRED

root > oneOf > Published > containers > cna > timeline > items > time
Type: string


Timestamp representing when the event in the timeline occurred. The timestamp
format is based on RFC3339 and ISO8601, with an optional timezone.
yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00)
is assumed.

Same definition as dateUpdated


LANG REQUIRED

root > oneOf > Published > containers > cna > timeline > items > lang
Type: string Default: "en"


The language used in the description of the event. The language field is
included so that CVE Records can support translations. The value must be a BCP
47 language code.

Same definition as lang


VALUE REQUIRED

root > oneOf > Published > containers > cna > timeline > items > value
Type: string


A summary of the event.

Must be at least 1 characters long

Must be at most 4096 characters long


CREDITS

root > oneOf > Published > containers > cna > credits
Type: array of object


Statements acknowledging specific people, organizations, or tools recognizing
the work done in researching, discovering, remediating or helping with
activities related to this CVE.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > credits > items
Type: object
No Additional Properties


LANG REQUIRED

root > oneOf > Published > containers > cna > credits > items > lang
Type: string Default: "en"


The language used when describing the credits. The language field is included so
that CVE Records can support translations. The value must be a BCP 47 language
code.

Same definition as lang


VALUE REQUIRED

root > oneOf > Published > containers > cna > credits > items > value
Type: string


Must be at least 1 characters long

Must be at most 4096 characters long


USER

root > oneOf > Published > containers > cna > credits > items > user
Type: string


UUID of the user being credited if present in the CVE User Registry (optional).
This UUID can be used to lookup the user record in the user registry service.

Same definition as assignerOrgId


TYPE

root > oneOf > Published > containers > cna > credits > items > type
Type: enum (of string) Default: "finder"


Type or role of the entity being credited (optional).
finder: identifies the vulnerability.
reporter: notifies the vendor of the vulnerability to a CNA.
analyst: validates the vulnerability to ensure accuracy or severity.
coordinator: facilitates the coordinated response process.
remediation developer: prepares a code change or other remediation plans.
remediation reviewer: reviews vulnerability remediation plans or code changes
for effectiveness and completeness.
remediation verifier: tests and verifies the vulnerability or its remediation.
tool: names of tools used in vulnerability discovery or identification.
sponsor: supports the vulnerability identification or remediation activities.



MUST BE ONE OF:

 * "finder"
 * "reporter"
 * "analyst"
 * "coordinator"
 * "remediation developer"
 * "remediation reviewer"
 * "remediation verifier"
 * "tool"
 * "sponsor"
 * "other"


SOURCE

root > oneOf > Published > containers > cna > source
Type: object


This is the source information (who discovered it, who researched it, etc.) and
optionally a chain of CNA information (e.g. the originating CNA and subsequent
parent CNAs who have processed it before it arrives at the MITRE root).
Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF
this source entry is NOT in the root (e.g. it is part of a vendor statement)
then it must contain at least one type of data entry.


TAGS

root > oneOf > Published > containers > cna > tags
Type: array


Tags provided by a CNA describing the CVE Record.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > tags > items



ONE OF

 * tagExtension
 * cna-tags.json

root > oneOf > Published > containers > cna > tags > items > oneOf >
tagExtension
Type: string
Must match regular expression: ^x_.*$

Must be at least 2 characters long

Must be at most 128 characters long

root > oneOf > Published > containers > cna > tags > items > oneOf >
cna-tags.json
Type: enum (of string)


exclusively-hosted-service: All known software and/or hardware affected by this
CVE Record is known to exist only in the affected hosted service. If the
vulnerability affects both hosted and on-prem software and/or hardware, then the
tag should not be used.

unsupported-when-assigned: Used by the assigning CNA to indicate that when a
request for a CVE assignment was received, the product was already end-of-life
(EOL) or a product or specific version was deemed not to be supported by the
vendor. This tag should only be applied to a CVE Record when all affected
products or version lines referenced in the CVE Record are EOL.

disputed: When one party disagrees with another party's assertion that a
particular issue in software is a vulnerability, a CVE Record assigned to that
issue may be tagged as being 'disputed'.



