cveproject.github.io
2606:50c0:8001::153
Public Scan
Submitted URL: https://cveproject.github.io/cve-schema/schema/docs/#oneOf_i0_containers_cna_tags_items_oneOf_i0
Effective URL: https://cveproject.github.io/cve-schema/schema/docs/
Submission: On July 16 via api from TR — Scanned from DE
Form analysis
0 forms found in the DOM
Text Content
CVE JSON RECORD FORMAT cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at the official website. This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema here. ONE OF * Published * Rejected root > oneOf > Published Type: object When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. No Additional Properties DATATYPE REQUIRED root > oneOf > Published > dataType Type: enum (of string) Indicates the type of information represented in the JSON instance. MUST BE ONE OF: * "CVE_RECORD" DATAVERSION REQUIRED root > oneOf > Published > dataVersion Type: string Default: "5.1.0" The version of the CVE schema used for validating this record. Used to support multiple versions of this format. Must match regular expression: ^5\.(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))?$ CVEMETADATA REQUIRED root > oneOf > Published > cveMetadata Type: object This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services. No Additional Properties CVEID REQUIRED root > oneOf > Published > cveMetadata > cveId Type: string The CVE identifier that this record pertains to. 
Must match regular expression: ^CVE-[0-9]{4}-[0-9]{4,19}$ ASSIGNERORGID REQUIRED root > oneOf > Published > cveMetadata > assignerOrgId Type: string The UUID for the organization to which the CVE ID was originally assigned. This UUID can be used to lookup the organization record in the user registry service. Must match regular expression: ^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$ ASSIGNERSHORTNAME root > oneOf > Published > cveMetadata > assignerShortName Type: string The short name for the organization to which the CVE ID was originally assigned. Must be at least 2 characters long Must be at most 32 characters long REQUESTERUSERID root > oneOf > Published > cveMetadata > requesterUserId Type: string The user that requested the CVE identifier. Same definition as assignerOrgId DATEUPDATED root > oneOf > Published > cveMetadata > dateUpdated Type: string The date/time the record was last updated. Must match regular expression: ^(((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30)))T(2[0-3]|[01][0-9]):([0-5][0-9]):([0-5][0-9])(\.[0-9]+)?(Z|[+-][0-9]{2}:[0-9]{2})?$ SERIAL root > oneOf > Published > cveMetadata > serial Type: integer The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition. Value must be greater or equal to 1 DATERESERVED root > oneOf > Published > cveMetadata > dateReserved Type: string The date/time this CVE ID was reserved in the CVE automation workgroup services system. 
Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. Same definition as dateUpdated DATEPUBLISHED root > oneOf > Published > cveMetadata > datePublished Type: string The date/time the CVE Record was first published in the CVE List. Same definition as dateUpdated STATE REQUIRED root > oneOf > Published > cveMetadata > state Type: enum (of string) State of CVE - PUBLISHED, REJECTED. MUST BE ONE OF: * "PUBLISHED" CONTAINERS REQUIRED root > oneOf > Published > containers Type: object A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source. At a minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included. There can only be one 'cna' container, as there can only be one assigning CNA. However, there can be multiple 'adp' containers, allowing multiple organizations participating in the CVE program to add additional information related to the vulnerability. For the most part, the 'cna' and 'adp' containers contain the same properties. The main differences are the source of the information. The 'cna' container requires the CNA to include certain fields, while the 'adp' container does not. No Additional Properties CNA REQUIRED root > oneOf > Published > containers > cna Type: object An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference. 
No Additional Properties PROVIDERMETADATA REQUIRED root > oneOf > Published > containers > cna > providerMetadata Type: object Details related to the information container provider (CNA or ADP). No Additional Properties ORGID REQUIRED root > oneOf > Published > containers > cna > providerMetadata > orgId Type: string The container provider's organizational UUID. Same definition as assignerOrgId SHORTNAME root > oneOf > Published > containers > cna > providerMetadata > shortName Type: string The container provider's organizational short name. Same definition as assignerShortName DATEUPDATED root > oneOf > Published > containers > cna > providerMetadata > dateUpdated Type: string Timestamp to be set by the system of record at time of submission. If dateUpdated is provided to the system of record it will be replaced by the current timestamp at the time of submission. Same definition as dateUpdated DATEASSIGNED root > oneOf > Published > containers > cna > dateAssigned Type: string The date/time this CVE ID was associated with a vulnerability by a CNA. Same definition as dateUpdated DATEPUBLIC root > oneOf > Published > containers > cna > datePublic Type: string If known, the date/time the vulnerability was disclosed publicly. Same definition as dateUpdated TITLE root > oneOf > Published > containers > cna > title Type: string A title, headline, or a brief phrase summarizing the CVE record. Eg., Buffer overflow in Example Soft. Must be at least 1 characters long Must be at most 256 characters long DESCRIPTIONS REQUIRED root > oneOf > Published > containers > cna > descriptions Type: array A list of multi-lingual descriptions of the vulnerability. E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR]. 
Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > descriptions > description Type: object Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media. No Additional Properties LANG REQUIRED root > oneOf > Published > containers > cna > descriptions > items > lang Type: string Default: "en" BCP 47 language code, language-region. Must match regular expression: ^[A-Za-z]{2,4}([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$ VALUE REQUIRED root > oneOf > Published > containers > cna > descriptions > items > value Type: string Plain text description. Must be at least 1 characters long Must be at most 4096 characters long SUPPORTINGMEDIA root > oneOf > Published > containers > cna > descriptions > items > supportingMedia Type: array of object Supporting media data for the description such as markdown, diagrams, .. (optional). Similar to RFC 2397 each media object has three main parts: media type, media data value, and an optional boolean flag to indicate if the media data is base64 encoded. Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > descriptions > items > supportingMedia > items Type: object No Additional Properties TYPE REQUIRED root > oneOf > Published > containers > cna > descriptions > items > supportingMedia > items > type Type: string RFC2046 compliant IANA Media type for eg., text/markdown, text/html. Must be at least 1 characters long Must be at most 256 characters long Examples: "text/markdown" "text/html" "image/png" "image/svg" "audio/mp3" BASE64 root > oneOf > Published > containers > cna > descriptions > items > supportingMedia > items > base64 Type: boolean Default: false If true then the value field contains the media data encoded in base64. If false then the value field contains the UTF-8 media content. 
VALUE REQUIRED root > oneOf > Published > containers > cna > descriptions > items > supportingMedia > items > value Type: string Supporting media content, up to 16K. If base64 is true, this field stores base64 encoded data. Must be at least 1 characters long Must be at most 16384 characters long AT LEAST ONE OF THE ITEMS MUST BE: root > oneOf > Published > containers > cna > descriptions > englishLanguageDescription Type: object A description with lang set to an English language (en, enUS, enUK, and so on). LANG REQUIRED root > oneOf > Published > containers > cna > descriptions > contains > lang Type: string BCP 47 language code, language-region, required to be English. Must match regular expression: ^en([_-][A-Za-z]{4})?([_-]([A-Za-z]{2}|[0-9]{3}))?$ AFFECTED REQUIRED root > oneOf > Published > containers > cna > affected Type: array List of affected products. Must contain a minimum of 1 items EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > affected > product Type: object Provides information about the set of products and services affected by this vulnerability. 
ALL OF * Requirement 1 * Requirement 2 root > oneOf > Published > containers > cna > affected > items > allOf > item 0 ANY OF * Option 1 * Option 2 root > oneOf > Published > containers > cna > affected > items > allOf > item 0 > anyOf > item 0 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * product * vendor root > oneOf > Published > containers > cna > affected > items > allOf > item 0 > anyOf > item 1 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * packageName * collectionURL root > oneOf > Published > containers > cna > affected > items > allOf > item 1 ANY OF * Option 1 * Option 2 root > oneOf > Published > containers > cna > affected > items > allOf > item 1 > anyOf > item 0 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * versions root > oneOf > Published > containers > cna > affected > items > allOf > item 1 > anyOf > item 1 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * defaultStatus VENDOR root > oneOf > Published > containers > cna > affected > items > vendor Type: string Name of the organization, project, community, individual, or user that created or maintains this product or hosted service. Can be 'N/A' if none of those apply. When collectionURL and packageName are used, this field may optionally represent the user or account within the package collection associated with the package. Must be at least 1 characters long Must be at most 512 characters long PRODUCT root > oneOf > Published > containers > cna > affected > items > product Type: string Name of the affected product. Must be at least 1 characters long Must be at most 2048 characters long COLLECTIONURL root > oneOf > Published > containers > cna > affected > items > collectionURL Type: string URL identifying a package collection (determines the meaning of packageName). 
