National Vulnerability Database

{{Short description|American government data repository}}

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics. NVD supports the Information Security Automation Program (ISAP). NVD is managed by the U.S. government agency the National Institute of Standards and Technology (NIST).

On Friday, March 8, 2013, the database was taken offline after it was discovered that the system used to run multiple government sites had been compromised through a software vulnerability in Adobe ColdFusion.{{Cite web|url=https://www.theregister.co.uk/2013/03/14/adobe_coldfusion_vulns_compromise_us_malware_catalog/|title=Downed US vuln catalog infected for at least TWO MONTHS|last=Clark|first=Jack|date=14 March 2013|website=www.theregister.co.uk|language=en|access-date=2019-10-29}}[https://www.theregister.co.uk/2013/03/14/us_malware_catalogue_hacked/ "US national vulnerability database hacked."]

The vulnerabilities in the NVD originate from the Common Vulnerabilities and Exposures (CVE) list, maintained by MITRE. New vulnerabilities are assigned by MITRE and CVE Numbering Authorities and subsequently added to the NVD.{{cite web |author1=NIST |author1-link=National Institute of Standards and Technology |title=CVEs and the NVD Process |url=https://nvd.nist.gov/general/cve-process |website=nvd.nist.gov}}

CVE Enrichment

When vulnerabilities are added to the list of Common Vulnerabilities and Exposures (CVEs), the NVD assigns them a score using the Common Vulnerability Scoring System (CVSS).{{cite news |last1=Townsend |first1=Kevin |title=CVE and NVD – A Weak and Fractured Source of Vulnerability Truth |url=https://www.securityweek.com/cve-and-nvd-a-weak-and-fractured-source-of-vulnerability-truth/ |access-date=28 May 2025 |work=SecurityWeek |date=3 April 2024}}{{Cite journal |last1=Zhang |first1=Su |last2=Ou |first2=Xinming |last3=Caragea |first3=Doina |date=2015-12-31 |title=Predicting Cyber Risks through National Vulnerability Database |url=http://www.tandfonline.com/doi/full/10.1080/19393555.2015.1111961 |journal=Information Security Journal: A Global Perspective |language=en |volume=24 |issue=4–6 |pages=194–206 |doi=10.1080/19393555.2015.1111961 |s2cid=30587194 |issn=1939-3555|url-access=subscription }} This score is based on metrics such as access complexity and potential impact,{{cite web |url=http://nvd.nist.gov/cvsseq2.htm |title=NVD - CVSS v2 Equations |website=nvd.nist.gov |archive-url=https://web.archive.org/web/20131221044001/http://nvd.nist.gov/cvsseq2.htm |archive-date=2013-12-21 |url-status=dead }} allowing organizations to prioritize remediation efforts depending on the severity.

In June 2017, the threat intelligence firm Recorded Future revealed that the median lag between a CVE first being disclosed and its publication in the NVD is 7 days, and that 75% of vulnerabilities are published unofficially before reaching the NVD, giving attackers time to exploit the vulnerability.{{Cite web|url=https://www.darkreading.com/vulnerabilities---threats/75--of-vulns-shared-online-before-nvd-publication/d/d-id/1329066|title=75% of Vulns Shared Online Before NVD Publication|website=Dark Reading|date=7 June 2017 |language=en|access-date=2019-10-29}}

In August 2023, the NVD initially marked an integer overflow bug in old versions of cURL as a 9.8 out of 10 critical vulnerability. cURL lead developer Daniel Stenberg responded that this was not a security problem and that the bug had been patched nearly 4 years prior; he requested that the CVE be rejected and accused NVD of "scaremongering" and "grossly inflating the severity level of issues".{{cite web|last=Stenberg|first=Daniel|title=CVE-2020-19909 is everything that is wrong with CVEs|url=https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/|date=26 August 2023|website=Daniel Stenberg's Blog|access-date=2023-08-26}} MITRE disagreed with Stenberg and denied his request to reject the CVE, noting that "there is a valid weakness ... which can lead to a valid security impact."{{Cite web |title=curl - Bogus report filed by anonymous - CVE-2020-19909 |url=https://curl.se/docs/CVE-2020-19909.html |access-date=2023-08-31 |website=curl.se}}

In September 2023, the NVD rescored the issue as a 3.3 "low" vulnerability, stating that "it may (in theory) cause a denial of service" for attacked systems, but that this attack vector "is not especially plausible".{{Cite web |title=NVD - CVE-2020-19909 |url=https://nvd.nist.gov/vuln/detail/CVE-2020-19909 |access-date=2023-09-07 |website=nvd.nist.gov|archive-url=https://web.archive.org/web/20230905213507/https://nvd.nist.gov/vuln/detail/CVE-2020-19909|archive-date=2023-09-05}}

References

{{reflist|30em}}