MUST BE ONE OF:

 * "unsupported-when-assigned"
 * "exclusively-hosted-service"
 * "disputed"


TAXONOMYMAPPINGS

root > oneOf > Published > containers > cna > taxonomyMappings
Type: array of object


List of taxonomy items related to the vulnerability.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > taxonomyMappings > items
Type: object


A taxonomy mapping object identifies the taxonomy by a name and version (e.g.,
ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to
this CVE.

No Additional Properties


TAXONOMYNAME REQUIRED

root > oneOf > Published > containers > cna > taxonomyMappings > items >
taxonomyName
Type: string


The name of the taxonomy, e.g., ATT&CK, D3FEND, CWE, CVSS

Must be at least 1 characters long

Must be at most 128 characters long


TAXONOMYVERSION

root > oneOf > Published > containers > cna > taxonomyMappings > items >
taxonomyVersion
Type: string


The version of taxonomy the identifiers come from.

Must be at least 1 characters long

Must be at most 128 characters long


TAXONOMYRELATIONS REQUIRED

root > oneOf > Published > containers > cna > taxonomyMappings > items >
taxonomyRelations
Type: array of object


List of relationships to the taxonomy for the vulnerability.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > cna > taxonomyMappings > items >
taxonomyRelations > items
Type: object


A relationship between the taxonomy and the CVE or two taxonomy items.

No Additional Properties


TAXONOMYID REQUIRED

root > oneOf > Published > containers > cna > taxonomyMappings > items >
taxonomyRelations > items > taxonomyId
Type: string


Identifier of the item in the taxonomy. Used as the subject of the relationship.

Must be at least 1 characters long

Must be at most 2048 characters long


RELATIONSHIPNAME REQUIRED

root > oneOf > Published > containers > cna > taxonomyMappings > items >
taxonomyRelations > items > relationshipName
Type: string


A description of the relationship.

Must be at least 1 characters long

Must be at most 128 characters long


RELATIONSHIPVALUE REQUIRED

root > oneOf > Published > containers > cna > taxonomyMappings > items >
taxonomyRelations > items > relationshipValue
Type: string


The target of the relationship. Can be the CVE ID or another taxonomy
identifier.

Must be at least 1 characters long

Must be at most 2048 characters long


^x_[^.]*$ PATTERN PROPERTY

All property whose name matches the following regular expression must respect
the following conditions

Property name regular expression: ^x_[^.]*$

root > oneOf > Published > containers > cna > ^x_[^.]*$
Type: object



ADP

root > oneOf > Published > containers > adp
Type: array


Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > adp > adpContainer
Type: object


An object containing the vulnerability information provided by an Authorized
Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID,
an ADP container must indicate which ADP is the source of the information in the
object.

No Additional Properties


PROVIDERMETADATA REQUIRED

root > oneOf > Published > containers > adp > items > providerMetadata
Type: object


Details related to the information container provider (CNA or ADP).

Same definition as providerMetadata


DATEPUBLIC

root > oneOf > Published > containers > adp > items > datePublic
Type: string


If known, the date/time the vulnerability was disclosed publicly.

Same definition as dateUpdated


TITLE

root > oneOf > Published > containers > adp > items > title
Type: string


A title, headline, or a brief phrase summarizing the information in an ADP
container.

Must be at least 1 characters long

Must be at most 256 characters long


DESCRIPTIONS

root > oneOf > Published > containers > adp > items > descriptions
Type: array


A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE]
in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER]
to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT
CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR].

Same definition as descriptions


AFFECTED

root > oneOf > Published > containers > adp > items > affected
Type: array


List of affected products.

Same definition as affected


PROBLEMTYPES

root > oneOf > Published > containers > adp > items > problemTypes
Type: array of object


This is problem type information (e.g. CWE identifier). Must contain at least
one entry, which can be text, OWASP, or CWE. While only one is required, you
can use more than one (or indeed all three) as long as they are correct.
(CNA requirement: [PROBLEMTYPE]).