Must be at least 1 characters long Must be at most 2048 characters long Examples: "https://access.redhat.com/downloads/content/package-browser" "https://addons.mozilla.org" "https://addons.thunderbird.net" "https://anaconda.org/anaconda/repo" "https://app.vagrantup.com/boxes/search" "https://apps.apple.com" "https://archlinux.org/packages" "https://atmospherejs.meteor.com" "https://atom.io/packages" "https://bitbucket.org" "https://bower.io" "https://brew.sh/" "https://chocolatey.org/packages" "https://chrome.google.com/webstore" "https://clojars.org" "https://cocoapods.org" "https://code.dlang.org" "https://conan.io/center" "https://cpan.org/modules" "https://cran.r-project.org" "https://crates.io" "https://ctan.org/pkg" "https://drupal.org" "https://exchange.adobe.com" "https://forge.puppet.com/modules" "https://github.com" "https://gitlab.com/explore" "https://golang.org/pkg" "https://guix.gnu.org/packages" "https://hackage.haskell.org" "https://helm.sh" "https://hub.docker.com" "https://juliahub.com" "https://lib.haxe.org" "https://luarocks.org" "https://marketplace.visualstudio.com" "https://melpa.org" "https://microsoft.com/en-us/store/apps" "https://nimble.directory" "https://nuget.org/packages" "https://opam.ocaml.org/packages" "https://openwrt.org/packages/index" "https://package.elm-lang.org" "https://packagecontrol.io" "https://packages.debian.org" "https://packages.gentoo.org" "https://packagist.org" "https://pear.php.net/packages.php" "https://pecl.php.net" "https://platformio.org/lib" "https://play.google.com/store" "https://plugins.gradle.org" "https://projects.eclipse.org" "https://pub.dev" "https://pypi.python.org" "https://registry.npmjs.org" "https://registry.terraform.io" "https://repo.hex.pm" "https://repo.maven.apache.org/maven2" "https://rubygems.org" "https://search.nixos.org/packages" "https://sourceforge.net" "https://wordpress.org/plugins" PACKAGENAME root > oneOf > Published > containers > cna > affected > items > packageName Type: 
string Name or identifier of the affected software package as used in the package collection. Must be at least 1 characters long Must be at most 2048 characters long CPES root > oneOf > Published > containers > cna > affected > items > cpes Type: array of string Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as "Product X between versions 10.2 and 10.8" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here. All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > affected > items > cpes > CPE Name Type: string Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format Must match regular expression: ([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\-~%]*){0,6})|(cpe:2\.3:[aho*\-](:(((\?*|\*?)([a-zA-Z0-9\-._]|(\\[\\*?!"#$%&'()+,/:;<=>@\[\]\^`{|}~]))+(\?*|\*?))|[*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-._]|(\\[\\*?!"#$%&'()+,/:;<=>@\[\]\^`{|}~]))+(\?*|\*?))|[*\-])){4}) Must be at least 1 characters long Must be at most 2048 characters long MODULES root > oneOf > Published > containers > cna > affected > items > modules Type: array of string A list of the affected components, features, modules, sub-components, sub-products, APIs, commands, utilities, programs, or functionalities (optional). 
All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > affected > items > modules > items Type: string Name of the affected component, feature, module, sub-component, sub-product, API, command, utility, program, or functionality (optional). Must be at least 1 characters long Must be at most 4096 characters long PROGRAMFILES root > oneOf > Published > containers > cna > affected > items > programFiles Type: array of string A list of the affected source code files (optional). All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > affected > items > programFiles > items Type: string Name or path or location of the affected source code file. Must be at least 1 characters long Must be at most 1024 characters long PROGRAMROUTINES root > oneOf > Published > containers > cna > affected > items > programRoutines Type: array of object A list of the affected source code functions, methods, subroutines, or procedures (optional). All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > affected > items > programRoutines > items Type: object An object describing program routine. No Additional Properties NAME REQUIRED root > oneOf > Published > containers > cna > affected > items > programRoutines > items > name Type: string Name of the affected source code file, function, method, subroutine, or procedure. Must be at least 1 characters long Must be at most 4096 characters long PLATFORMS root > oneOf > Published > containers > cna > affected > items > platforms Type: array of string List of specific platforms if the vulnerability is only relevant in the context of these platforms (optional). Platforms may include execution environments, operating systems, virtualization technologies, hardware models, or computing architectures. The lack of this field or an empty array implies that the other fields are applicable to all relevant platforms. 
Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > affected > items > platforms > items Type: string Must be at most 1024 characters long Examples: "iOS" "Android" "Windows" "macOS" "x86" "ARM" "64 bit" "Big Endian" "iPad" "Chromebook" "Docker" "Model T" REPO root > oneOf > Published > containers > cna > affected > items > repo Type: string The URL of the source code repository, for informational purposes and/or to resolve git hash version ranges. Same definition as collectionURL DEFAULTSTATUS root > oneOf > Published > containers > cna > affected > items > defaultStatus Type: enum (of string) The default status for versions that are not otherwise listed in the versions list. If not specified, defaultStatus defaults to 'unknown'. Versions or defaultStatus may be omitted, but not both. MUST BE ONE OF: * "affected" * "unaffected" * "unknown" VERSIONS root > oneOf > Published > containers > cna > affected > items > versions Type: array of object Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules 8.1.2 requirement. Versions or defaultStatus may be omitted, but not both. Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > affected > items > versions > items A single version or a range of versions, with vulnerability status. An entry with only 'version' and 'status' indicates the status of a single version. Otherwise, an entry describes a range; it must include the 'versionType' property, to define the version numbering semantics in use, and 'limit', to indicate the non-inclusive upper limit of the range. The object describes the status for versions V such that 'version' <= V and V < 'limit', using the <= and < semantics defined for the specific kind of 'versionType'. Status changes within the range can be specified by an optional 'changes' list. 
The algorithm to decide the status specified for a version V is:

    for entry in product.versions {
        if entry.lessThan is not present and entry.lessThanOrEqual is not present and v == entry.version {
            return entry.status
        }
        if (entry.lessThan is present and entry.version <= v and v < entry.lessThan) or
           (entry.lessThanOrEqual is present and entry.version <= v and v <= entry.lessThanOrEqual) {
            // <= and < defined by entry.versionType
            status = entry.status
            for change in entry.changes {
                if change.at <= v {
                    status = change.status
                }
            }
            return status
        }
    }
    return product.defaultStatus

No Additional Properties ONE OF * Option 1 * Option 2 * Option 3 * Option 4 root > oneOf > Published > containers > cna > affected > items > versions > items > oneOf > item 0 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * version * status root > oneOf > Published > containers > cna > affected > items > versions > items > oneOf > item 1 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * version * versionType * status root > oneOf > Published > containers > cna > affected > items > versions > items > oneOf > item 2 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * lessThan * version * versionType * status root > oneOf > Published > containers > cna > affected > items > versions > items > oneOf > item 3 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * lessThanOrEqual * version * versionType * status VERSION root > oneOf > Published > containers > cna > affected > items > versions > items > version Type: string The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version. Must be at least 1 characters long Must be at most 1024 characters long STATUS root > oneOf > Published > containers > cna > affected > items > versions > items > status Type: enum (of string) The vulnerability status for the version or range of versions. For a range, the status may be refined by the 'changes' list. 
