Status Update, CVSS v4.0 and CISA ADP Support

nvd-news

Jul 2, 2024, 2:28:49 PM
to nvd-news

Status Update
NIST has made recent updates to improve functionality of the NVD. We are aware of availability issues with the NVD API Endpoints and are working to resolve them. If you are experiencing schema validation errors, please ensure that you or the tools you use have the latest schema files, which were recently updated. Stability should return once users make these updates and implement best practices to reduce unnecessary request volume.

---

NVD CVSS v4.0 Official Support

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. CVSS version 4.0 is the next generation of the Common Vulnerability Scoring System standard, released November 1, 2023. CVSS v4.0 provides increased granularity for Base metrics, a new Supplemental metric group, a different methodology for determining severity and more. For more information regarding CVSS v4.0 please visit https://www.first.org/cvss/v4.0/specification-document.

CVSS v4.0 information will be displayed throughout the NVD website: 

Vulnerability Detail Pages

The Metrics section of the Vulnerability detail pages will now contain CVSS v4.0 data when available. CVSS v4.0 data will be displayed in a similar fashion to CVSS v3.x and CVSS v2.0 and will be displayed if available through NVD enrichment or CVE Program related CNA and/or ADP contributions. 

CVSS v4.0 Calculator

A CVSS v4.0 Calculator (based on the one provided by the FIRST CVSS SIG) has been included on the website. While visually distinct from previous calculators, the same functionality exists when including CVE IDs or CVSS vector string parameters in the URL to the page (See Calculator Product Integration). 

Vulnerability Search Form

The advanced section of the vulnerability search page has been updated to allow searching by CVSS v4.0 criteria. 

Vulnerability Search Results

The search results will now include CVSS v4.0 badges when appropriate. 

For questions and concerns, please contact n...@nist.gov.

---

CISA Authorized Data Publisher (ADP) Support

As of July 3, 2024, the NVD will support inclusion of data from CISA’s Vulnrichment CVSS and CWE information.  

The Vulnrichment data will now be displayed on the vulnerability detail pages and attributed to the CISA-ADP (Authorized Data Publisher) source along with any relevant CVSS data contributed by NVD enrichment efforts or CNAs. 

This information can also be accessed using the NVD 2.0 APIs! The CVSS information can be located within the metrics object and the CWE information can be found within the weaknesses array.

No schema changes were necessary to support this update.   

Note:  The legacy data feed files will not contain the Vulnrichment information.

For questions and concerns, please contact n...@nist.gov.
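The following is an added example, not code from NIST or the NVD: it groups the CVSS entries in the metrics object and the CWE values in the weaknesses array by contributing source, so NVD, CNA and CISA-ADP data can be told apart. The sample response is constructed; the CVE ID and the `CISA-ADP-PLACEHOLDER` source identifier are placeholders, and `enrichment_by_source` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like an NVD 2.0 CVE API response. The CVE ID and
# the CISA-ADP source identifier are placeholders, not real values.
SAMPLE = json.loads("""
{"vulnerabilities": [{"cve": {
  "id": "CVE-0000-00000",
  "metrics": {
    "cvssMetricV40": [{"source": "nvd@nist.gov", "type": "Primary",
      "cvssData": {"version": "4.0", "baseScore": 9.3, "baseSeverity": "CRITICAL",
        "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}],
    "cvssMetricV31": [{"source": "CISA-ADP-PLACEHOLDER", "type": "Secondary",
      "cvssData": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]
  },
  "weaknesses": [
    {"source": "nvd@nist.gov", "type": "Primary",
     "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]},
    {"source": "CISA-ADP-PLACEHOLDER", "type": "Secondary",
     "description": [{"lang": "en", "value": "CWE-78"}]}
  ]}}]}
""")


def enrichment_by_source(response):
    """Return {cve_id: {source: {"cvss": [...], "cwe": [...]}}}."""
    out = {}
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        per_source = out.setdefault(cve["id"], {})
        # metrics holds one array per CVSS version (cvssMetricV40, cvssMetricV31, ...)
        for entries in cve.get("metrics", {}).values():
            for m in entries:
                data = m["cvssData"]
                slot = per_source.setdefault(m["source"], {"cvss": [], "cwe": []})
                # v2 entries carry baseSeverity beside cvssData, not inside it
                severity = data.get("baseSeverity") or m.get("baseSeverity")
                slot["cvss"].append((data["version"], data["baseScore"],
                                     severity, data["vectorString"]))
        for w in cve.get("weaknesses", []):
            slot = per_source.setdefault(w["source"], {"cvss": [], "cwe": []})
            slot["cwe"] += [d["value"] for d in w["description"] if d["lang"] == "en"]
    return out


if __name__ == "__main__":
    print(json.dumps(enrichment_by_source(SAMPLE), indent=2))
```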