Same definition as problemTypes


REFERENCES

root > oneOf > Published > containers > adp > items > references
Type: array


This is reference data in the form of URLs or file objects (uuencoded and
embedded within the JSON file, exact format to be decided, e.g. we may require a
compressed format so the objects require unpacking before they are "dangerous").

Same definition as references


IMPACTS

root > oneOf > Published > containers > adp > items > impacts
Type: array of object


Collection of impacts of this vulnerability.

Same definition as impacts


METRICS

root > oneOf > Published > containers > adp > items > metrics
Type: array of object


Collection of impact scores with attribution.

Same definition as metrics


CONFIGURATIONS

root > oneOf > Published > containers > adp > items > configurations
Type: array


Configurations required for exploiting this vulnerability.

Same definition as configurations


WORKAROUNDS

root > oneOf > Published > containers > adp > items > workarounds
Type: array


Workarounds and mitigations for this vulnerability.

Same definition as workarounds


SOLUTIONS

root > oneOf > Published > containers > adp > items > solutions
Type: array


Information about solutions or remediations available for this vulnerability.

Same definition as solutions


EXPLOITS

root > oneOf > Published > containers > adp > items > exploits
Type: array


Information about exploits of the vulnerability.

Same definition as exploits


TIMELINE

root > oneOf > Published > containers > adp > items > timeline
Type: array of object


This is timeline information for significant events about this vulnerability or
changes to the CVE Record.

Same definition as timeline


CREDITS

root > oneOf > Published > containers > adp > items > credits
Type: array of object


Statements acknowledging specific people, organizations, or tools recognizing
the work done in researching, discovering, remediating or helping with
activities related to this CVE.

Same definition as credits


SOURCE

root > oneOf > Published > containers > adp > items > source
Type: object


This is the source information (who discovered it, who researched it, etc.) and
optionally a chain of CNA information (e.g. the originating CNA and subsequent
parent CNAs who have processed it before it arrives at the MITRE root).
Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF
this source entry is NOT in the root (e.g. it is part of a vendor statement)
then it must contain at least one type of data entry.

Same definition as source


TAGS

root > oneOf > Published > containers > adp > items > tags
Type: array


Tags provided by an ADP describing the CVE Record.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Published > containers > adp > items > tags > items



ONE OF

 * tagExtension
 * adp-tags.json

root > oneOf > Published > containers > adp > items > tags > items > oneOf >
tagExtension
Type: string
Same definition as tagExtension

root > oneOf > Published > containers > adp > items > tags > items > oneOf >
adp-tags.json
Type: enum (of string)


disputed: When one party disagrees with another party's assertion that a
particular issue in software is a vulnerability, a CVE Record assigned to that
issue may be tagged as being 'disputed'.

MUST BE ONE OF:

 * "disputed"


TAXONOMYMAPPINGS

root > oneOf > Published > containers > adp > items > taxonomyMappings
Type: array of object


List of taxonomy items related to the vulnerability.

Same definition as taxonomyMappings


^x_[^.]*$ PATTERN PROPERTY

All property whose name matches the following regular expression must respect
the following conditions

Property name regular expression: ^x_[^.]*$

root > oneOf > Published > containers > adp > items > ^x_[^.]*$
Type: object

root > oneOf > Rejected
Type: object


If the CVE ID and associated CVE Record should no longer be used, the CVE Record
is placed in the Rejected state. A Rejected CVE Record remains on the CVE List
so that users can know when it is invalid.

No Additional Properties


DATATYPE REQUIRED

root > oneOf > Rejected > dataType
Type: enum (of string)


Indicates the type of information represented in the JSON instance.

Same definition as dataType


DATAVERSION REQUIRED

root > oneOf > Rejected > dataVersion
Type: string Default: "5.1.0"


The version of the CVE schema used for validating this record. Used to support
multiple versions of this format.

Same definition as dataVersion


CVEMETADATA REQUIRED

root > oneOf > Rejected > cveMetadata
Type: object


This is meta data about the CVE ID such as the CVE ID, who requested it, who
assigned it, when it was requested, the current state (PUBLISHED, REJECTED,
etc.) and so on. These fields are controlled by the CVE Services.