Same definition as defaultStatus VERSIONTYPE root > oneOf > Published > containers > cna > affected > items > versions > items > versionType Type: string The version numbering system used for specifying the range. This defines the exact semantics of the comparison (less-than) operation on versions, which is required to understand the range itself. 'Custom' indicates that the version type is unspecified and should be avoided whenever possible. It is included primarily for use in conversion of older data files. Must be at least 1 characters long Must be at most 128 characters long Examples: "custom" "git" "maven" "python" "rpm" "semver" LESSTHAN root > oneOf > Published > containers > cna > affected > items > versions > items > lessThan Type: string The non-inclusive upper limit of the range. This is the least version NOT in the range. The usual version syntax is expanded to allow a pattern to end in an asterisk (*), indicating an arbitrarily large number in the version ordering. For example, {version: 1.0 lessThan: 1.*} would describe the entire 1.X branch for most range kinds, and {version: 2.0, lessThan: *} describes all versions starting at 2.0, including 3.0, 5.1, and so on. Only one of lessThan and lessThanOrEqual should be specified. Same definition as version LESSTHANOREQUAL root > oneOf > Published > containers > cna > affected > items > versions > items > lessThanOrEqual Type: string The inclusive upper limit of the range. This is the greatest version contained in the range. Only one of lessThan and lessThanOrEqual should be specified. For example, {version: 1.0, lessThanOrEqual: 1.3} covers all versions from 1.0 up to and including 1.3. Same definition as version CHANGES root > oneOf > Published > containers > cna > affected > items > versions > items > changes Type: array of object A list of status changes that take place during the range. 
The array should be sorted in increasing order by the 'at' field, according to the versionType, but clients must re-sort the list themselves rather than assume it is sorted. Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > affected > items > versions > items > changes > items Type: object The start of a single status change during the range. No Additional Properties AT REQUIRED root > oneOf > Published > containers > cna > affected > items > versions > items > changes > items > at Type: string The version at which a status change occurs. Same definition as version STATUS REQUIRED root > oneOf > Published > containers > cna > affected > items > versions > items > changes > items > status Type: enum (of string) The new status in the range starting at the given version. Same definition as defaultStatus PROBLEMTYPES root > oneOf > Published > containers > cna > problemTypes Type: array of object This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct). (CNA requirement: [PROBLEMTYPE]). Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > problemTypes > items Type: object No Additional Properties DESCRIPTIONS REQUIRED root > oneOf > Published > containers > cna > problemTypes > items > descriptions Type: array of object Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items Type: object No Additional Properties LANG REQUIRED root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items > lang Type: string Default: "en" BCP 47 language code, language-region. 
Same definition as lang DESCRIPTION REQUIRED root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items > description Type: string Text description of problemType, or title from CWE or OWASP. Must be at least 1 characters long Must be at most 4096 characters long CWEID root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items > cweId Type: string CWE ID of the CWE that best describes this problemType entry. Must match regular expression: ^CWE-[1-9][0-9]*$ Must be at least 5 characters long Must be at most 9 characters long TYPE root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items > type Type: string Problemtype source, text, OWASP, CWE, etc., Must be at least 1 characters long Must be at most 128 characters long REFERENCES root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items > references Type: array This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous"). Same definition as references REFERENCES REQUIRED root > oneOf > Published > containers > cna > references Type: array This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous"). 
Must contain a minimum of 1 items Must contain a maximum of 512 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items > references > reference Type: object No Additional Properties URL REQUIRED root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items > references > items > url Type: string The uniform resource locator (URL), according to RFC 3986, that can be used to retrieve the referenced resource. Same definition as collectionURL NAME root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items > references > items > name Type: string User created name for the reference, often the title of the page. Must be at least 1 characters long Must be at most 512 characters long TAGS root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items > references > items > tags Type: array An array of one or more tags that describe the resource referenced by 'url'. Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items > references > items > tags > items ONE OF * tagExtension * reference-tags.json root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items > references > items > tags > items > oneOf > tagExtension Type: string Same definition as tagExtension root > oneOf > Published > containers > cna > problemTypes > items > descriptions > items > references > items > tags > items > oneOf > reference-tags.json Type: enum (of string) broken-link: The reference link is returning a 404 error, or the site is no longer online. customer-entitlement: Similar to Privileges Required, but specific to references that require non-public/paid access for customers of the particular vendor. 
exploit: Reference contains an in-depth/detailed description of steps to exploit a vulnerability OR the reference contains any legitimate Proof of Concept (PoC) code or exploit kit. government-resource: All reference links that are from a government agency or organization should be given the Government Resource tag. issue-tracking: The reference is a post from a bug tracking tool such as MantisBT, Bugzilla, JIRA, Github Issues, etc... mailing-list: The reference is from a mailing list -- often specific to a product or vendor. mitigation: The reference contains information on steps to mitigate against the vulnerability in the event a patch can't be applied or is unavailable or for EOL product situations. not-applicable: The reference link is not applicable to the vulnerability and was likely associated by MITRE accidentally (should be used sparingly). patch: The reference contains an update to the software that fixes the vulnerability. permissions-required: The reference link provided is blocked by a logon page. If credentials are required to see any information this tag must be applied. media-coverage: The reference is from a media outlet such as a newspaper, magazine, social media, or weblog. This tag is not intended to apply to any individual's personal social media account. It is strictly intended for public media entities. product: A reference appropriate for describing a product for the purpose of CPE or SWID. related: A reference that is for a related (but not the same) vulnerability. release-notes: The reference is in the format of a vendor or open source project's release notes or change log. signature: The reference contains a method to detect or prevent the presence or exploitation of the vulnerability. technical-description: The reference contains in-depth technical information about a vulnerability and its exploitation process, typically in the form of a presentation or whitepaper. 
third-party-advisory: Advisory is from an organization that is not the vulnerable product's vendor/publisher/maintainer. vendor-advisory: Advisory is from the vendor/publisher/maintainer of the product or the parent organization. vdb-entry: VDBs are loosely defined as sites that provide information about this vulnerability, such as advisories, with identifiers. Included VDBs are free to access, substantially public, and have broad scope and coverage (not limited to a single vendor or research organization). See: https://www.first.org/global/sigs/vrdx/vdb-catalog MUST BE ONE OF: * "broken-link" * "customer-entitlement" * "exploit" * "government-resource" * "issue-tracking" * "mailing-list" * "mitigation" * "not-applicable" * "patch" * "permissions-required" * "media-coverage" * "product" * "related" * "release-notes" * "signature" * "technical-description" * "third-party-advisory" * "vendor-advisory" * "vdb-entry" IMPACTS root > oneOf > Published > containers > cna > impacts Type: array of object Collection of impacts of this vulnerability. Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > impacts > items Type: object This is impact type information (e.g. a text description. No Additional Properties CAPECID root > oneOf > Published > containers > cna > impacts > items > capecId Type: string CAPEC ID that best relates to this impact. Must match regular expression: ^CAPEC-[1-9][0-9]{0,4}$ Must be at least 7 characters long Must be at most 11 characters long DESCRIPTIONS REQUIRED root > oneOf > Published > containers > cna > impacts > items > descriptions Type: array Prose description of the impact scenario. At a minimum provide the description given by CAPEC. Same definition as descriptions METRICS root > oneOf > Published > containers > cna > metrics Type: array of object Collection of impact scores with attribution. 
Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > metrics > items This is impact type information (e.g. a text description, CVSSv2, CVSSv3, CVSSv4, etc.). Must contain: At least one entry, can be text, CVSSv2, CVSSv3, others may be added. No Additional Properties ANY OF * Option 1 * Option 2 * Option 3 * Option 4 * Option 5 root > oneOf > Published > containers > cna > metrics > items > anyOf > item 0 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * cvssV4_0 root > oneOf > Published > containers > cna > metrics > items > anyOf > item 1 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * cvssV3_1 root > oneOf > Published > containers > cna > metrics > items > anyOf > item 2 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * cvssV3_0 root > oneOf > Published > containers > cna > metrics > items > anyOf > item 3 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * cvssV2_0 root > oneOf > Published > containers > cna > metrics > items > anyOf > item 4 Type: object THE FOLLOWING PROPERTIES ARE REQUIRED: * other FORMAT root > oneOf > Published > containers > cna > metrics > items > format Type: string Name of the scoring format. This provides a bit of future proofing. Additional properties are not prohibited, so this will support the inclusion of proprietary formats. It also provides an easy future conversion mechanism when future score formats become part of the schema. example: cvssV44, format = 'cvssV44', other = cvssV4_4 JSON object. In the future, the other properties can be converted to score properties when they become part of the schema. Must be at least 1 characters long Must be at most 64 characters long SCENARIOS root > oneOf > Published > containers > cna > metrics > items > scenarios Type: array of object Description of the scenarios this metrics object applies to. 
If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches. Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > metrics > items > scenarios > items Type: object No Additional Properties LANG REQUIRED root > oneOf > Published > containers > cna > metrics > items > scenarios > items > lang Type: string Default: "en" BCP 47 language code, language-region. Same definition as lang VALUE REQUIRED root > oneOf > Published > containers > cna > metrics > items > scenarios > items > value Type: string Default: "GENERAL" Description of the scenario this metrics object applies to. If no specific scenario is given, GENERAL is used as the default and applies when no more specific metric matches. Must be at least 1 characters long Must be at most 4096 characters long CVSSV4_0 root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 Type: object No Additional Properties ALL OF * Requirement 1 * Requirement 2 * Requirement 3 root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 ANY OF * Option 1 * Option 2 * Option 3 * Option 4 * Option 5 root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 0 Type: object BASESCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 0 > baseScore Type: number Value must be greater or equal to 0.0 and lesser or equal to 0.0 BASESEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 0 > baseSeverity Type: const Specific value: "NONE" root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 1 Type: object BASESCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 1 > baseScore Type: number Value 
must be greater or equal to 0.1 and lesser or equal to 3.9 and a multiple of 0.1 BASESEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 1 > baseSeverity Type: const Specific value: "LOW" root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 2 Type: object BASESCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 2 > baseScore Type: number Value must be greater or equal to 4.0 and lesser or equal to 6.9 and a multiple of 0.1 BASESEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 2 > baseSeverity Type: const Specific value: "MEDIUM" root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 3 Type: object BASESCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 3 > baseScore Type: number Value must be greater or equal to 7.0 and lesser or equal to 8.9 and a multiple of 0.1 BASESEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 3 > baseSeverity Type: const Specific value: "HIGH" root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 4 Type: object BASESCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 4 > baseScore Type: number Value must be greater or equal to 9.0 and lesser or equal to 10 and a multiple of 0.1 BASESEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 0 > anyOf > item 4 > baseSeverity Type: const Specific value: "CRITICAL" root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 ANY OF * Option 1 * Option 2 * Option 3 * Option 4 * Option 5 root > oneOf > Published > 
containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 0 Type: object THREATSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 0 > threatScore Type: number Same definition as baseScore THREATSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 0 > threatSeverity Type: const Same definition as baseSeverity root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 1 Type: object THREATSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 1 > threatScore Type: number Same definition as baseScore THREATSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 1 > threatSeverity Type: const Same definition as baseSeverity root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 2 Type: object THREATSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 2 > threatScore Type: number Same definition as baseScore THREATSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 2 > threatSeverity Type: const Same definition as baseSeverity root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 3 Type: object THREATSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 3 > threatScore Type: number Same definition as baseScore THREATSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 3 > threatSeverity Type: const Same definition as baseSeverity root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 4 Type: 
object THREATSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 4 > threatScore Type: number Same definition as baseScore THREATSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 1 > anyOf > item 4 > threatSeverity Type: const Same definition as baseSeverity root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 ANY OF * Option 1 * Option 2 * Option 3 * Option 4 * Option 5 root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 0 Type: object ENVIRONMENTALSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 0 > environmentalScore Type: number Same definition as baseScore ENVIRONMENTALSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 0 > environmentalSeverity Type: const Same definition as baseSeverity root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 1 Type: object ENVIRONMENTALSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 1 > environmentalScore Type: number Same definition as baseScore ENVIRONMENTALSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 1 > environmentalSeverity Type: const Same definition as baseSeverity root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 2 Type: object ENVIRONMENTALSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 2 > environmentalScore Type: number Same definition as baseScore ENVIRONMENTALSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 2 > environmentalSeverity Type: 
const Same definition as baseSeverity root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 3 Type: object ENVIRONMENTALSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 3 > environmentalScore Type: number Same definition as baseScore ENVIRONMENTALSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 3 > environmentalSeverity Type: const Same definition as baseSeverity root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 4 Type: object ENVIRONMENTALSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 4 > environmentalScore Type: number Same definition as baseScore ENVIRONMENTALSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > allOf > item 2 > anyOf > item 4 > environmentalSeverity Type: const Same definition as baseSeverity VERSION REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > version Type: enum (of string) CVSS Version MUST BE ONE OF: * "4.0" VECTORSTRING REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > vectorString Type: string Must match regular expression: ^CVSS:4[.]0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN](/E:[XAPU])?(/CR:[XHML])?(/IR:[XHML])?(/AR:[XHML])?(/MAV:[XNALP])?(/MAC:[XLH])?(/MAT:[XNP])?(/MPR:[XNLH])?(/MUI:[XNPA])?(/MVC:[XNLH])?(/MVI:[XNLH])?(/MVA:[XNLH])?(/MSC:[XNLH])?(/MSI:[XNLHS])?(/MSA:[XNLHS])?(/S:[XNP])?(/AU:[XNY])?(/R:[XAUI])?(/V:[XDC])?(/RE:[XLMH])?(/U:(X|Clear|Green|Amber|Red))?$ BASESCORE REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > baseScore Type: number Value must be greater or equal to 0.0 and lesser or equal to 10.0 and a multiple of 0.1 BASESEVERITY REQUIRED 
