From 541ce043b384c02462dd04a22fc2fea978617098 Mon Sep 17 00:00:00 2001 From: ziad hany Date: Thu, 30 Oct 2025 03:27:56 +0300 Subject: [PATCH 1/2] Update nvd test data Update NVD Importer v2 to use 2.0 API schema Migrate nvd importer v1 to use 2.0 API schema Signed-off-by: ziad hany --- vulnerabilities/pipelines/nvd_importer.py | 48 +- .../pipelines/v2_importers/nvd_importer.py | 36 +- .../pipelines/test_nvd_importer_pipeline.py | 384 ++++-- .../tests/test_data/nvd/nvd-expected.json | 110 +- .../test_data/nvd/nvd-rejected-expected.json | 4 +- .../tests/test_data/nvd/nvd_test.json | 1095 ++++++++--------- .../tests/test_data/nvd/rejected_nvd.json | 56 +- 7 files changed, 1018 insertions(+), 715 deletions(-) diff --git a/vulnerabilities/pipelines/nvd_importer.py b/vulnerabilities/pipelines/nvd_importer.py index 645b9f442..bbf9f6f23 100644 --- a/vulnerabilities/pipelines/nvd_importer.py +++ b/vulnerabilities/pipelines/nvd_importer.py @@ -11,6 +11,7 @@ import json import logging from datetime import date +from datetime import timezone from traceback import format_exc as traceback_format_exc from typing import Iterable @@ -94,7 +95,7 @@ def advisories_count(self): return advisory_count def collect_advisories(self) -> Iterable[AdvisoryData]: - for _year, cve_data in fetch_cve_data_1_1(logger=self.log): + for _year, cve_data in fetch_cve_data_2_0(logger=self.log): yield from to_advisories(cve_data=cve_data) @@ -107,7 +108,7 @@ def fetch(url, logger=None): return json.loads(data) -def fetch_cve_data_1_1(starting_year=2002, logger=None): +def fetch_cve_data_2_0(starting_year=2002, logger=None): """ Yield tuples of (year, lists of CVE mappings) from the NVD, one for each year since ``starting_year`` defaulting to 2002. 
@@ -115,7 +116,7 @@ def fetch_cve_data_1_1(starting_year=2002, logger=None): current_year = date.today().year # NVD json feeds start from 2002. for year in range(starting_year, current_year + 1): - download_url = f"https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-{year}.json.gz" + download_url = f"https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-{year}.json.gz" yield year, fetch(url=download_url, logger=logger) @@ -134,12 +135,14 @@ class CveItem: cve_item = attr.attrib(default=attr.Factory(dict), type=dict) @classmethod - def to_advisories(cls, cve_data, skip_hardware=True): + def to_advisories(cls, vulnerabilities, skip_hardware=True): """ Yield AdvisoryData objects from ``cve_data`` data for CVE JSON 1.1feed. Skip hardware """ - for cve_item in CveItem.from_cve_data(cve_data=cve_data, skip_hardware=skip_hardware): + for cve_item in CveItem.from_cve_data( + cve_data=vulnerabilities, skip_hardware=skip_hardware + ): yield cve_item.to_advisory() @classmethod @@ -147,7 +150,7 @@ def from_cve_data(cls, cve_data, skip_hardware=True): """ Yield CVE items mapping from a cve_data list of CVE mappings from the NVD. """ - for cve_item in cve_data.get("CVE_Items") or []: + for cve_item in cve_data.get("vulnerabilities") or []: if not cve_item: continue if not isinstance(cve_item, dict): 
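Review bot: Renaming the `CveItem.to_advisories` parameter from `cve_data` to `vulnerabilities` breaks any caller that passes `cve_data=` by keyword. The new name is also misleading, because the value is still the whole feed mapping that `from_cve_data` unwraps with `.get("vulnerabilities")`. Keeping `def to_advisories(cls, cve_data, skip_hardware=True):` avoids both problems. The docstring in the same hunk still says `CVE JSON 1.1feed`; it should read something like `Yield AdvisoryData objects from an NVD CVE JSON 2.0 feed mapping.` No matching rename is visible in the v2 importer hunks, so the two modules would also diverge.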
@@ -159,20 +162,20 @@ def from_cve_data(cls, cve_data, skip_hardware=True): @property def cve_id(self): - return self.cve_item["cve"]["CVE_data_meta"]["ID"] + return self.cve_item["cve"]["id"] @property def summary(self): """ Return a descriptive summary. """ - # In 99% of cases len(cve_item['cve']['description']['description_data']) == 1 , so - # this usually returns cve_item['cve']['description']['description_data'][0]['value'] + # In 99% of cases len(cve_item['cve']['description']) == 1 , so + # this usually returns cve_item['cve']['description'][0]['value'] # In the remaining 1% cases this returns the longest summary. - # FIXME: we should retun the full description WITH the summry as the first line instead + # FIXME: we should return the full description WITH the summary as the first line instead summaries = [] - for desc in get_item(self.cve_item, "cve", "description", "description_data") or []: - if desc.get("value"): + for desc in get_item(self.cve_item, "cve", "descriptions") or []: + if desc.get("value") and desc.get("lang") == "en": summaries.append(desc["value"]) return max(summaries, key=len) if summaries else None @@ -183,11 +186,12 @@ def cpes(self): """ # FIXME: we completely ignore the configurations here cpes = [] - for node in get_item(self.cve_item, "configurations", "nodes") or []: - for cpe_data in node.get("cpe_match") or []: - cpe23_uri = cpe_data.get("cpe23Uri") - if cpe23_uri and cpe23_uri not in cpes: - cpes.append(cpe23_uri) + for nodes in get_item(self.cve_item, "cve", "configurations") or []: + for node in nodes.get("nodes") or []: + for cpe_data in node.get("cpeMatch") or []: + cpe23_uri = cpe_data.get("criteria") + if cpe23_uri and cpe23_uri not in cpes: + cpes.append(cpe23_uri) return cpes @property 
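Review bot: The rewritten comment in `summary` names `cve_item['cve']['description']`, but the code below it reads the `descriptions` key. Its "99% of cases len == 1" claim also no longer fits 2.0 records, since the updated test fixture carries both an `en` and an `es` entry. Suggested wording: `# NVD 2.0 lists one description per language under cve['descriptions']; keep the English ones and return the longest.` With the new `desc.get("lang") == "en"` filter, a record without an English description yields `None`, which no visible test covers; confirm that consumers of `summary` accept that. The matching hunk in `v2_importers/nvd_importer.py` (`@@ -175,8 +176,8`) leaves the `retun`/`summry` typos that this hunk fixes.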
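Review bot: In `cpes` the outer loop variable `nodes` holds one entry of `cve.configurations`, not a node list, so `for configuration in ...` with `configuration.get("nodes")` would read correctly. The loop also collects every `criteria` value without consulting the `vulnerable` flag, so the `cpe:2.3:h:` platform entries marked `"vulnerable": False` in the test fixture are returned alongside the affected firmware CPEs. If anything downstream (the `skip_hardware` path, for instance) treats `cpes` as the affected set, that deserves at least a comment next to the existing FIXME, e.g. `# NOTE: includes non-vulnerable platform CPEs from AND configurations`. The property body starts outside the hunk, and the same loop is added in `v2_importers/nvd_importer.py` (`@@ -187,11 +188,12`).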
@@ -243,7 +247,7 @@ def reference_urls(self): # FIXME: we should also collect additional data from the references such as tags and ids urls = [] - for reference in get_item(self.cve_item, "cve", "references", "reference_data") or []: + for reference in get_item(self.cve_item, "cve", "references") or []: ref_url = reference.get("url") if ref_url and ref_url.startswith(("http", "ftp")) and ref_url not in urls: urls.append(ref_url) @@ -294,9 +298,7 @@ def weaknesses(self): Return a list of CWE IDs like: [119, 189] """ weaknesses = [] - for weaknesses_item in ( - get_item(self.cve_item, "cve", "problemtype", "problemtype_data") or [] - ): + for weaknesses_item in get_item(self.cve_item, "cve", "weaknesses") or []: weaknesses_description = weaknesses_item.get("description") or [] for weaknesses_value in weaknesses_description: cwe_id = ( @@ -315,7 +317,9 @@ def to_advisory(self): aliases=[self.cve_id], summary=self.summary, references=self.references, - date_published=dateparser.parse(self.cve_item.get("publishedDate")), + date_published=dateparser.parse(self.cve_item["cve"].get("published")).replace( + tzinfo=timezone.utc + ), weaknesses=self.weaknesses, url=f"https://nvd.nist.gov/vuln/detail/{self.cve_id}", ) diff --git a/vulnerabilities/pipelines/v2_importers/nvd_importer.py b/vulnerabilities/pipelines/v2_importers/nvd_importer.py index 876b7a905..23bc76c17 100644 --- a/vulnerabilities/pipelines/v2_importers/nvd_importer.py +++ b/vulnerabilities/pipelines/v2_importers/nvd_importer.py @@ -11,6 +11,7 @@ import json import logging from datetime import date +from datetime import timezone from traceback import format_exc as traceback_format_exc from typing import Iterable @@ -93,7 +94,7 @@ def advisories_count(self): return advisory_count def collect_advisories(self) -> Iterable[AdvisoryData]: - for _year, cve_data in fetch_cve_data_1_1(logger=self.log): + for _year, cve_data in fetch_cve_data_2_0(logger=self.log): yield from to_advisories(cve_data=cve_data) 
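Review bot: `dateparser.parse(self.cve_item["cve"].get("published")).replace(tzinfo=timezone.utc)` uses `.get()` as if `published` were optional and then chains onto the result. A record without that field, or one the parser cannot read, therefore raises, and nothing visible in the hunk keeps that from stopping the import of the feed. `replace(tzinfo=...)` also overwrites rather than converts: the 2.0 fixture timestamps carry no offset, so this encodes an assumption that NVD times are UTC, and a value that did carry an offset would be silently relabelled. I would parse defensively and attach UTC only to naive values, as sketched below, assuming `AdvisoryData` accepts `date_published=None`. The same expression is added in `v2_importers/nvd_importer.py` (`@@ -322,7 +322,9`); `to_advisory` starts outside the hunk in both files.

```python
        # NVD 2.0 timestamps carry no offset; treated as UTC here (assumption, confirm against NVD docs).
        published = get_item(self.cve_item, "cve", "published")
        date_published = dateparser.parse(published) if published else None
        if date_published and date_published.tzinfo is None:
            date_published = date_published.replace(tzinfo=timezone.utc)
        # … unchanged: AdvisoryData(...) arguments, passing date_published=date_published …
```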
@@ -111,7 +112,7 @@ def fetch(url, logger=None): return json.loads(data) -def fetch_cve_data_1_1(starting_year=2025, logger=None): +def fetch_cve_data_2_0(starting_year=2002, logger=None): """ Yield tuples of (year, lists of CVE mappings) from the NVD, one for each year since ``starting_year`` defaulting to 2002. @@ -119,7 +120,7 @@ def fetch_cve_data_1_1(starting_year=2025, logger=None): current_year = date.today().year # NVD json feeds start from 2002. for year in range(starting_year, current_year + 1): - download_url = f"https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-{year}.json.gz" + download_url = f"https://nvd.nist.gov/feeds/json/cve/2.0/nvdcve-2.0-{year}.json.gz" yield year, fetch(url=download_url, logger=logger) @@ -151,7 +152,7 @@ def from_cve_data(cls, cve_data, skip_hardware=True): """ Yield CVE items mapping from a cve_data list of CVE mappings from the NVD. """ - for cve_item in cve_data.get("CVE_Items") or []: + for cve_item in cve_data.get("vulnerabilities") or []: if not cve_item: continue if not isinstance(cve_item, dict): @@ -163,7 +164,7 @@ def from_cve_data(cls, cve_data, skip_hardware=True): @property def cve_id(self): - return self.cve_item["cve"]["CVE_data_meta"]["ID"] + return self.cve_item["cve"]["id"] @property def summary(self): @@ -175,8 +176,8 @@ def summary(self): # In the remaining 1% cases this returns the longest summary. # FIXME: we should retun the full description WITH the summry as the first line instead summaries = [] - for desc in get_item(self.cve_item, "cve", "description", "description_data") or []: - if desc.get("value"): + for desc in get_item(self.cve_item, "cve", "descriptions") or []: + if desc.get("value") and desc.get("lang") == "en": summaries.append(desc["value"]) return max(summaries, key=len) if summaries else None 
@@ -187,11 +188,12 @@ def cpes(self): """ # FIXME: we completely ignore the configurations here cpes = [] - for node in get_item(self.cve_item, "configurations", "nodes") or []: - for cpe_data in node.get("cpe_match") or []: - cpe23_uri = cpe_data.get("cpe23Uri") - if cpe23_uri and cpe23_uri not in cpes: - cpes.append(cpe23_uri) + for nodes in get_item(self.cve_item, "cve", "configurations") or []: + for node in nodes.get("nodes") or []: + for cpe_data in node.get("cpeMatch") or []: + cpe23_uri = cpe_data.get("criteria") + if cpe23_uri and cpe23_uri not in cpes: + cpes.append(cpe23_uri) return cpes @property @@ -250,7 +252,7 @@ def reference_urls(self): # FIXME: we should also collect additional data from the references such as tags and ids urls = [] - for reference in get_item(self.cve_item, "cve", "references", "reference_data") or []: + for reference in get_item(self.cve_item, "cve", "references") or []: ref_url = reference.get("url") if ref_url and ref_url.startswith(("http", "ftp")) and ref_url not in urls: urls.append(ref_url) @@ -300,9 +302,7 @@ def weaknesses(self): Return a list of CWE IDs like: [119, 189] """ weaknesses = [] - for weaknesses_item in ( - get_item(self.cve_item, "cve", "problemtype", "problemtype_data") or [] - ): + for weaknesses_item in get_item(self.cve_item, "cve", "weaknesses") or []: weaknesses_description = weaknesses_item.get("description") or [] for weaknesses_value in weaknesses_description: cwe_id = ( @@ -322,7 +322,9 @@ def to_advisory(self): aliases=[], summary=self.summary, references_v2=self.references, - date_published=dateparser.parse(self.cve_item.get("publishedDate")), + date_published=dateparser.parse(self.cve_item["cve"].get("published")).replace( + tzinfo=timezone.utc + ), weaknesses=self.weaknesses, severities=self.severities, url=f"https://nvd.nist.gov/vuln/detail/{self.cve_id}", 
diff --git a/vulnerabilities/tests/pipelines/test_nvd_importer_pipeline.py b/vulnerabilities/tests/pipelines/test_nvd_importer_pipeline.py index 5b90ca986..b97527327 100644 --- a/vulnerabilities/tests/pipelines/test_nvd_importer_pipeline.py +++ b/vulnerabilities/tests/pipelines/test_nvd_importer_pipeline.py 
@@ -76,96 +76,331 @@ def test_to_advisories_marks_rejected_cve(regen=REGEN): # TODO: use a JSON fixtures instead def get_test_cve_item(): - return { "cve": { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", - "CVE_data_meta": {"ID": "CVE-2005-4895", "ASSIGNER": "cve@mitre.org"}, - "problemtype": { - "problemtype_data": [{"description": [{"lang": "en", "value": "CWE-189"}]}] - }, - "references": { - "reference_data": [ - { - "url": "http://code.google.com/p/gperftools/source/browse/tags/perftools-0.4/ChangeLog", - "name": "http://code.google.com/p/gperftools/source/browse/tags/perftools-0.4/ChangeLog", - "refsource": "CONFIRM", - "tags": [], - }, - { - "url": "http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/", - "name": "http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/", - "refsource": "MISC", - "tags": [], - }, - ] - }, - "description": { - "description_data": [ + "id": "CVE-2025-45988", + "sourceIdentifier": "cve@mitre.org", + "published": "2025-06-13T12:15:34.403", + "lastModified": "2025-07-10T12:16:15.107", + "vulnStatus": "Analyzed", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain multiple command injection vulnerabilities via the cmd parameter in the bs_SetCmd function.", + }, + { + "lang": "es", + "value": "Se descubrió que los enrutadores Blink BL-WR9000 V2.4.9, BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5, BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 v4.0.0 y BL-X26_DA3 v1.2.7 contenían múltiples vulnerabilidades de inyección de comandos a través del parámetro cmd en la función bs_SetCmd.", + }, + ], + "metrics": { + "cvssMetricV31": [ { - "lang": "en", - "value": "Multiple integer overflows in TCMalloc (tcmalloc.cc) in gperftools before 0.4 make it 
easier for context-dependent attackers to perform memory-related attacks such as buffer overflows via a large size value, which causes less memory to be allocated than expected.", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "baseScore": 9.8, + "baseSeverity": "CRITICAL", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "availabilityImpact": "HIGH", + }, + "exploitabilityScore": 3.9, + "impactScore": 5.9, } ] }, - }, - "configurations": { - "CVE_data_version": "4.0", - "nodes": [ + "weaknesses": [ + { + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary", + "description": [{"lang": "en", "value": "CWE-77"}], + } + ], + "configurations": [ { - "operator": "OR", - "cpe_match": [ + "operator": "AND", + "nodes": [ { - "vulnerable": True, - "cpe23Uri": "cpe:2.3:a:csilvers:gperftools:0.1:*:*:*:*:*:*:*", + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": True, + "criteria": "cpe:2.3:o:b-link:bl-wr9000_firmware:2.4.9:*:*:*:*:*:*:*", + "matchCriteriaId": "0D1A3280-9C15-4961-8C69-9ECE34528FDB", + } + ], }, { - "vulnerable": True, - "cpe23Uri": "cpe:2.3:a:csilvers:gperftools:0.2:*:*:*:*:*:*:*", + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": False, + "criteria": "cpe:2.3:h:b-link:bl-wr9000:-:*:*:*:*:*:*:*", + "matchCriteriaId": "2D5ADB0D-6D03-448A-A0F3-7C238A20AF46", + } + ], }, + ], + }, + { + "operator": "AND", + "nodes": [ { - "vulnerable": True, - "cpe23Uri": "cpe:2.3:a:csilvers:gperftools:*:*:*:*:*:*:*:*", - "versionEndIncluding": "0.3", + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": True, + "criteria": "cpe:2.3:o:b-link:bl-ac1900_firmware:1.0.2:*:*:*:*:*:*:*", + "matchCriteriaId": 
"BE554304-8F2B-40A1-98CB-DE641B4CCE61", + } + ], + }, + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": False, + "criteria": "cpe:2.3:h:b-link:bl-ac1900:-:*:*:*:*:*:*:*", + "matchCriteriaId": "2C5CA5E8-C497-475E-B0CE-6F54B6E9BFA8", + } + ], + }, + ], + }, + { + "operator": "AND", + "nodes": [ + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": True, + "criteria": "cpe:2.3:o:b-link:bl-ac2100_az3_firmware:1.0.4:*:*:*:*:*:*:*", + "matchCriteriaId": "05E31365-4655-4B8D-9B75-AE70292C12C3", + } + ], + }, + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": False, + "criteria": "cpe:2.3:h:b-link:bl-ac2100_az3:-:*:*:*:*:*:*:*", + "matchCriteriaId": "3B134A86-F380-4BE4-9CEC-5CBAE046CF8B", + } + ], + }, + ], + }, + { + "operator": "AND", + "nodes": [ + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": True, + "criteria": "cpe:2.3:o:b-link:bl-x10_ac8_firmware:1.0.5:*:*:*:*:*:*:*", + "matchCriteriaId": "AAA6D548-72E1-435B-8EDB-50C1C258CE9C", + } + ], + }, + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": False, + "criteria": "cpe:2.3:h:b-link:bl-x10_ac8:-:*:*:*:*:*:*:*", + "matchCriteriaId": "B153FF75-DDAF-4B43-8D54-C8211C607C2C", + } + ], }, ], + }, + { + "operator": "AND", + "nodes": [ + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": True, + "criteria": "cpe:2.3:o:b-link:bl-lte300_firmware:1.2.3:*:*:*:*:*:*:*", + "matchCriteriaId": "8907D058-539D-44B8-BC30-EC137B4C6841", + } + ], + }, + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": False, + "criteria": "cpe:2.3:h:b-link:bl-lte300:-:*:*:*:*:*:*:*", + "matchCriteriaId": "4CD2D0EC-F71B-4CD6-8013-EDCDE49B6BC9", + } + ], + }, + ], + }, + { + "operator": "AND", + "nodes": [ + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": True, + "criteria": "cpe:2.3:o:b-link:bl-f1200_at1_firmware:1.0.0:*:*:*:*:*:*:*", + 
"matchCriteriaId": "3DD8A5B3-0FF1-4512-9AEB-68A801956085", + } + ], + }, + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": False, + "criteria": "cpe:2.3:h:b-link:bl-f1200_at1:-:*:*:*:*:*:*:*", + "matchCriteriaId": "9391FA6B-40EF-4A53-9B38-3F5EA0611970", + } + ], + }, + ], + }, + { + "operator": "AND", + "nodes": [ + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": True, + "criteria": "cpe:2.3:o:b-link:bl-x26_ac8_firmware:1.2.8:*:*:*:*:*:*:*", + "matchCriteriaId": "FCE90D05-D32B-4C52-917C-024FB4814751", + } + ], + }, + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": False, + "criteria": "cpe:2.3:h:b-link:bl-x26_ac8:-:*:*:*:*:*:*:*", + "matchCriteriaId": "A13AD09A-4BF0-49B9-AB05-439D34413C81", + } + ], + }, + ], + }, + { + "operator": "AND", + "nodes": [ + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": True, + "criteria": "cpe:2.3:o:b-link:blac450m_ae4_firmware:4.0.0:*:*:*:*:*:*:*", + "matchCriteriaId": "5422B990-7572-42A1-89C4-D8FEEEC066ED", + } + ], + }, + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": False, + "criteria": "cpe:2.3:h:b-link:blac450m_ae4:-:*:*:*:*:*:*:*", + "matchCriteriaId": "A469F008-B95F-480C-A677-43E6D448FEEB", + } + ], + }, + ], + }, + { + "operator": "AND", + "nodes": [ + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": True, + "criteria": "cpe:2.3:o:b-link:bl-x26_da3_firmware:1.2.7:*:*:*:*:*:*:*", + "matchCriteriaId": "D3D8F5C4-F1A2-4E88-A795-DEAC4E77B3C1", + } + ], + }, + { + "operator": "OR", + "negate": False, + "cpeMatch": [ + { + "vulnerable": False, + "criteria": "cpe:2.3:h:b-link:bl-x26_da3:-:*:*:*:*:*:*:*", + "matchCriteriaId": "1C8F576A-7D13-4311-9FDD-9BFB4E5705D8", + } + ], + }, + ], + }, + ], + "references": [ + { + "url": 
"https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_cmd%20Indicates%20the%20unauthorized%20command%20injection/The%20LB-LINK_cmd%20command%20is%20used%20to%20inject%20information.md", + "source": "cve@mitre.org", + "tags": ["Exploit"], } ], - }, - "impact": { - "baseMetricV2": { - "cvssV2": { - "version": "2.0", - "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", - "accessVector": "NETWORK", - "accessComplexity": "LOW", - "authentication": "NONE", - "confidentialityImpact": "NONE", - "integrityImpact": "NONE", - "availabilityImpact": "PARTIAL", - "baseScore": 5.0, - }, - "severity": "MEDIUM", - "exploitabilityScore": 10.0, - "impactScore": 2.9, - "obtainAllPrivilege": False, - "obtainUserPrivilege": False, - "obtainOtherPrivilege": False, - "userInteractionRequired": False, - } - }, - "publishedDate": "2012-07-25T19:55Z", - "lastModifiedDate": "2012-08-09T04:00Z", + } } def test_CveItem_cpes(): expected_cpes = [ - "cpe:2.3:a:csilvers:gperftools:0.1:*:*:*:*:*:*:*", - "cpe:2.3:a:csilvers:gperftools:0.2:*:*:*:*:*:*:*", - "cpe:2.3:a:csilvers:gperftools:*:*:*:*:*:*:*:*", + "cpe:2.3:o:b-link:bl-wr9000_firmware:2.4.9:*:*:*:*:*:*:*", + "cpe:2.3:h:b-link:bl-wr9000:-:*:*:*:*:*:*:*", + "cpe:2.3:o:b-link:bl-ac1900_firmware:1.0.2:*:*:*:*:*:*:*", + "cpe:2.3:h:b-link:bl-ac1900:-:*:*:*:*:*:*:*", + "cpe:2.3:o:b-link:bl-ac2100_az3_firmware:1.0.4:*:*:*:*:*:*:*", + "cpe:2.3:h:b-link:bl-ac2100_az3:-:*:*:*:*:*:*:*", + "cpe:2.3:o:b-link:bl-x10_ac8_firmware:1.0.5:*:*:*:*:*:*:*", + "cpe:2.3:h:b-link:bl-x10_ac8:-:*:*:*:*:*:*:*", + "cpe:2.3:o:b-link:bl-lte300_firmware:1.2.3:*:*:*:*:*:*:*", + "cpe:2.3:h:b-link:bl-lte300:-:*:*:*:*:*:*:*", + "cpe:2.3:o:b-link:bl-f1200_at1_firmware:1.0.0:*:*:*:*:*:*:*", + "cpe:2.3:h:b-link:bl-f1200_at1:-:*:*:*:*:*:*:*", + "cpe:2.3:o:b-link:bl-x26_ac8_firmware:1.2.8:*:*:*:*:*:*:*", + "cpe:2.3:h:b-link:bl-x26_ac8:-:*:*:*:*:*:*:*", + "cpe:2.3:o:b-link:blac450m_ae4_firmware:4.0.0:*:*:*:*:*:*:*", + "cpe:2.3:h:b-link:blac450m_ae4:-:*:*:*:*:*:*:*", + 
"cpe:2.3:o:b-link:bl-x26_da3_firmware:1.2.7:*:*:*:*:*:*:*", + "cpe:2.3:h:b-link:bl-x26_da3:-:*:*:*:*:*:*:*", ] found_cpes = nvd_importer.CveItem(cve_item=get_test_cve_item()).cpes @@ -182,10 +417,10 @@ def test_is_related_to_hardware(): def test_CveItem_summary_with_single_summary(): expected_summary = ( - "Multiple integer overflows in TCMalloc (tcmalloc.cc) in gperftools " - "before 0.4 make it easier for context-dependent attackers to perform memory-related " - "attacks such as buffer overflows via a large size value, which causes less memory to " - "be allocated than expected." + "Blink routers BL-WR9000 V2.4.9 , BL-AC2100_AZ3 V1.0.4, BL-X10_AC8 v1.0.5 , " + "BL-LTE300 v1.2.3, BL-F1200_AT1 v1.0.0, BL-X26_AC8 v1.2.8, BLAC450M_AE4 " + "v4.0.0 and BL-X26_DA3 v1.2.7 were discovered to contain multiple command " + "injection vulnerabilities via the cmd parameter in the bs_SetCmd function." ) assert nvd_importer.CveItem(cve_item=get_test_cve_item()).summary == expected_summary @@ -193,8 +428,7 @@ def test_CveItem_summary_with_single_summary(): def test_CveItem_reference_urls(): expected_urls = [ - "http://code.google.com/p/gperftools/source/browse/tags/perftools-0.4/ChangeLog", - "http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/", + "https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_cmd%20Indicates%20the%20unauthorized%20command%20injection/The%20LB-LINK_cmd%20command%20is%20used%20to%20inject%20information.md" ] assert nvd_importer.CveItem(cve_item=get_test_cve_item()).reference_urls == expected_urls diff --git a/vulnerabilities/tests/test_data/nvd/nvd-expected.json b/vulnerabilities/tests/test_data/nvd/nvd-expected.json index 7d5482fe5..10d33ee92 100644 --- a/vulnerabilities/tests/test_data/nvd/nvd-expected.json +++ b/vulnerabilities/tests/test_data/nvd/nvd-expected.json 
@@ -22,13 +22,7 @@ "reference_id": "CVE-2005-4895", "reference_type": "", "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-4895", - "severities": [ - { - "system": "cvssv2", - "value": "5.0", - "scoring_elements": "AV:N/AC:L/Au:N/C:N/I:N/A:P" - } - ] + "severities": [] }, { "reference_id": "cpe:2.3:a:csilvers:gperftools:*:*:*:*:*:*:*:*", 
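Review bot: The regenerated expectation replaces the `cvssv2` severity for CVE-2005-4895 with `"severities": []`, and a later hunk does the same for CVE-2003-0001, so the migrated importer now emits no score for records that previously had one. No hunk in this patch touches the code that builds severities, so it presumably still reads the 1.1 `impact` block, while the 2.0 fixture in the test module keeps scores under `cve.metrics` (`cvssMetricV31`). Unless the new `nvd_test.json` input really has no metrics for these CVEs, the severity extraction needs the same migration. This fixture should then keep a non-empty `severities` list so that the loss of scoring data is caught by the test.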
@@ -49,12 +43,104 @@ "severities": [] } ], - "date_published": "2012-07-25T19:55:00+00:00", + "date_published": "2012-07-25T19:55:01.273000+00:00", "weaknesses": [ 189 ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-4895" }, + { + "aliases": [ + "CVE-2005-4900" + ], + "summary": "SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation.", + "affected_packages": [], + "references": [ + { + "reference_id": "", + "reference_type": "", + "url": "http://ia.cr/2007/474", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "http://shattered.io/", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "http://www.securityfocus.com/bid/12577", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10340", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://sites.google.com/site/itstheshappening", + "severities": [] + 
}, + { + "reference_id": "", + "reference_type": "", + "url": "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html", + "severities": [] + }, + { + "reference_id": "", + "reference_type": "", + "url": "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html", + "severities": [] + }, + { + "reference_id": "CVE-2005-4900", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-4900", + "severities": [] + }, + { + "reference_id": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", + "reference_type": "", + "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", + "severities": [] + } + ], + "date_published": "2016-10-14T16:59:00.187000+00:00", + "weaknesses": [ + 326 + ], + "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-4900" + }, { "aliases": [ "CVE-2003-0001" @@ -156,13 +242,7 @@ "reference_id": "CVE-2003-0001", "reference_type": "", "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0001", - "severities": [ - { - "system": "cvssv2", - "value": "5.0", - "scoring_elements": "AV:N/AC:L/Au:N/C:P/I:N/A:N" - } - ] + "severities": [] }, { "reference_id": "cpe:2.3:o:freebsd:freebsd:4.2:*:*:*:*:*:*:*", diff --git a/vulnerabilities/tests/test_data/nvd/nvd-rejected-expected.json b/vulnerabilities/tests/test_data/nvd/nvd-rejected-expected.json index 71a50e410..93c155a6f 100644 --- a/vulnerabilities/tests/test_data/nvd/nvd-rejected-expected.json +++ b/vulnerabilities/tests/test_data/nvd/nvd-rejected-expected.json @@ -3,7 +3,7 @@ "aliases": [ "CVE-2022-0094" ], - "summary": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none.", + "summary": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none.", "affected_packages": [], "references": [ { 
@@ -13,7 +13,7 @@ "severities": [] } ], - "date_published": "2023-05-12T05:15:00+00:00", + "date_published": "2023-05-12T05:15:14.540000+00:00", "weaknesses": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0094" } diff --git a/vulnerabilities/tests/test_data/nvd/nvd_test.json b/vulnerabilities/tests/test_data/nvd/nvd_test.json index 5bb675aa5..6a9ac8c6a 100644 --- a/vulnerabilities/tests/test_data/nvd/nvd_test.json +++ b/vulnerabilities/tests/test_data/nvd/nvd_test.json 
@@ -1,552 +1,547 @@ { - "CVE_data_type": "CVE", - "CVE_data_format": "MITRE", - "CVE_data_version": "4.0", - "CVE_data_numberOfCVEs": "4758", - "CVE_data_timestamp": "2020-07-29T09:05Z", - "CVE_Items": [ - { - "cve": { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", - "CVE_data_meta": { - "ID": "CVE-2005-4895", - "ASSIGNER": "cve@mitre.org" - }, - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "en", - "value": "CWE-189" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "url": "http://code.google.com/p/gperftools/source/browse/tags/perftools-0.4/ChangeLog", - "name": "http://code.google.com/p/gperftools/source/browse/tags/perftools-0.4/ChangeLog", - "refsource": "CONFIRM", - "tags": [] - }, - { - "url": "http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/", - "name": "http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/", - "refsource": "MISC", - "tags": [] - } - ] - }, - "description": { - "description_data": [ - { - "lang": "en", - "value": "Multiple integer overflows in TCMalloc (tcmalloc.cc) in gperftools before 0.4 make it easier for context-dependent attackers to perform memory-related attacks such as buffer overflows via a large size value, which causes less memory to be allocated than expected." 
- } - ] - } - }, - "configurations": { - "CVE_data_version": "4.0", - "nodes": [ - { - "operator": "OR", - "cpe_match": [ - { - "vulnerable": true, - "cpe23Uri": "cpe:2.3:a:csilvers:gperftools:0.1:*:*:*:*:*:*:*" - }, - { - "vulnerable": true, - "cpe23Uri": "cpe:2.3:a:csilvers:gperftools:0.2:*:*:*:*:*:*:*" - }, - { - "vulnerable": true, - "cpe23Uri": "cpe:2.3:a:csilvers:gperftools:*:*:*:*:*:*:*:*", - "versionEndIncluding": "0.3" - } - ] - } - ] - }, - "impact": { - "baseMetricV2": { - "cvssV2": { - "version": "2.0", - "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", - "accessVector": "NETWORK", - "accessComplexity": "LOW", - "authentication": "NONE", - "confidentialityImpact": "NONE", - "integrityImpact": "NONE", - "availabilityImpact": "PARTIAL", - "baseScore": 5.0 - }, - "severity": "MEDIUM", - "exploitabilityScore": 10.0, - "impactScore": 2.9, - "obtainAllPrivilege": false, - "obtainUserPrivilege": false, - "obtainOtherPrivilege": false, - "userInteractionRequired": false - } - }, - "publishedDate": "2012-07-25T19:55Z", - "lastModifiedDate": "2012-08-09T04:00Z" - }, - { - "cve": { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", - "CVE_data_meta": { - "ID": "CVE-2005-4900", - "ASSIGNER": "cve@mitre.org" - }, - "problemtype": { - "problemtype_data": [ - { - "description": [ - { - "lang": "en", - "value": "CWE-326" - } - ] - } - ] - }, - "references": { - "reference_data": [ - { - "url": "http://ia.cr/2007/474", - "name": "2007", - "refsource": "MISC", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "http://shattered.io/", - "name": "http://shattered.io/", - "refsource": "MISC", - "tags": [] - }, - { - "url": "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1", - "name": "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1", - "refsource": "MISC", - "tags": [] - }, - { - "url": "http://www.securityfocus.com/bid/12577", - "name": 
"exceedsDBexceedsDBexceedsDBexceedsDBexceedsDBexceedsDB", - "refsource": "BID", - "tags": [] - }, - { - "url": "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/", - "name": "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/", - "refsource": "MISC", - "tags": [] - }, - { - "url": "https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html", - "name": "https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html", - "refsource": "MISC", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html", - "name": "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html", - "refsource": "MISC", - "tags": [] - }, - { - "url": "https://sites.google.com/site/itstheshappening", - "name": "https://sites.google.com/site/itstheshappening", - "refsource": "MISC", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html", - "name": "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html", - "refsource": "MISC", - "tags": [ - "Third Party Advisory" - ] - }, - { - "url": "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html", - "name": "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html", - "refsource": "MISC", - "tags": [ - "Third Party Advisory" - ] - } - ] - }, - "description": { - "description_data": [ - { - "lang": "en", - "value": "SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation." 
- }, - { - "lang": "en", - "value": "SHA-1 is likely present in a large number of products across the entire IT sector. The applicability statement for this CVE will be updated when specific products are identified, as time and resources permit." - } - ] - } - }, - "configurations": { - "CVE_data_version": "4.0", - "nodes": [ - { - "operator": "OR", - "cpe_match": [ - { - "vulnerable": true, - "cpe23Uri": "cpe:2.3:h:google:chrome:*:*:*:*:*:*:*:*", - "versionEndIncluding": "47.0.2526.111" - } - ] - } - ] - }, - "impact": { - "baseMetricV3": { - "cvssV3": { - "version": "3.0", - "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "attackVector": "NETWORK", - "attackComplexity": "HIGH", - "privilegesRequired": "NONE", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "NONE", - "availabilityImpact": "NONE", - "baseScore": 5.9, - "baseSeverity": "MEDIUM" - }, - "exploitabilityScore": 2.2, - "impactScore": 3.6 - }, - "baseMetricV2": { - "cvssV2": { - "version": "2.0", - "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", - "accessVector": "NETWORK", - "accessComplexity": "MEDIUM", - "authentication": "NONE", - "confidentialityImpact": "PARTIAL", - "integrityImpact": "NONE", - "availabilityImpact": "NONE", - "baseScore": 4.3 - }, - "severity": "MEDIUM", - "exploitabilityScore": 8.6, - "impactScore": 2.9, - "obtainAllPrivilege": false, - "obtainUserPrivilege": false, - "obtainOtherPrivilege": false, - "userInteractionRequired": false - } - }, - "publishedDate": "2016-10-14T16:59Z", - "lastModifiedDate": "2018-05-30T01:29Z" - }, - { - "cve" : { - "data_type" : "CVE", - "data_format" : "MITRE", - "data_version" : "4.0", - "CVE_data_meta" : { - "ID" : "CVE-2003-0001", - "ASSIGNER" : "cve@mitre.org" - }, - "problemtype" : { - "problemtype_data" : [ { - "description" : [ { - "lang" : "en", - "value" : "CWE-200" - } ] - } ] - }, - "references" : { - "reference_data" : [ { - "url" : 
"http://www.atstake.com/research/advisories/2003/a010603-1.txt", - "name" : "A010603-1", - "refsource" : "ATSTAKE", - "tags" : [ "Vendor Advisory" ] - }, { - "url" : "http://www.kb.cert.org/vuls/id/412115", - "name" : "VU#412115", - "refsource" : "CERT-VN", - "tags" : [ "Third Party Advisory", "US Government Resource" ] - }, { - "url" : "http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0016.html", - "name" : "20030110 More information regarding Etherleak", - "refsource" : "VULNWATCH", - "tags" : [ ] - }, { - "url" : "http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf", - "name" : "http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf", - "refsource" : "MISC", - "tags" : [ ] - }, { - "url" : "http://www.redhat.com/support/errata/RHSA-2003-025.html", - "name" : "RHSA-2003:025", - "refsource" : "REDHAT", - "tags" : [ ] - }, { - "url" : "http://www.redhat.com/support/errata/RHSA-2003-088.html", - "name" : "RHSA-2003:088", - "refsource" : "REDHAT", - "tags" : [ ] - }, { - "url" : "http://www.osvdb.org/9962", - "name" : "9962", - "refsource" : "OSVDB", - "tags" : [ ] - }, { - "url" : "http://secunia.com/advisories/7996", - "name" : "7996", - "refsource" : "SECUNIA", - "tags" : [ ] - }, { - "url" : "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", - "name" : "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", - "refsource" : "CONFIRM", - "tags" : [ ] - }, { - "url" : "http://marc.info/?l=bugtraq&m=104222046632243&w=2", - "name" : "20030110 More information regarding Etherleak", - "refsource" : "BUGTRAQ", - "tags" : [ ] - }, { - "url" : "http://www.securitytracker.com/id/1031583", - "name" : "1031583", - "refsource" : "SECTRACK", - "tags" : [ ] - }, { - "url" : "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2665", - "name" : "oval:org.mitre.oval:def:2665", - "refsource" : "OVAL", - "tags" : [ ] - }, { - "url" : 
"http://www.securitytracker.com/id/1040185", - "name" : "1040185", - "refsource" : "SECTRACK", - "tags" : [ ] - }, { - "url" : "http://www.securityfocus.com/archive/1/307564/30/26270/threaded", - "name" : "20030117 Re: More information regarding Etherleak", - "refsource" : "BUGTRAQ", - "tags" : [ ] - }, { - "url" : "http://www.securityfocus.com/archive/1/305335/30/26420/threaded", - "name" : "20030106 Etherleak: Ethernet frame padding information leakage (A010603-1)", - "refsource" : "BUGTRAQ", - "tags" : [ ] - } ] - }, - "description" : { - "description_data" : [ { - "lang" : "en", - "value" : "Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak." - } ] - } - }, - "configurations" : { - "CVE_data_version" : "4.0", - "nodes" : [ { - "operator" : "OR", - "children" : [ ], - "cpe_match" : [ { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.1:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:freebsd:freebsd:4.6:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:freebsd:freebsd:4.7:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.15:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.16:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.4:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.5:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.6:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : 
"cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:netbsd:netbsd:1.6:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:freebsd:freebsd:4.2:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:freebsd:freebsd:4.3:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.11:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.12:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.19:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.2:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.9:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:netbsd:netbsd:1.5:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:netbsd:netbsd:1.5.1:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.10:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.17:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.18:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : 
"cpe:2.3:o:linux:linux_kernel:2.4.7:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.8:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp1:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp2:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:freebsd:freebsd:4.4:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:freebsd:freebsd:4.5:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.13:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.14:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.20:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:linux:linux_kernel:2.4.3:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:netbsd:netbsd:1.5.2:*:*:*:*:*:*:*", - "cpe_name" : [ ] - }, { - "vulnerable" : true, - "cpe23Uri" : "cpe:2.3:o:netbsd:netbsd:1.5.3:*:*:*:*:*:*:*", - "cpe_name" : [ ] - } ] - } ] - }, - "impact" : { - "baseMetricV2" : { - "cvssV2" : { - "version" : "2.0", - "vectorString" : "AV:N/AC:L/Au:N/C:P/I:N/A:N", - "accessVector" : "NETWORK", - "accessComplexity" : "LOW", - "authentication" : "NONE", - "confidentialityImpact" : "PARTIAL", - "integrityImpact" : "NONE", - "availabilityImpact" : "NONE", - "baseScore" : 5.0 - }, - "severity" : "MEDIUM", - "exploitabilityScore" : 10.0, - "impactScore" : 2.9, - "obtainAllPrivilege" : false, - "obtainUserPrivilege" : false, - "obtainOtherPrivilege" : false, - "userInteractionRequired" : false - } - }, - "publishedDate" : "2003-01-17T05:00Z", - 
"lastModifiedDate" : "2019-04-30T14:27Z" - } - ] + "resultsPerPage": 38743, + "startIndex": 0, + "totalResults": 38743, + "format": "NVD_CVE", + "version": "2.0", + "timestamp": "2025-12-25T03:00:00.7378299", + "vulnerabilities": [ + {"cve" : { + "id" : "CVE-2005-4895", + "sourceIdentifier" : "cve@mitre.org", + "published" : "2012-07-25T19:55:01.273", + "lastModified" : "2025-04-11T00:51:21.963", + "vulnStatus" : "Deferred", + "cveTags" : [ ], + "descriptions" : [ { + "lang" : "en", + "value" : "Multiple integer overflows in TCMalloc (tcmalloc.cc) in gperftools before 0.4 make it easier for context-dependent attackers to perform memory-related attacks such as buffer overflows via a large size value, which causes less memory to be allocated than expected." + }, { + "lang" : "es", + "value" : "Múltiples desbordamientos de enteros en TCMalloc (tcmalloc.cc) en gperftools antes v0.4 hace que sea más fácil para los atacantes dependientes de contexto realizar ataques relacionados con la memoria, tales como desbordamientos de memoria a través de un valor de tamaño grande, lo que causa que se asigne menos memoria de lo esperado." 
+ } ], + "metrics" : { + "cvssMetricV2" : [ { + "source" : "nvd@nist.gov", + "type" : "Primary", + "cvssData" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "baseScore" : 5.0, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "PARTIAL" + }, + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : 10.0, + "impactScore" : 2.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } ] + }, + "weaknesses" : [ { + "source" : "nvd@nist.gov", + "type" : "Primary", + "description" : [ { + "lang" : "en", + "value" : "CWE-189" + } ] + } ], + "configurations" : [ { + "nodes" : [ { + "operator" : "OR", + "negate" : false, + "cpeMatch" : [ { + "vulnerable" : true, + "criteria" : "cpe:2.3:a:csilvers:gperftools:*:*:*:*:*:*:*:*", + "versionEndIncluding" : "0.3", + "matchCriteriaId" : "BEC9A6EA-129D-4A9E-A3F6-379FC64E4B22" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:a:csilvers:gperftools:0.1:*:*:*:*:*:*:*", + "matchCriteriaId" : "7BDB58C4-45E6-401B-9305-B422E7760FB3" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:a:csilvers:gperftools:0.2:*:*:*:*:*:*:*", + "matchCriteriaId" : "B0D76DB5-A8CA-4667-8B62-F38132D7A5C8" + } ] + } ] + } ], + "references" : [ { + "url" : "http://code.google.com/p/gperftools/source/browse/tags/perftools-0.4/ChangeLog", + "source" : "cve@mitre.org" + }, { + "url" : "http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/", + "source" : "cve@mitre.org" + }, { + "url" : "http://code.google.com/p/gperftools/source/browse/tags/perftools-0.4/ChangeLog", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + } ] + }}, + {"cve" : { + 
"id" : "CVE-2005-4900", + "sourceIdentifier" : "cve@mitre.org", + "published" : "2016-10-14T16:59:00.187", + "lastModified" : "2025-04-12T10:46:40.837", + "vulnStatus" : "Deferred", + "cveTags" : [ ], + "descriptions" : [ { + "lang" : "en", + "value" : "SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation." + }, { + "lang" : "es", + "value" : "SHA-1 no es resistente a la colisión, lo que facilita a atacantes dependientes del contexto llevar a cabo ataques de espionaje, como es demostrado por ataques en el uso de SHA-1 en TLS 1.2. NOTA: esta CVE existe para dar un identificador común para referenciar este problema de SHA-1; la existencia de un identificador no es, en si misma, una recomendación tecnológica." 
+ } ], + "metrics" : { + "cvssMetricV30" : [ { + "source" : "nvd@nist.gov", + "type" : "Primary", + "cvssData" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "baseScore" : 5.9, + "baseSeverity" : "MEDIUM", + "attackVector" : "NETWORK", + "attackComplexity" : "HIGH", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "NONE", + "availabilityImpact" : "NONE" + }, + "exploitabilityScore" : 2.2, + "impactScore" : 3.6 + } ], + "cvssMetricV2" : [ { + "source" : "nvd@nist.gov", + "type" : "Primary", + "cvssData" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:P/I:N/A:N", + "baseScore" : 4.3, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "NONE", + "availabilityImpact" : "NONE" + }, + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 2.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } ] + }, + "weaknesses" : [ { + "source" : "nvd@nist.gov", + "type" : "Primary", + "description" : [ { + "lang" : "en", + "value" : "CWE-326" + } ] + } ], + "configurations" : [ { + "nodes" : [ { + "operator" : "OR", + "negate" : false, + "cpeMatch" : [ { + "vulnerable" : true, + "criteria" : "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", + "versionEndIncluding" : "47.0.2526.111", + "matchCriteriaId" : "AFB52550-C3FC-4CDD-AA6E-500BD3304241" + } ] + } ] + } ], + "references" : [ { + "url" : "http://ia.cr/2007/474", + "source" : "cve@mitre.org", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "http://shattered.io/", + "source" : "cve@mitre.org" + }, { + "url" : "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1", + "source" : "cve@mitre.org" + }, 
{ + "url" : "http://www.securityfocus.com/bid/12577", + "source" : "cve@mitre.org" + }, { + "url" : "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/", + "source" : "cve@mitre.org" + }, { + "url" : "https://kc.mcafee.com/corporate/index?page=content&id=SB10340", + "source" : "cve@mitre.org" + }, { + "url" : "https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html", + "source" : "cve@mitre.org", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html", + "source" : "cve@mitre.org" + }, { + "url" : "https://sites.google.com/site/itstheshappening", + "source" : "cve@mitre.org", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html", + "source" : "cve@mitre.org", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html", + "source" : "cve@mitre.org", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "http://ia.cr/2007/474", + "source" : "af854a3a-2127-422b-91ae-364da2661108", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "http://shattered.io/", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://www.cwi.nl/news/2017/cwi-and-google-announce-first-collision-industry-security-standard-sha-1", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://www.securityfocus.com/bid/12577", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "https://kc.mcafee.com/corporate/index?page=content&id=SB10340", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : 
"https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html", + "source" : "af854a3a-2127-422b-91ae-364da2661108", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "https://sites.google.com/site/itstheshappening", + "source" : "af854a3a-2127-422b-91ae-364da2661108", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "https://www.schneier.com/blog/archives/2005/02/sha1_broken.html", + "source" : "af854a3a-2127-422b-91ae-364da2661108", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "https://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html", + "source" : "af854a3a-2127-422b-91ae-364da2661108", + "tags" : [ "Third Party Advisory" ] + } ], + "evaluatorComment" : "SHA-1 is likely present in a large number of products across the entire IT sector. The applicability statement for this CVE will be updated when specific products are identified, as time and resources permit." + }}, + {"cve" : { + "id" : "CVE-2003-0001", + "sourceIdentifier" : "cve@mitre.org", + "published" : "2003-01-17T05:00:00.000", + "lastModified" : "2025-04-03T01:03:51.193", + "vulnStatus" : "Deferred", + "cveTags" : [ ], + "descriptions" : [ { + "lang" : "en", + "value" : "Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak." + }, { + "lang" : "es", + "value" : "Múltiples controladores de dispositivo (device drivers) de Tarjetas de Interfaz de Red (Network Interface Card - NIC) Ethernet no rellenan las tramas con bytes nulos, lo que permite a atacantes remotos obtener información de paquetes anteriores o memoria del kernel usando paquetes malformados, como ha sido demostrado por Etherleak." 
+ } ], + "metrics" : { + "cvssMetricV2" : [ { + "source" : "nvd@nist.gov", + "type" : "Primary", + "cvssData" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:L/Au:N/C:P/I:N/A:N", + "baseScore" : 5.0, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "NONE", + "availabilityImpact" : "NONE" + }, + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : 10.0, + "impactScore" : 2.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } ] + }, + "weaknesses" : [ { + "source" : "nvd@nist.gov", + "type" : "Primary", + "description" : [ { + "lang" : "en", + "value" : "CWE-200" + } ] + } ], + "configurations" : [ { + "nodes" : [ { + "operator" : "OR", + "negate" : false, + "cpeMatch" : [ { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:freebsd:freebsd:4.2:*:*:*:*:*:*:*", + "matchCriteriaId" : "DF49BF03-C25E-4737-84D5-892895C86C58" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:freebsd:freebsd:4.3:*:*:*:*:*:*:*", + "matchCriteriaId" : "D2019E0E-426B-43AF-8904-1B811AE171E8" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:freebsd:freebsd:4.4:*:*:*:*:*:*:*", + "matchCriteriaId" : "55C5FC1A-1253-4390-A4FC-573BB14EA937" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:freebsd:freebsd:4.5:*:*:*:*:*:*:*", + "matchCriteriaId" : "44308D13-D935-4FF8-AB52-F0E115ED1AD2" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:freebsd:freebsd:4.6:*:*:*:*:*:*:*", + "matchCriteriaId" : "9C001822-FDF8-497C-AC2C-B59A00E9ACD2" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:freebsd:freebsd:4.7:*:*:*:*:*:*:*", + "matchCriteriaId" : "B86C77AB-B8FF-4376-9B4E-C88417396F3D" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.1:*:*:*:*:*:*:*", + "matchCriteriaId" : "55B85D5B-4EA1-4FCF-8D50-9C54E8FDA92F" + }, { + "vulnerable" : 
true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.2:*:*:*:*:*:*:*", + "matchCriteriaId" : "01408EC0-9C2D-4A44-8080-D7FC7E1A1FA1" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.3:*:*:*:*:*:*:*", + "matchCriteriaId" : "5F49A384-7222-41F3-9BE1-4E18C00E50A6" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.4:*:*:*:*:*:*:*", + "matchCriteriaId" : "05520FE3-C48D-42E8-BC24-C2396BD46CBA" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.5:*:*:*:*:*:*:*", + "matchCriteriaId" : "D865FBB6-E07D-492F-A75E-168B06C8ADEE" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.6:*:*:*:*:*:*:*", + "matchCriteriaId" : "598F24C2-0366-4799-865C-5EE4572B734B" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.7:*:*:*:*:*:*:*", + "matchCriteriaId" : "D0399660-6385-45AB-9785-E504D8788146" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.8:*:*:*:*:*:*:*", + "matchCriteriaId" : "DCBC50EA-130C-41B7-83EA-C523B3C3AAD7" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.9:*:*:*:*:*:*:*", + "matchCriteriaId" : "B91F6CBE-400F-4D0B-B893-34577B47A342" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.10:*:*:*:*:*:*:*", + "matchCriteriaId" : "1548ECFD-FCB5-4AE0-9788-42F61F25489F" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.11:*:*:*:*:*:*:*", + "matchCriteriaId" : "6ABB9787-5497-4BDC-8952-F99CF60A89BD" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.12:*:*:*:*:*:*:*", + "matchCriteriaId" : "615F6BA2-CD51-4159-B28A-A018CA9FC25C" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.13:*:*:*:*:*:*:*", + "matchCriteriaId" : "093848CB-68A1-4258-8357-373A477FE4E2" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.14:*:*:*:*:*:*:*", + "matchCriteriaId" : 
"E275F440-A427-465F-B314-BF0730C781DB" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.15:*:*:*:*:*:*:*", + "matchCriteriaId" : "98651D39-60CF-409F-8276-DBBB56B972AA" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.16:*:*:*:*:*:*:*", + "matchCriteriaId" : "067B8E09-C923-4DDA-92DB-4A2892CB526A" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.17:*:*:*:*:*:*:*", + "matchCriteriaId" : "9EBE3738-E530-4EC6-9FC6-1A063605BE05" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.18:*:*:*:*:*:*:*", + "matchCriteriaId" : "474384F1-FB2D-4C00-A4CD-0C2C5AE42DB4" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.19:*:*:*:*:*:*:*", + "matchCriteriaId" : "F677E992-8D37-438F-97DF-9D98B28F020C" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:linux:linux_kernel:2.4.20:*:*:*:*:*:*:*", + "matchCriteriaId" : "476687F9-722B-490C-BD0B-B5F2CD7891DC" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*", + "matchCriteriaId" : "4E545C63-FE9C-4CA1-AF0F-D999D84D2AFD" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*", + "matchCriteriaId" : "294EBA01-147B-4DA0-937E-ACBB655EDE53" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*", + "matchCriteriaId" : "4E8B7346-F2AA-434C-A048-7463EC1BB117" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:*:*:*:*:*:*:*", + "matchCriteriaId" : "9D34EFE5-22B7-4E8D-B5B2-2423C37CFFA7" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp1:*:*:*:*:*:*", + "matchCriteriaId" : "8208AFC9-0EFC-4A90-AD5A-FD94F5542885" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:microsoft:windows_2000_terminal_services:*:sp2:*:*:*:*:*:*", + "matchCriteriaId" : 
"4D4168AE-D19E-482E-8F2B-3E798B2D84E7" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:netbsd:netbsd:1.5:*:*:*:*:*:*:*", + "matchCriteriaId" : "E10D9BF9-FCC7-4680-AD3A-95757FC005EA" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:netbsd:netbsd:1.5.1:*:*:*:*:*:*:*", + "matchCriteriaId" : "78E8C3A4-9FA7-4F2A-8C65-D4404715E674" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:netbsd:netbsd:1.5.2:*:*:*:*:*:*:*", + "matchCriteriaId" : "DBA2E3A3-EB9B-4B20-B754-EEC914FB1D47" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:netbsd:netbsd:1.5.3:*:*:*:*:*:*:*", + "matchCriteriaId" : "7AC78BA4-70F4-4B9F-93C2-B107E4DCC418" + }, { + "vulnerable" : true, + "criteria" : "cpe:2.3:o:netbsd:netbsd:1.6:*:*:*:*:*:*:*", + "matchCriteriaId" : "28A10F5A-067E-4DD8-B585-ABCD6F6B324E" + } ] + } ] + } ], + "references" : [ { + "url" : "http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0016.html", + "source" : "cve@mitre.org" + }, { + "url" : "http://marc.info/?l=bugtraq&m=104222046632243&w=2", + "source" : "cve@mitre.org" + }, { + "url" : "http://secunia.com/advisories/7996", + "source" : "cve@mitre.org" + }, { + "url" : "http://www.atstake.com/research/advisories/2003/a010603-1.txt", + "source" : "cve@mitre.org", + "tags" : [ "Vendor Advisory" ] + }, { + "url" : "http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf", + "source" : "cve@mitre.org" + }, { + "url" : "http://www.kb.cert.org/vuls/id/412115", + "source" : "cve@mitre.org", + "tags" : [ "Third Party Advisory", "US Government Resource" ] + }, { + "url" : "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", + "source" : "cve@mitre.org" + }, { + "url" : "http://www.osvdb.org/9962", + "source" : "cve@mitre.org" + }, { + "url" : "http://www.redhat.com/support/errata/RHSA-2003-025.html", + "source" : "cve@mitre.org" + }, { + "url" : "http://www.redhat.com/support/errata/RHSA-2003-088.html", + "source" : "cve@mitre.org" + }, { + "url" : 
"http://www.securityfocus.com/archive/1/305335/30/26420/threaded", + "source" : "cve@mitre.org" + }, { + "url" : "http://www.securityfocus.com/archive/1/307564/30/26270/threaded", + "source" : "cve@mitre.org" + }, { + "url" : "http://www.securitytracker.com/id/1031583", + "source" : "cve@mitre.org" + }, { + "url" : "http://www.securitytracker.com/id/1040185", + "source" : "cve@mitre.org" + }, { + "url" : "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2665", + "source" : "cve@mitre.org" + }, { + "url" : "http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0016.html", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://marc.info/?l=bugtraq&m=104222046632243&w=2", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://secunia.com/advisories/7996", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://www.atstake.com/research/advisories/2003/a010603-1.txt", + "source" : "af854a3a-2127-422b-91ae-364da2661108", + "tags" : [ "Vendor Advisory" ] + }, { + "url" : "http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://www.kb.cert.org/vuls/id/412115", + "source" : "af854a3a-2127-422b-91ae-364da2661108", + "tags" : [ "Third Party Advisory", "US Government Resource" ] + }, { + "url" : "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://www.osvdb.org/9962", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://www.redhat.com/support/errata/RHSA-2003-025.html", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://www.redhat.com/support/errata/RHSA-2003-088.html", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://www.securityfocus.com/archive/1/305335/30/26420/threaded", + "source" : 
"af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://www.securityfocus.com/archive/1/307564/30/26270/threaded", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://www.securitytracker.com/id/1031583", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "http://www.securitytracker.com/id/1040185", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + }, { + "url" : "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2665", + "source" : "af854a3a-2127-422b-91ae-364da2661108" + } ] + }} + ] } \ No newline at end of file diff --git a/vulnerabilities/tests/test_data/nvd/rejected_nvd.json b/vulnerabilities/tests/test_data/nvd/rejected_nvd.json index f9b060877..349d2d0df 100644 --- a/vulnerabilities/tests/test_data/nvd/rejected_nvd.json +++ b/vulnerabilities/tests/test_data/nvd/rejected_nvd.json 
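Review bot: The new fixture no longer contains any hardware CPE, so the `skip_hardware=True` path of `CveItem.from_cve_data` is not exercised by this data. The old CVE-2005-4900 record used `cpe:2.3:h:google:chrome:*:*:*:*:*:*:*:*` and was absent from nvd-expected.json; the new record uses `cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*` and is now expected in the output. In the 2.0 schema the CPE string moved from `cpe23Uri` to `criteria`, and `configurations` became a list, so a hardware filter that still reads the old keys would let everything through without any test noticing. I would add one record whose only `cpeMatch` entry has a `cpe:2.3:h:` criteria (a constructed record is fine) and assert that it does not appear in nvd-expected.json, unless the updated test module already covers this, which is not visible here.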
@@ -1,40 +1,28 @@ { - "CVE_Items": [ + "resultsPerPage": 27259, + "startIndex": 0, + "totalResults": 27259, + "format": "NVD_CVE", + "version": "2.0", + "timestamp": "2025-12-25T03:00:54.3217243", + "vulnerabilities": [ { "cve": { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", - "CVE_data_meta": { - "ID": "CVE-2022-0094", - "ASSIGNER": "cve@mitre.org" - }, - "problemtype": { - "problemtype_data": [ - { - "description": [] - } - ] - }, - "references": { - "reference_data": [] - }, - "description": { - "description_data": [ - { - "lang": "en", - "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none." - } - ] - } - }, - "configurations": { - "CVE_data_version": "4.0", - "nodes": [] - }, - "impact": {}, - "publishedDate": "2023-05-12T05:15Z", - "lastModifiedDate": "2023-05-12T05:15Z" + "id": "CVE-2022-0094", + "sourceIdentifier": "security_alert@emc.com", + "published": "2023-05-12T05:15:14.540", + "lastModified": "2023-11-07T03:40:56.960", + "vulnStatus": "Rejected", + "cveTags": [], + "descriptions": [ + { + "lang": "en", + "value": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none." + } + ], + "metrics": {}, + "references": [] + } } ] } \ No newline at end of file From 2ca2aae6d3d6758618b79f5a317f42e4cffdb4c0 Mon Sep 17 00:00:00 2001 From: ziad hany Date: Sat, 27 Dec 2025 00:32:13 +0200 Subject: [PATCH 2/2] Fix nvd importer to collect severities correctly Add a test Signed-off-by: ziad hany --- vulnerabilities/pipelines/nvd_importer.py | 61 +++--- .../pipelines/v2_importers/nvd_importer.py | 64 +++--- .../pipelines/test_nvd_importer_pipeline.py | 199 +++++++++++++++++- .../tests/test_data/nvd/nvd-expected.json | 29 ++- 4 files changed, 267 insertions(+), 86 deletions(-) 
diff --git a/vulnerabilities/pipelines/nvd_importer.py b/vulnerabilities/pipelines/nvd_importer.py index bbf9f6f23..ccb067ec9 100644 --- a/vulnerabilities/pipelines/nvd_importer.py +++ b/vulnerabilities/pipelines/nvd_importer.py 
@@ -200,43 +200,32 @@ def severities(self): Return a list of VulnerabilitySeverity for this CVE. """ severities = [] - impact = self.cve_item.get("impact") or {} - base_metric_v4 = impact.get("baseMetricV4") or {} - if base_metric_v4: - cvss_v4 = base_metric_v4.get("cvssV4") or {} - vs = VulnerabilitySeverity( - system=severity_systems.CVSSV4, - value=str(cvss_v4.get("baseScore") or ""), - scoring_elements=str(cvss_v4.get("vectorString") or ""), - ) - severities.append(vs) - - base_metric_v3 = impact.get("baseMetricV3") or {} - if base_metric_v3: - cvss_v3 = get_item(base_metric_v3, "cvssV3") - version = cvss_v3.get("version") - system = None - if version == "3.1": - system = severity_systems.CVSSV31 - else: - system = severity_systems.CVSSV3 - vs = VulnerabilitySeverity( - system=system, - value=str(cvss_v3.get("baseScore") or ""), - scoring_elements=str(cvss_v3.get("vectorString") or ""), - ) - severities.append(vs) - - base_metric_v2 = impact.get("baseMetricV2") or {} - if base_metric_v2: - cvss_v2 = base_metric_v2.get("cvssV2") or {} - vs = VulnerabilitySeverity( - system=severity_systems.CVSSV2, - value=str(cvss_v2.get("baseScore") or ""), - scoring_elements=str(cvss_v2.get("vectorString") or ""), - ) - severities.append(vs) + metrics = get_item(self.cve_item, "cve", "metrics") or {} + url = f"https://nvd.nist.gov/vuln/detail/{self.cve_id}" + metric_configs = [ + ("cvssMetricV40", severity_systems.CVSSV4), + ("cvssMetricV31", severity_systems.CVSSV31), + ("cvssMetricV30", severity_systems.CVSSV3), + ("cvssMetricV2", severity_systems.CVSSV2), + ] + for key, default_system in metric_configs: + items = metrics.get(key) or [] + + for item in items: + cvss_data = item.get("cvssData") or {} + system = default_system + if key == "cvssMetricV31" and cvss_data.get("version") != "3.1": + system = severity_systems.CVSSV3 + + severities.append( + VulnerabilitySeverity( + system=system, + value=str(cvss_data.get("baseScore") or ""), + 
scoring_elements=str(cvss_data.get("vectorString") or ""), + url=url, + ) + ) return severities @property diff --git a/vulnerabilities/pipelines/v2_importers/nvd_importer.py b/vulnerabilities/pipelines/v2_importers/nvd_importer.py index 23bc76c17..290314219 100644 --- a/vulnerabilities/pipelines/v2_importers/nvd_importer.py +++ b/vulnerabilities/pipelines/v2_importers/nvd_importer.py 
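Review bot: The new loop in `severities` appends one entry per element of each `cvssMetric*` list but discards that element's `source` and `type`, so NVD's own Primary score and a CNA's Secondary score for the same CVSS version cannot be told apart downstream. The fixture added later in this patch shows the effect: two `cvssv3.1` severities (3.5 from `cna@vuldb.com`, 7.5 from `nvd@nist.gov`) that share the same `url`, so anything that ranks or filters on severity ends up depending on list order. If `VulnerabilitySeverity` cannot carry the provenance, at least make the order deterministic and documented, e.g. `items = sorted(metrics.get(key) or [], key=lambda m: m.get("type") != "Primary")`, and state in the docstring that Primary entries come first. The identical hunk in `v2_importers/nvd_importer.py` needs the same treatment. The `def severities` line and the start of its docstring are outside this hunk.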
@@ -202,46 +202,32 @@ def severities(self): Return a list of VulnerabilitySeverity for this CVE. """ severities = [] - impact = self.cve_item.get("impact") or {} - base_metric_v4 = impact.get("baseMetricV4") or {} - if base_metric_v4: - cvss_v4 = base_metric_v4.get("cvssV4") or {} - vs = VulnerabilitySeverity( - system=severity_systems.CVSSV4, - value=str(cvss_v4.get("baseScore") or ""), - scoring_elements=str(cvss_v4.get("vectorString") or ""), - url=f"https://nvd.nist.gov/vuln/detail/{self.cve_id}", - ) - severities.append(vs) - - base_metric_v3 = impact.get("baseMetricV3") or {} - if base_metric_v3: - cvss_v3 = get_item(base_metric_v3, "cvssV3") - version = cvss_v3.get("version") - system = None - if version == "3.1": - system = severity_systems.CVSSV31 - else: - system = severity_systems.CVSSV3 - vs = VulnerabilitySeverity( - system=system, - value=str(cvss_v3.get("baseScore") or ""), - scoring_elements=str(cvss_v3.get("vectorString") or ""), - url=f"https://nvd.nist.gov/vuln/detail/{self.cve_id}", - ) - severities.append(vs) - - base_metric_v2 = impact.get("baseMetricV2") or {} - if base_metric_v2: - cvss_v2 = base_metric_v2.get("cvssV2") or {} - vs = VulnerabilitySeverity( - system=severity_systems.CVSSV2, - value=str(cvss_v2.get("baseScore") or ""), - scoring_elements=str(cvss_v2.get("vectorString") or ""), - url=f"https://nvd.nist.gov/vuln/detail/{self.cve_id}", - ) - severities.append(vs) + metrics = get_item(self.cve_item, "cve", "metrics") or {} + url = f"https://nvd.nist.gov/vuln/detail/{self.cve_id}" + metric_configs = [ + ("cvssMetricV40", severity_systems.CVSSV4), + ("cvssMetricV31", severity_systems.CVSSV31), + ("cvssMetricV30", severity_systems.CVSSV3), + ("cvssMetricV2", severity_systems.CVSSV2), + ] + for key, default_system in metric_configs: + items = metrics.get(key) or [] + + for item in items: + cvss_data = item.get("cvssData") or {} + system = default_system + if key == "cvssMetricV31" and cvss_data.get("version") != "3.1": + system = 
severity_systems.CVSSV3 + + severities.append( + VulnerabilitySeverity( + system=system, + value=str(cvss_data.get("baseScore") or ""), + scoring_elements=str(cvss_data.get("vectorString") or ""), + url=url, + ) + ) return severities @property diff --git a/vulnerabilities/tests/pipelines/test_nvd_importer_pipeline.py b/vulnerabilities/tests/pipelines/test_nvd_importer_pipeline.py index b97527327..15ecb462b 100644 --- a/vulnerabilities/tests/pipelines/test_nvd_importer_pipeline.py +++ b/vulnerabilities/tests/pipelines/test_nvd_importer_pipeline.py @@ -10,7 +10,11 @@ import json from pathlib import Path +from vulnerabilities.importer import VulnerabilitySeverity from vulnerabilities.pipelines import nvd_importer +from vulnerabilities.severity_systems import Cvssv2ScoringSystem +from vulnerabilities.severity_systems import Cvssv3ScoringSystem +from vulnerabilities.severity_systems import Cvssv4ScoringSystem from vulnerabilities.tests.util_tests import VULNERABLECODE_REGEN_TEST_FIXTURES as REGEN TEST_DATA = Path(__file__).parent.parent / "test_data" / "nvd" 
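Review bot: `str(cvss_data.get("baseScore") or "")` turns a legitimate base score of `0.0` into an empty string because `0.0` is falsy, and an element with a missing or empty `cvssData` still produces a `VulnerabilitySeverity` whose `value` and `scoring_elements` are both empty. Test against `None` and skip elements that carry no data: `if not cvss_data: continue`, then `score = cvss_data.get("baseScore")` and `value="" if score is None else str(score)`. The v1 hunk in `pipelines/nvd_importer.py` contains the same lines. The head of `severities` lies outside this hunk.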
@@ -95,28 +99,139 @@ def get_test_cve_item(): }, ], "metrics": { + "cvssMetricV40": [ + { + "source": "cna@vuldb.com", + "type": "Secondary", + "cvssData": { + "version": "4.0", + "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "attackRequirements": "NONE", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "vulnConfidentialityImpact": "LOW", + "vulnIntegrityImpact": "LOW", + "vulnAvailabilityImpact": "LOW", + "subConfidentialityImpact": "NONE", + "subIntegrityImpact": "NONE", + "subAvailabilityImpact": "NONE", + "exploitMaturity": "NOT_DEFINED", + "confidentialityRequirement": "NOT_DEFINED", + "integrityRequirement": "NOT_DEFINED", + "availabilityRequirement": "NOT_DEFINED", + "modifiedAttackVector": "NOT_DEFINED", + "modifiedAttackComplexity": "NOT_DEFINED", + "modifiedAttackRequirements": "NOT_DEFINED", + "modifiedPrivilegesRequired": "NOT_DEFINED", + "modifiedUserInteraction": "NOT_DEFINED", + "modifiedVulnConfidentialityImpact": "NOT_DEFINED", + "modifiedVulnIntegrityImpact": "NOT_DEFINED", + "modifiedVulnAvailabilityImpact": "NOT_DEFINED", + "modifiedSubConfidentialityImpact": "NOT_DEFINED", + "modifiedSubIntegrityImpact": "NOT_DEFINED", + "modifiedSubAvailabilityImpact": "NOT_DEFINED", + "Safety": "NOT_DEFINED", + "Automatable": "NOT_DEFINED", + "Recovery": "NOT_DEFINED", + "valueDensity": "NOT_DEFINED", + "vulnerabilityResponseEffort": "NOT_DEFINED", + "providerUrgency": "NOT_DEFINED", + }, + } + ], "cvssMetricV31": [ { - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "source": "cna@vuldb.com", "type": "Secondary", "cvssData": { "version": "3.1", - "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "baseScore": 9.8, - "baseSeverity": "CRITICAL", + "vectorString": 
"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + "baseScore": 3.5, + "baseSeverity": "LOW", + "attackVector": "ADJACENT_NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "LOW", + }, + "exploitabilityScore": 2.1, + "impactScore": 1.4, + }, + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.1", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "baseScore": 7.5, + "baseSeverity": "HIGH", + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "HIGH", + }, + "exploitabilityScore": 3.9, + "impactScore": 3.6, + }, + ], + "cvssMetricV30": [ + { + "source": "nvd@nist.gov", + "type": "Primary", + "cvssData": { + "version": "3.0", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "baseScore": 7.5, + "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", "availabilityImpact": "HIGH", }, "exploitabilityScore": 3.9, - "impactScore": 5.9, + "impactScore": 3.6, } - ] + ], + "cvssMetricV2": [ + { + "source": "cna@vuldb.com", + "type": "Secondary", + "cvssData": { + "version": "2.0", + "vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P", + "baseScore": 2.7, + "accessVector": "ADJACENT_NETWORK", + "accessComplexity": "LOW", + "authentication": "SINGLE", + "confidentialityImpact": "NONE", + "integrityImpact": "NONE", + "availabilityImpact": "PARTIAL", + }, + "baseSeverity": "LOW", + "exploitabilityScore": 5.1, + "impactScore": 2.9, + "acInsufInfo": False, + 
"obtainAllPrivilege": False, + "obtainUserPrivilege": False, + "obtainOtherPrivilege": False, + "userInteractionRequired": False, + } + ], }, "weaknesses": [ { 
@@ -381,6 +496,74 @@ def get_test_cve_item(): } +def test_CveItem_severities(): + expected_severities = [ + VulnerabilitySeverity( + system=Cvssv4ScoringSystem( + identifier="cvssv4", + name="CVSSv4 Base Score", + url="https://www.first.org/cvss/v4-0/", + notes="CVSSv4 base score and " "vector", + ), + value="5.3", + scoring_elements="CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", + published_at=None, + url="https://nvd.nist.gov/vuln/detail/CVE-2025-45988", + ), + VulnerabilitySeverity( + system=Cvssv3ScoringSystem( + identifier="cvssv3.1", + name="CVSSv3.1 Base Score", + url="https://www.first.org/cvss/v3-1/", + notes="CVSSv3.1 base score and vector", + ), + value="3.5", + scoring_elements="CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", + published_at=None, + url="https://nvd.nist.gov/vuln/detail/CVE-2025-45988", + ), + VulnerabilitySeverity( + system=Cvssv3ScoringSystem( + identifier="cvssv3.1", + name="CVSSv3.1 Base Score", + url="https://www.first.org/cvss/v3-1/", + notes="CVSSv3.1 base score and vector", + ), + value="7.5", + scoring_elements="CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + published_at=None, + url="https://nvd.nist.gov/vuln/detail/CVE-2025-45988", + ), + VulnerabilitySeverity( + system=Cvssv3ScoringSystem( + identifier="cvssv3", + name="CVSSv3 Base Score", + url="https://www.first.org/cvss/v3-0/", + notes="CVSSv3 base score and " "vector", + ), + value="7.5", + scoring_elements="CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + published_at=None, + url="https://nvd.nist.gov/vuln/detail/CVE-2025-45988", + ), + VulnerabilitySeverity( + system=Cvssv2ScoringSystem( + identifier="cvssv2", + name="CVSSv2 Base Score", + url="https://www.first.org/cvss/v2/", + notes="CVSSv2 base score and vector", + ), + value="2.7", + scoring_elements="AV:A/AC:L/Au:S/C:N/I:N/A:P", + published_at=None, + 
url="https://nvd.nist.gov/vuln/detail/CVE-2025-45988", + ), + ] + + found_severities = nvd_importer.CveItem(cve_item=get_test_cve_item()).severities + assert found_severities == expected_severities + + def test_CveItem_cpes(): expected_cpes = [ "cpe:2.3:o:b-link:bl-wr9000_firmware:2.4.9:*:*:*:*:*:*:*", diff --git a/vulnerabilities/tests/test_data/nvd/nvd-expected.json b/vulnerabilities/tests/test_data/nvd/nvd-expected.json index 10d33ee92..26c714af8 100644 --- a/vulnerabilities/tests/test_data/nvd/nvd-expected.json +++ b/vulnerabilities/tests/test_data/nvd/nvd-expected.json @@ -22,7 +22,13 @@ "reference_id": "CVE-2005-4895", "reference_type": "", "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-4895", - "severities": [] + "severities": [ + { + "system": "cvssv2", + "value": "5.0", + "scoring_elements": "AV:N/AC:L/Au:N/C:N/I:N/A:P" + } + ] }, { "reference_id": "cpe:2.3:a:csilvers:gperftools:*:*:*:*:*:*:*:*", @@ -126,7 +132,18 @@ "reference_id": "CVE-2005-4900", "reference_type": "", "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-4900", - "severities": [] + "severities": [ + { + "system": "cvssv2", + "value": "4.3", + "scoring_elements": "AV:N/AC:M/Au:N/C:P/I:N/A:N" + }, + { + "system": "cvssv3", + "value": "5.9", + "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ] }, { "reference_id": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", @@ -242,7 +259,13 @@ "reference_id": "CVE-2003-0001", "reference_type": "", "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0001", - "severities": [] + "severities": [ + { + "system": "cvssv2", + "value": "5.0", + "scoring_elements": "AV:N/AC:L/Au:N/C:P/I:N/A:N" + } + ] }, { "reference_id": "cpe:2.3:o:freebsd:freebsd:4.2:*:*:*:*:*:*:*",
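Review bot: `test_CveItem_severities` exercises only the path where every metric list is populated and each `cvssData.version` matches its key, so the `cvssMetricV31` fallback to `CVSSV3`, an empty `metrics` object and an element without `cvssData` are never checked. It also builds the expected systems by hand (`Cvssv4ScoringSystem(identifier="cvssv4", ...)`, with `notes="CVSSv4 base score and " "vector"` split into two literals) instead of referring to `severity_systems.CVSSV4` and its siblings, so the test will fail on any wording change to those definitions rather than on a regression in the importer. The diffstat for this patch lists a single test file, which imports `vulnerabilities.pipelines.nvd_importer`, so the copy of the property in the v2 importer appears to be untested here. Adding a case whose fixture has `"metrics": {}` and asserting `severities == []` would pin the empty path.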