No Additional Properties


CVEID REQUIRED

root > oneOf > Rejected > cveMetadata > cveId
Type: string


The CVE identifier that this record pertains to.

Same definition as cveId


ASSIGNERORGID REQUIRED

root > oneOf > Rejected > cveMetadata > assignerOrgId
Type: string


The UUID for the organization to which the CVE ID was originally assigned.

Same definition as assignerOrgId


ASSIGNERSHORTNAME

root > oneOf > Rejected > cveMetadata > assignerShortName
Type: string


The short name for the organization to which the CVE ID was originally assigned.

Same definition as assignerShortName


SERIAL

root > oneOf > Rejected > cveMetadata > serial
Type: integer


The system of record causes this to start at 1, and increment by 1 each time a
submission from a data provider changes this CVE Record. The incremented value
moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to
the Published schema upon a REJECTED->PUBLISHED transition.

Value must be greater or equal to 1


DATEUPDATED

root > oneOf > Rejected > cveMetadata > dateUpdated
Type: string


The date/time the record was last updated.

Same definition as dateUpdated


DATEPUBLISHED

root > oneOf > Rejected > cveMetadata > datePublished
Type: string


The date/time the CVE Record was first published in the CVE List.

Same definition as dateUpdated


DATEREJECTED

root > oneOf > Rejected > cveMetadata > dateRejected
Type: string


The date/time the CVE ID was rejected.

Same definition as dateUpdated


STATE REQUIRED

root > oneOf > Rejected > cveMetadata > state
Type: enum (of string)


State of CVE - PUBLISHED, REJECTED.

MUST BE ONE OF:

 * "REJECTED"


DATERESERVED

root > oneOf > Rejected > cveMetadata > dateReserved
Type: string


The date/time this CVE ID was reserved in the CVE automation workgroup services
system. Disclaimer: This date reflects when the CVE ID was reserved, and does
not necessarily indicate when this vulnerability was discovered, shared with the
affected vendor, publicly disclosed, or updated in CVE.

Same definition as dateUpdated


CONTAINERS REQUIRED

root > oneOf > Rejected > containers
Type: object


A set of structures (called containers) used to store vulnerability information
related to a specific CVE ID provided by a specific organization participating
in the CVE program. Each container includes information provided by a different
source.

At minimum, a 'cna' container containing the vulnerability information provided
by the CNA who initially assigned the CVE ID must be included.

There can only be one 'cna' container, as there can only be one assigning CNA.


No Additional Properties


CNA REQUIRED

root > oneOf > Rejected > containers > cna
Type: object


An object containing the vulnerability information provided by a CVE Numbering
Authority (CNA) for a rejected CVE ID. There can only be one CNA container per
CVE record since there can only be one assigning CNA.

No Additional Properties


PROVIDERMETADATA REQUIRED

root > oneOf > Rejected > containers > cna > providerMetadata
Type: object


Details related to the information container provider (CNA or ADP).

Same definition as providerMetadata


REJECTEDREASONS REQUIRED

root > oneOf > Rejected > containers > cna > rejectedReasons
Type: array


Reasons for rejecting this CVE Record.

Same definition as descriptions


REPLACEDBY

root > oneOf > Rejected > containers > cna > replacedBy
Type: array


Contains an array of CVE IDs that this CVE ID was rejected in favor of because
this CVE ID was assigned to the vulnerabilities.

Must contain a minimum of 1 items

All items must be unique

EACH ITEM OF THIS ARRAY MUST BE:

root > oneOf > Rejected > containers > cna > replacedBy > cveId
Type: string
Same definition as cveId


^x_[^.]*$ PATTERN PROPERTY

All property whose name matches the following regular expression must respect
the following conditions

Property name regular expression: ^x_[^.]*$

root > oneOf > Rejected > containers > cna > ^x_[^.]*$
Type: object


Generated using json-schema-for-humans on 2023-11-06 at 11:39:34 -0800