root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > baseSeverity Type: enum (of string) MUST BE ONE OF: * "NONE" * "LOW" * "MEDIUM" * "HIGH" * "CRITICAL" ATTACKVECTOR root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > attackVector Type: enum (of string) MUST BE ONE OF: * "NETWORK" * "ADJACENT" * "LOCAL" * "PHYSICAL" ATTACKCOMPLEXITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > attackComplexity Type: enum (of string) MUST BE ONE OF: * "HIGH" * "LOW" ATTACKREQUIREMENTS root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > attackRequirements Type: enum (of string) MUST BE ONE OF: * "NONE" * "PRESENT" PRIVILEGESREQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > privilegesRequired Type: enum (of string) MUST BE ONE OF: * "HIGH" * "LOW" * "NONE" USERINTERACTION root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > userInteraction Type: enum (of string) MUST BE ONE OF: * "NONE" * "PASSIVE" * "ACTIVE" VULNCONFIDENTIALITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > vulnConfidentialityImpact Type: enum (of string) MUST BE ONE OF: * "NONE" * "LOW" * "HIGH" VULNINTEGRITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > vulnIntegrityImpact Type: enum (of string) Same definition as vulnConfidentialityImpact VULNAVAILABILITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > vulnAvailabilityImpact Type: enum (of string) Same definition as vulnConfidentialityImpact SUBCONFIDENTIALITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > subConfidentialityImpact Type: enum (of string) MUST BE ONE OF: * "NONE" * "LOW" * "HIGH" SUBINTEGRITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > subIntegrityImpact Type: enum (of string) Same definition as subConfidentialityImpact 
SUBAVAILABILITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > subAvailabilityImpact Type: enum (of string) Same definition as subConfidentialityImpact EXPLOITMATURITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > exploitMaturity Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "UNREPORTED" * "PROOF_OF_CONCEPT" * "ATTACKED" * "NOT_DEFINED" CONFIDENTIALITYREQUIREMENT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > confidentialityRequirement Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "LOW" * "MEDIUM" * "HIGH" * "NOT_DEFINED" INTEGRITYREQUIREMENT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > integrityRequirement Type: enum (of string) Default: "NOT_DEFINED" Same definition as confidentialityRequirement AVAILABILITYREQUIREMENT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > availabilityRequirement Type: enum (of string) Default: "NOT_DEFINED" Same definition as confidentialityRequirement MODIFIEDATTACKVECTOR root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > modifiedAttackVector Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "NETWORK" * "ADJACENT" * "LOCAL" * "PHYSICAL" * "NOT_DEFINED" MODIFIEDATTACKCOMPLEXITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > modifiedAttackComplexity Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "HIGH" * "LOW" * "NOT_DEFINED" MODIFIEDATTACKREQUIREMENTS root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > modifiedAttackRequirements Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "NONE" * "PRESENT" * "NOT_DEFINED" MODIFIEDPRIVILEGESREQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > modifiedPrivilegesRequired Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "HIGH" * "LOW" * "NONE" * 
"NOT_DEFINED" MODIFIEDUSERINTERACTION root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > modifiedUserInteraction Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "NONE" * "PASSIVE" * "ACTIVE" * "NOT_DEFINED" MODIFIEDVULNCONFIDENTIALITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > modifiedVulnConfidentialityImpact Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "NONE" * "LOW" * "HIGH" * "NOT_DEFINED" MODIFIEDVULNINTEGRITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > modifiedVulnIntegrityImpact Type: enum (of string) Default: "NOT_DEFINED" Same definition as modifiedVulnConfidentialityImpact MODIFIEDVULNAVAILABILITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > modifiedVulnAvailabilityImpact Type: enum (of string) Default: "NOT_DEFINED" Same definition as modifiedVulnConfidentialityImpact MODIFIEDSUBCONFIDENTIALITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > modifiedSubConfidentialityImpact Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "NONE" * "LOW" * "HIGH" * "NOT_DEFINED" MODIFIEDSUBINTEGRITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > modifiedSubIntegrityImpact Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "NONE" * "LOW" * "HIGH" * "SAFETY" * "NOT_DEFINED" MODIFIEDSUBAVAILABILITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > modifiedSubAvailabilityImpact Type: enum (of string) Default: "NOT_DEFINED" Same definition as modifiedSubIntegrityImpact SAFETY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > Safety Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "NEGLIGIBLE" * "PRESENT" * "NOT_DEFINED" AUTOMATABLE root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > Automatable Type: enum (of string) 
Default: "NOT_DEFINED" MUST BE ONE OF: * "NO" * "YES" * "NOT_DEFINED" RECOVERY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > Recovery Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "AUTOMATIC" * "USER" * "IRRECOVERABLE" * "NOT_DEFINED" VALUEDENSITY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > valueDensity Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "DIFFUSE" * "CONCENTRATED" * "NOT_DEFINED" VULNERABILITYRESPONSEEFFORT root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > vulnerabilityResponseEffort Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "LOW" * "MODERATE" * "HIGH" * "NOT_DEFINED" PROVIDERURGENCY root > oneOf > Published > containers > cna > metrics > items > cvssV4_0 > providerUrgency Type: enum (of string) Default: "NOT_DEFINED" MUST BE ONE OF: * "CLEAR" * "GREEN" * "AMBER" * "RED" * "NOT_DEFINED" CVSSV3_1 root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 Type: object No Additional Properties VERSION REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > version Type: enum (of string) CVSS Version MUST BE ONE OF: * "3.1" VECTORSTRING REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > vectorString Type: string Must match regular expression: ^CVSS:3[.]1/((AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[NLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$ ATTACKVECTOR root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > attackVector Type: enum (of string) MUST BE ONE OF: * "NETWORK" * "ADJACENT_NETWORK" * "LOCAL" * "PHYSICAL" ATTACKCOMPLEXITY root > oneOf > Published > containers > cna > 
metrics > items > cvssV3_1 > attackComplexity Type: enum (of string) MUST BE ONE OF: * "HIGH" * "LOW" PRIVILEGESREQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > privilegesRequired Type: enum (of string) MUST BE ONE OF: * "HIGH" * "LOW" * "NONE" USERINTERACTION root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > userInteraction Type: enum (of string) MUST BE ONE OF: * "NONE" * "REQUIRED" SCOPE root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > scope Type: enum (of string) MUST BE ONE OF: * "UNCHANGED" * "CHANGED" CONFIDENTIALITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > confidentialityImpact Type: enum (of string) MUST BE ONE OF: * "NONE" * "LOW" * "HIGH" INTEGRITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > integrityImpact Type: enum (of string) Same definition as confidentialityImpact AVAILABILITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > availabilityImpact Type: enum (of string) Same definition as confidentialityImpact BASESCORE REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > baseScore Type: number Value must be greater or equal to 0 and lesser or equal to 10 BASESEVERITY REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > baseSeverity Type: enum (of string) MUST BE ONE OF: * "NONE" * "LOW" * "MEDIUM" * "HIGH" * "CRITICAL" EXPLOITCODEMATURITY root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > exploitCodeMaturity Type: enum (of string) MUST BE ONE OF: * "UNPROVEN" * "PROOF_OF_CONCEPT" * "FUNCTIONAL" * "HIGH" * "NOT_DEFINED" REMEDIATIONLEVEL root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > remediationLevel Type: enum (of string) MUST BE ONE OF: * "OFFICIAL_FIX" * "TEMPORARY_FIX" * "WORKAROUND" * "UNAVAILABLE" * "NOT_DEFINED" REPORTCONFIDENCE root > oneOf > 
Published > containers > cna > metrics > items > cvssV3_1 > reportConfidence Type: enum (of string) MUST BE ONE OF: * "UNKNOWN" * "REASONABLE" * "CONFIRMED" * "NOT_DEFINED" TEMPORALSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > temporalScore Type: number Same definition as baseScore TEMPORALSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > temporalSeverity Type: enum (of string) Same definition as baseSeverity CONFIDENTIALITYREQUIREMENT root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > confidentialityRequirement Type: enum (of string) MUST BE ONE OF: * "LOW" * "MEDIUM" * "HIGH" * "NOT_DEFINED" INTEGRITYREQUIREMENT root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > integrityRequirement Type: enum (of string) Same definition as confidentialityRequirement AVAILABILITYREQUIREMENT root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > availabilityRequirement Type: enum (of string) Same definition as confidentialityRequirement MODIFIEDATTACKVECTOR root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > modifiedAttackVector Type: enum (of string) MUST BE ONE OF: * "NETWORK" * "ADJACENT_NETWORK" * "LOCAL" * "PHYSICAL" * "NOT_DEFINED" MODIFIEDATTACKCOMPLEXITY root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > modifiedAttackComplexity Type: enum (of string) MUST BE ONE OF: * "HIGH" * "LOW" * "NOT_DEFINED" MODIFIEDPRIVILEGESREQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > modifiedPrivilegesRequired Type: enum (of string) MUST BE ONE OF: * "HIGH" * "LOW" * "NONE" * "NOT_DEFINED" MODIFIEDUSERINTERACTION root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > modifiedUserInteraction Type: enum (of string) MUST BE ONE OF: * "NONE" * "REQUIRED" * "NOT_DEFINED" MODIFIEDSCOPE root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > 
modifiedScope Type: enum (of string) MUST BE ONE OF: * "UNCHANGED" * "CHANGED" * "NOT_DEFINED" MODIFIEDCONFIDENTIALITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > modifiedConfidentialityImpact Type: enum (of string) MUST BE ONE OF: * "NONE" * "LOW" * "HIGH" * "NOT_DEFINED" MODIFIEDINTEGRITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > modifiedIntegrityImpact Type: enum (of string) Same definition as modifiedConfidentialityImpact MODIFIEDAVAILABILITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > modifiedAvailabilityImpact Type: enum (of string) Same definition as modifiedConfidentialityImpact ENVIRONMENTALSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > environmentalScore Type: number Same definition as baseScore ENVIRONMENTALSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV3_1 > environmentalSeverity Type: enum (of string) Same definition as baseSeverity CVSSV3_0 root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 Type: object No Additional Properties VERSION REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > version Type: enum (of string) CVSS Version MUST BE ONE OF: * "3.0" VECTORSTRING REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > vectorString Type: string Must match regular expression: ^CVSS:3[.]0/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$ ATTACKVECTOR root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > attackVector Type: enum (of string) MUST BE ONE OF: * "NETWORK" * "ADJACENT_NETWORK" * 
"LOCAL" * "PHYSICAL" ATTACKCOMPLEXITY root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > attackComplexity Type: enum (of string) MUST BE ONE OF: * "HIGH" * "LOW" PRIVILEGESREQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > privilegesRequired Type: enum (of string) MUST BE ONE OF: * "HIGH" * "LOW" * "NONE" USERINTERACTION root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > userInteraction Type: enum (of string) MUST BE ONE OF: * "NONE" * "REQUIRED" SCOPE root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > scope Type: enum (of string) MUST BE ONE OF: * "UNCHANGED" * "CHANGED" CONFIDENTIALITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > confidentialityImpact Type: enum (of string) MUST BE ONE OF: * "NONE" * "LOW" * "HIGH" INTEGRITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > integrityImpact Type: enum (of string) Same definition as confidentialityImpact AVAILABILITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > availabilityImpact Type: enum (of string) Same definition as confidentialityImpact BASESCORE REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > baseScore Type: number Value must be greater or equal to 0 and lesser or equal to 10 BASESEVERITY REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > baseSeverity Type: enum (of string) MUST BE ONE OF: * "NONE" * "LOW" * "MEDIUM" * "HIGH" * "CRITICAL" EXPLOITCODEMATURITY root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > exploitCodeMaturity Type: enum (of string) MUST BE ONE OF: * "UNPROVEN" * "PROOF_OF_CONCEPT" * "FUNCTIONAL" * "HIGH" * "NOT_DEFINED" REMEDIATIONLEVEL root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > remediationLevel Type: enum (of string) MUST BE ONE OF: * "OFFICIAL_FIX" * 
"TEMPORARY_FIX" * "WORKAROUND" * "UNAVAILABLE" * "NOT_DEFINED" REPORTCONFIDENCE root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > reportConfidence Type: enum (of string) MUST BE ONE OF: * "UNKNOWN" * "REASONABLE" * "CONFIRMED" * "NOT_DEFINED" TEMPORALSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > temporalScore Type: number Same definition as baseScore TEMPORALSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > temporalSeverity Type: enum (of string) Same definition as baseSeverity CONFIDENTIALITYREQUIREMENT root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > confidentialityRequirement Type: enum (of string) MUST BE ONE OF: * "LOW" * "MEDIUM" * "HIGH" * "NOT_DEFINED" INTEGRITYREQUIREMENT root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > integrityRequirement Type: enum (of string) Same definition as confidentialityRequirement AVAILABILITYREQUIREMENT root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > availabilityRequirement Type: enum (of string) Same definition as confidentialityRequirement MODIFIEDATTACKVECTOR root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > modifiedAttackVector Type: enum (of string) MUST BE ONE OF: * "NETWORK" * "ADJACENT_NETWORK" * "LOCAL" * "PHYSICAL" * "NOT_DEFINED" MODIFIEDATTACKCOMPLEXITY root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > modifiedAttackComplexity Type: enum (of string) MUST BE ONE OF: * "HIGH" * "LOW" * "NOT_DEFINED" MODIFIEDPRIVILEGESREQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > modifiedPrivilegesRequired Type: enum (of string) MUST BE ONE OF: * "HIGH" * "LOW" * "NONE" * "NOT_DEFINED" MODIFIEDUSERINTERACTION root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > modifiedUserInteraction Type: enum (of string) MUST BE ONE OF: * "NONE" * "REQUIRED" * 
"NOT_DEFINED" MODIFIEDSCOPE root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > modifiedScope Type: enum (of string) MUST BE ONE OF: * "UNCHANGED" * "CHANGED" * "NOT_DEFINED" MODIFIEDCONFIDENTIALITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > modifiedConfidentialityImpact Type: enum (of string) MUST BE ONE OF: * "NONE" * "LOW" * "HIGH" * "NOT_DEFINED" MODIFIEDINTEGRITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > modifiedIntegrityImpact Type: enum (of string) Same definition as modifiedConfidentialityImpact MODIFIEDAVAILABILITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > modifiedAvailabilityImpact Type: enum (of string) Same definition as modifiedConfidentialityImpact ENVIRONMENTALSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > environmentalScore Type: number Same definition as baseScore ENVIRONMENTALSEVERITY root > oneOf > Published > containers > cna > metrics > items > cvssV3_0 > environmentalSeverity Type: enum (of string) Same definition as baseSeverity CVSSV2_0 root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 Type: object No Additional Properties VERSION REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > version Type: enum (of string) CVSS Version MUST BE ONE OF: * "2.0" VECTORSTRING REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > vectorString Type: string Must match regular expression: ^((AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))/)*(AV:[NAL]|AC:[LMH]|Au:[MSN]|[CIA]:[NPC]|E:(U|POC|F|H|ND)|RL:(OF|TF|W|U|ND)|RC:(UC|UR|C|ND)|CDP:(N|L|LM|MH|H|ND)|TD:(N|L|M|H|ND)|[CIA]R:(L|M|H|ND))$ ACCESSVECTOR root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > accessVector Type: enum (of string) 
MUST BE ONE OF: * "NETWORK" * "ADJACENT_NETWORK" * "LOCAL" ACCESSCOMPLEXITY root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > accessComplexity Type: enum (of string) MUST BE ONE OF: * "HIGH" * "MEDIUM" * "LOW" AUTHENTICATION root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > authentication Type: enum (of string) MUST BE ONE OF: * "MULTIPLE" * "SINGLE" * "NONE" CONFIDENTIALITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > confidentialityImpact Type: enum (of string) MUST BE ONE OF: * "NONE" * "PARTIAL" * "COMPLETE" INTEGRITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > integrityImpact Type: enum (of string) Same definition as confidentialityImpact AVAILABILITYIMPACT root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > availabilityImpact Type: enum (of string) Same definition as confidentialityImpact BASESCORE REQUIRED root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > baseScore Type: number Value must be greater or equal to 0 and lesser or equal to 10 EXPLOITABILITY root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > exploitability Type: enum (of string) MUST BE ONE OF: * "UNPROVEN" * "PROOF_OF_CONCEPT" * "FUNCTIONAL" * "HIGH" * "NOT_DEFINED" REMEDIATIONLEVEL root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > remediationLevel Type: enum (of string) MUST BE ONE OF: * "OFFICIAL_FIX" * "TEMPORARY_FIX" * "WORKAROUND" * "UNAVAILABLE" * "NOT_DEFINED" REPORTCONFIDENCE root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > reportConfidence Type: enum (of string) MUST BE ONE OF: * "UNCONFIRMED" * "UNCORROBORATED" * "CONFIRMED" * "NOT_DEFINED" TEMPORALSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > temporalScore Type: number Same definition as baseScore COLLATERALDAMAGEPOTENTIAL root > oneOf > Published > 
containers > cna > metrics > items > cvssV2_0 > collateralDamagePotential Type: enum (of string) MUST BE ONE OF: * "NONE" * "LOW" * "LOW_MEDIUM" * "MEDIUM_HIGH" * "HIGH" * "NOT_DEFINED" TARGETDISTRIBUTION root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > targetDistribution Type: enum (of string) MUST BE ONE OF: * "NONE" * "LOW" * "MEDIUM" * "HIGH" * "NOT_DEFINED" CONFIDENTIALITYREQUIREMENT root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > confidentialityRequirement Type: enum (of string) MUST BE ONE OF: * "LOW" * "MEDIUM" * "HIGH" * "NOT_DEFINED" INTEGRITYREQUIREMENT root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > integrityRequirement Type: enum (of string) Same definition as confidentialityRequirement AVAILABILITYREQUIREMENT root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > availabilityRequirement Type: enum (of string) Same definition as confidentialityRequirement ENVIRONMENTALSCORE root > oneOf > Published > containers > cna > metrics > items > cvssV2_0 > environmentalScore Type: number Same definition as baseScore OTHER root > oneOf > Published > containers > cna > metrics > items > other Type: object A non-standard impact description, may be prose or JSON block. No Additional Properties TYPE REQUIRED root > oneOf > Published > containers > cna > metrics > items > other > type Type: string Name of the non-standard impact metrics format used. Must be at least 1 characters long Must be at most 128 characters long CONTENT REQUIRED root > oneOf > Published > containers > cna > metrics > items > other > content Type: object JSON object not covered by another metrics format. CONFIGURATIONS root > oneOf > Published > containers > cna > configurations Type: array Configurations required for exploiting this vulnerability. 
Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > configurations > description Type: object Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media. Same definition as description WORKAROUNDS root > oneOf > Published > containers > cna > workarounds Type: array Workarounds and mitigations for this vulnerability. Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > workarounds > description Type: object Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media. Same definition as description SOLUTIONS root > oneOf > Published > containers > cna > solutions Type: array Information about solutions or remediations available for this vulnerability. Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > solutions > description Type: object Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media. Same definition as description EXPLOITS root > oneOf > Published > containers > cna > exploits Type: array Information about exploits of the vulnerability. Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > exploits > description Type: object Text in a particular language with optional alternate markup or formatted representation (e.g., Markdown) or embedded media. Same definition as description TIMELINE root > oneOf > Published > containers > cna > timeline Type: array of object This is timeline information for significant events about this vulnerability or changes to the CVE Record. 
Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > timeline > items Type: object No Additional Properties TIME REQUIRED root > oneOf > Published > containers > cna > timeline > items > time Type: string Timestamp representing when the event in the timeline occurred. The timestamp format is based on RFC3339 and ISO8601, with an optional timezone. yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM - if the timezone offset is not given, GMT (+00:00) is assumed. Same definition as dateUpdated LANG REQUIRED root > oneOf > Published > containers > cna > timeline > items > lang Type: string Default: "en" The language used in the description of the event. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code. Same definition as lang VALUE REQUIRED root > oneOf > Published > containers > cna > timeline > items > value Type: string A summary of the event. Must be at least 1 characters long Must be at most 4096 characters long CREDITS root > oneOf > Published > containers > cna > credits Type: array of object Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE. Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > credits > items Type: object No Additional Properties LANG REQUIRED root > oneOf > Published > containers > cna > credits > items > lang Type: string Default: "en" The language used when describing the credits. The language field is included so that CVE Records can support translations. The value must be a BCP 47 language code. 
Same definition as lang VALUE REQUIRED root > oneOf > Published > containers > cna > credits > items > value Type: string Must be at least 1 characters long Must be at most 4096 characters long USER root > oneOf > Published > containers > cna > credits > items > user Type: string UUID of the user being credited if present in the CVE User Registry (optional). This UUID can be used to lookup the user record in the user registry service. Same definition as assignerOrgId TYPE root > oneOf > Published > containers > cna > credits > items > type Type: enum (of string) Default: "finder" Type or role of the entity being credited (optional). finder: identifies the vulnerability. reporter: notifies the vendor of the vulnerability to a CNA. analyst: validates the vulnerability to ensure accuracy or severity. coordinator: facilitates the coordinated response process. remediation developer: prepares a code change or other remediation plans. remediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness. remediation verifier: tests and verifies the vulnerability or its remediation. tool: names of tools used in vulnerability discovery or identification. sponsor: supports the vulnerability identification or remediation activities. MUST BE ONE OF: * "finder" * "reporter" * "analyst" * "coordinator" * "remediation developer" * "remediation reviewer" * "remediation verifier" * "tool" * "sponsor" * "other" SOURCE root > oneOf > Published > containers > cna > source Type: object This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root). Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry. 
TAGS root > oneOf > Published > containers > cna > tags Type: array Tags provided by a CNA describing the CVE Record. Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > tags > items ONE OF * tagExtension * cna-tags.json root > oneOf > Published > containers > cna > tags > items > oneOf > tagExtension Type: string Must match regular expression: ^x_.*$ Must be at least 2 characters long Must be at most 128 characters long root > oneOf > Published > containers > cna > tags > items > oneOf > cna-tags.json Type: enum (of string) exclusively-hosted-service: All known software and/or hardware affected by this CVE Record is known to exist only in the affected hosted service. If the vulnerability affects both hosted and on-prem software and/or hardware, then the tag should not be used. unsupported-when-assigned: Used by the assigning CNA to indicate that when a request for a CVE assignment was received, the product was already end-of-life (EOL) or a product or specific version was deemed not to be supported by the vendor. This tag should only be applied to a CVE Record when all affected products or version lines referenced in the CVE-Record are EOL. disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'. MUST BE ONE OF: * "unsupported-when-assigned" * "exclusively-hosted-service" * "disputed" TAXONOMYMAPPINGS root > oneOf > Published > containers > cna > taxonomyMappings Type: array of object List of taxonomy items related to the vulnerability. 
Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > taxonomyMappings > items Type: object A taxonomy mapping object identifies the taxonomy by a name and version (e.g., ATT&CK v13.1, CVSS 3.1, CWE 4.12) along with a list of relations relevant to this CVE. No Additional Properties TAXONOMYNAME REQUIRED root > oneOf > Published > containers > cna > taxonomyMappings > items > taxonomyName Type: string The name of the taxonomy, e.g., ATT&CK, D3FEND, CWE, CVSS. Must be at least 1 characters long Must be at most 128 characters long TAXONOMYVERSION root > oneOf > Published > containers > cna > taxonomyMappings > items > taxonomyVersion Type: string The version of taxonomy the identifiers come from. Must be at least 1 characters long Must be at most 128 characters long TAXONOMYRELATIONS REQUIRED root > oneOf > Published > containers > cna > taxonomyMappings > items > taxonomyRelations Type: array of object List of relationships to the taxonomy for the vulnerability. Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > cna > taxonomyMappings > items > taxonomyRelations > items Type: object A relationship between the taxonomy and the CVE or two taxonomy items. No Additional Properties TAXONOMYID REQUIRED root > oneOf > Published > containers > cna > taxonomyMappings > items > taxonomyRelations > items > taxonomyId Type: string Identifier of the item in the taxonomy. Used as the subject of the relationship. Must be at least 1 characters long Must be at most 2048 characters long RELATIONSHIPNAME REQUIRED root > oneOf > Published > containers > cna > taxonomyMappings > items > taxonomyRelations > items > relationshipName Type: string A description of the relationship. 
Must be at least 1 characters long Must be at most 128 characters long RELATIONSHIPVALUE REQUIRED root > oneOf > Published > containers > cna > taxonomyMappings > items > taxonomyRelations > items > relationshipValue Type: string The target of the relationship. Can be the CVE ID or another taxonomy identifier. Must be at least 1 characters long Must be at most 2048 characters long ^X_[^.]*$ PATTERN PROPERTY All properties whose names match the following regular expression must respect the following conditions. Property name regular expression: ^x_[^.]*$ root > oneOf > Published > containers > cna > ^x_[^.]*$ Type: object ADP root > oneOf > Published > containers > adp Type: array Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > adp > adpContainer Type: object An object containing the vulnerability information provided by an Authorized Data Publisher (ADP). Since multiple ADPs can provide information for a CVE ID, an ADP container must indicate which ADP is the source of the information in the object. No Additional Properties PROVIDERMETADATA REQUIRED root > oneOf > Published > containers > adp > items > providerMetadata Type: object Details related to the information container provider (CNA or ADP). Same definition as providerMetadata DATEPUBLIC root > oneOf > Published > containers > adp > items > datePublic Type: string If known, the date/time the vulnerability was disclosed publicly. Same definition as dateUpdated TITLE root > oneOf > Published > containers > adp > items > title Type: string A title, headline, or a brief phrase summarizing the information in an ADP container. Must be at least 1 characters long Must be at most 256 characters long DESCRIPTIONS root > oneOf > Published > containers > adp > items > descriptions Type: array A list of multi-lingual descriptions of the vulnerability. 
E.g., [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR]. OR [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] [ROOT CAUSE], which allows [ATTACKER] to [IMPACT] via [VECTOR]. Same definition as descriptions AFFECTED root > oneOf > Published > containers > adp > items > affected Type: array List of affected products. Same definition as affected PROBLEMTYPES root > oneOf > Published > containers > adp > items > problemTypes Type: array of object This is problem type information (e.g. CWE identifier). Must contain: At least one entry, can be text, OWASP, CWE, please note that while only one is required you can use more than one (or indeed all three) as long as they are correct. (CNA requirement: [PROBLEMTYPE]). Same definition as problemTypes REFERENCES root > oneOf > Published > containers > adp > items > references Type: array This is reference data in the form of URLs or file objects (uuencoded and embedded within the JSON file, exact format to be decided, e.g. we may require a compressed format so the objects require unpacking before they are "dangerous"). Same definition as references IMPACTS root > oneOf > Published > containers > adp > items > impacts Type: array of object Collection of impacts of this vulnerability. Same definition as impacts METRICS root > oneOf > Published > containers > adp > items > metrics Type: array of object Collection of impact scores with attribution. Same definition as metrics CONFIGURATIONS root > oneOf > Published > containers > adp > items > configurations Type: array Configurations required for exploiting this vulnerability. Same definition as configurations WORKAROUNDS root > oneOf > Published > containers > adp > items > workarounds Type: array Workarounds and mitigations for this vulnerability. 
Same definition as workarounds SOLUTIONS root > oneOf > Published > containers > adp > items > solutions Type: array Information about solutions or remediations available for this vulnerability. Same definition as solutions EXPLOITS root > oneOf > Published > containers > adp > items > exploits Type: array Information about exploits of the vulnerability. Same definition as exploits TIMELINE root > oneOf > Published > containers > adp > items > timeline Type: array of object This is timeline information for significant events about this vulnerability or changes to the CVE Record. Same definition as timeline CREDITS root > oneOf > Published > containers > adp > items > credits Type: array of object Statements acknowledging specific people, organizations, or tools recognizing the work done in researching, discovering, remediating or helping with activities related to this CVE. Same definition as credits SOURCE root > oneOf > Published > containers > adp > items > source Type: object This is the source information (who discovered it, who researched it, etc.) and optionally a chain of CNA information (e.g. the originating CNA and subsequent parent CNAs who have processed it before it arrives at the MITRE root). Must contain: IF this is in the root level it MUST contain a CNA_chain entry, IF this source entry is NOT in the root (e.g. it is part of a vendor statement) then it must contain at least one type of data entry. Same definition as source TAGS root > oneOf > Published > containers > adp > items > tags Type: array Tags provided by an ADP describing the CVE Record. 
Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Published > containers > adp > items > tags > items ONE OF * tagExtension * adp-tags.json root > oneOf > Published > containers > adp > items > tags > items > oneOf > tagExtension Type: string Same definition as tagExtension root > oneOf > Published > containers > adp > items > tags > items > oneOf > adp-tags.json Type: enum (of string) disputed: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE Record assigned to that issue may be tagged as being 'disputed'. MUST BE ONE OF: * "disputed" TAXONOMYMAPPINGS root > oneOf > Published > containers > adp > items > taxonomyMappings Type: array of object List of taxonomy items related to the vulnerability. Same definition as taxonomyMappings ^X_[^.]*$ PATTERN PROPERTY All properties whose names match the following regular expression must respect the following conditions. Property name regular expression: ^x_[^.]*$ root > oneOf > Published > containers > adp > items > ^x_[^.]*$ Type: object root > oneOf > Rejected Type: object If the CVE ID and associated CVE Record should no longer be used, the CVE Record is placed in the Rejected state. A Rejected CVE Record remains on the CVE List so that users can know when it is invalid. No Additional Properties DATATYPE REQUIRED root > oneOf > Rejected > dataType Type: enum (of string) Indicates the type of information represented in the JSON instance. Same definition as dataType DATAVERSION REQUIRED root > oneOf > Rejected > dataVersion Type: string Default: "5.1.0" The version of the CVE schema used for validating this record. Used to support multiple versions of this format. 
Same definition as dataVersion CVEMETADATA REQUIRED root > oneOf > Rejected > cveMetadata Type: object This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on. These fields are controlled by the CVE Services. No Additional Properties CVEID REQUIRED root > oneOf > Rejected > cveMetadata > cveId Type: string The CVE identifier that this record pertains to. Same definition as cveId ASSIGNERORGID REQUIRED root > oneOf > Rejected > cveMetadata > assignerOrgId Type: string The UUID for the organization to which the CVE ID was originally assigned. Same definition as assignerOrgId ASSIGNERSHORTNAME root > oneOf > Rejected > cveMetadata > assignerShortName Type: string The short name for the organization to which the CVE ID was originally assigned. Same definition as assignerShortName SERIAL root > oneOf > Rejected > cveMetadata > serial Type: integer The system of record causes this to start at 1, and increment by 1 each time a submission from a data provider changes this CVE Record. The incremented value moves to the Rejected schema upon a PUBLISHED->REJECTED transition, and moves to the Published schema upon a REJECTED->PUBLISHED transition. Value must be greater or equal to 1 DATEUPDATED root > oneOf > Rejected > cveMetadata > dateUpdated Type: string The date/time the record was last updated. Same definition as dateUpdated DATEPUBLISHED root > oneOf > Rejected > cveMetadata > datePublished Type: string The date/time the CVE Record was first published in the CVE List. Same definition as dateUpdated DATEREJECTED root > oneOf > Rejected > cveMetadata > dateRejected Type: string The date/time the CVE ID was rejected. Same definition as dateUpdated STATE REQUIRED root > oneOf > Rejected > cveMetadata > state Type: enum (of string) State of CVE - PUBLISHED, REJECTED. 
MUST BE ONE OF: * "REJECTED" DATERESERVED root > oneOf > Rejected > cveMetadata > dateReserved Type: string The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. Same definition as dateUpdated CONTAINERS REQUIRED root > oneOf > Rejected > containers Type: object A set of structures (called containers) used to store vulnerability information related to a specific CVE ID provided by a specific organization participating in the CVE program. Each container includes information provided by a different source. At minimum, a 'cna' container containing the vulnerability information provided by the CNA who initially assigned the CVE ID must be included. There can only be one 'cna' container, as there can only be one assigning CNA. No Additional Properties CNA REQUIRED root > oneOf > Rejected > containers > cna Type: object An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a rejected CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. No Additional Properties PROVIDERMETADATA REQUIRED root > oneOf > Rejected > containers > cna > providerMetadata Type: object Details related to the information container provider (CNA or ADP). Same definition as providerMetadata REJECTEDREASONS REQUIRED root > oneOf > Rejected > containers > cna > rejectedReasons Type: array Reasons for rejecting this CVE Record. Same definition as descriptions REPLACEDBY root > oneOf > Rejected > containers > cna > replacedBy Type: array Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities. 
Must contain a minimum of 1 items All items must be unique EACH ITEM OF THIS ARRAY MUST BE: root > oneOf > Rejected > containers > cna > replacedBy > cveId Type: string Same definition as cveId ^X_[^.]*$ PATTERN PROPERTY All properties whose names match the following regular expression must respect the following conditions. Property name regular expression: ^x_[^.]*$ root > oneOf > Rejected > containers > cna > ^x_[^.]*$ Type: object Generated using json-schema-for-humans on 2023-11-06 at 11:39:34 -0800