http://debianws.lexgopc.com/wiki143/index.php?action=history&feed=atom&title=National_Vulnerability_DatabaseNational Vulnerability Database - Revision history2026-06-10T01:13:59ZRevision history for this page on the wikiMediaWiki 1.43.1http://debianws.lexgopc.com/wiki143/index.php?title=National_Vulnerability_Database&diff=5643388&oldid=previmported>WikiCleanerBot: v2.05b - Bot T20 CW#61 - Fix errors for CW project (Reference before punctuation)2025-06-28T07:24:37Z<p>v2.05b - <a href="/wiki143/index.php?title=User:WikiCleanerBot&action=edit&redlink=1" class="new" title="User:WikiCleanerBot (page does not exist)">Bot T20 CW#61</a> - Fix errors for <a href="/wiki143/index.php?title=WP:WCW&action=edit&redlink=1" class="new" title="WP:WCW (page does not exist)">CW project</a> (Reference before punctuation)</p>
<p><b>New page</b></p><div>{{Short description|American government data repository}}<br />
The '''National Vulnerability Database''' ('''NVD''') is the U.S. government repository of standards-based vulnerability management data represented using the [[Security Content Automation Protocol]] (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. NVD supports the [[Information Security Automation Program]] (ISAP). NVD is managed by the U.S. government agency the [[National Institute of Standards and Technology]] (NIST).<br />
<br />
On Friday March 8, 2013, the database was taken offline after it was discovered that the system used to run multiple government sites had been compromised by a software vulnerability of [[Adobe ColdFusion]].<ref>{{Cite web|url=https://www.theregister.co.uk/2013/03/14/adobe_coldfusion_vulns_compromise_us_malware_catalog/|title=Downed US vuln catalog infected for at least TWO MONTHS|last=at 17:55|first=Jack Clark in San Francisco 14 Mar 2013|website=www.theregister.co.uk|language=en|access-date=2019-10-29}}</ref><ref>[https://www.theregister.co.uk/2013/03/14/us_malware_catalogue_hacked/ "US national vulnerability database hacked."]</ref><br />
<br />
The vulnerabilities in the NVD originate from the [[Common Vulnerabilities and Exposures]] (CVE) list, maintained by [[MITRE]]. New vulnerabilities are assigned by MITRE and CVE Numbering Authorities and subsequently added to the NVD.<ref>{{cite web |author1=NIST |author1-link=National Institute of Standards and Technology |title=CVEs and the NVD Process |url=https://nvd.nist.gov/general/cve-process |website=nvd.nist.gov}}</ref><br />
<br />
==CVE Enrichment==<br />
When vulnerabilities are added to the list of [[Common Vulnerabilities and Exposures]] (CVEs), the NVD assigns them a score using the [[Common Vulnerability Scoring System|Common Vulnerability Scoring System (CVSS)]].<ref name=":1">{{cite news |last1=Townsend |first1=Kevin |title=CVE and NVD – A Weak and Fractured Source of Vulnerability Truth |url=https://www.securityweek.com/cve-and-nvd-a-weak-and-fractured-source-of-vulnerability-truth/ |access-date=28 May 2025 |work=SecurityWeek |date=3 April 2024}}</ref><ref>{{Cite journal |last1=Zhang |first1=Su |last2=Ou |first2=Xinming |last3=Caragea |first3=Doina |date=2015-12-31 |title=Predicting Cyber Risks through National Vulnerability Database |url=http://www.tandfonline.com/doi/full/10.1080/19393555.2015.1111961 |journal=Information Security Journal: A Global Perspective |language=en |volume=24 |issue=4–6 |pages=194–206 |doi=10.1080/19393555.2015.1111961 |s2cid=30587194 |issn=1939-3555|url-access=subscription }}</ref> This score is based on metrics such as access complexity and potential impact,<ref>{{cite web |url=http://nvd.nist.gov/cvsseq2.htm |title=NVD - CVSS v2 Equations |website=nvd.nist.gov |archive-url=https://web.archive.org/web/20131221044001/http://nvd.nist.gov/cvsseq2.htm |archive-date=2013-12-21 |url-status=dead }}</ref> allowing organizations to prioritize remediation efforts depending on the severity.<ref name=":1" /><br />
<br />
In June 2017, threat intel firm [[Recorded Future]] revealed that the median lag between a CVE being revealed to ultimately being published to the NVD is 7 days and that 75% of vulnerabilities are published unofficially before making it to the NVD, giving attackers time to exploit the vulnerability.<ref>{{Cite web|url=https://www.darkreading.com/vulnerabilities---threats/75--of-vulns-shared-online-before-nvd-publication/d/d-id/1329066|title=75% of Vulns Shared Online Before NVD Publication|website=Dark Reading|date=7 June 2017 |language=en|access-date=2019-10-29}}</ref><br />
<br />
In August 2023, the NVD initially marked an integer overflow bug in old versions of [[cURL]] as a 9.8 out of 10 critical vulnerability. cURL lead developer [[Daniel Stenberg]] responded by saying this was not a security problem, the bug had been patched nearly 4 years prior, requested the CVE be rejected, and accused NVD of "scaremongering" and "grossly inflating the severity level of issues".<ref>{{cite web|last=Stenberg|first=Daniel|title=CVE-2020-19909 is everything that is wrong with CVEs|url=https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/|date=26 August 2023|website=Daniel Stenberg's Blog|access-date=2023-08-26}}</ref> MITRE disagreed with Stenberg and denied his request to reject the CVE, noting that "there is a valid weakness ... which can lead to a valid security impact."<ref>{{Cite web |title=curl - Bogus report filed by anonymous - CVE-2020-19909 |url=https://curl.se/docs/CVE-2020-19909.html |access-date=2023-08-31 |website=curl.se}}</ref><br />
In September 2023, the issue was rescored by the NVD as a 3.3 "low" vulnerability, stating that "it may (in theory) cause a denial of service" for attacked systems, but that this attack vector "is not especially plausible".<ref>{{Cite web |title=NVD - CVE-2020-19909 |url=https://nvd.nist.gov/vuln/detail/CVE-2020-19909 |access-date=2023-09-07 |website=nvd.nist.gov|archive-url=https://web.archive.org/web/20230905213507/https://nvd.nist.gov/vuln/detail/CVE-2020-19909|archive-date=2023-09-05}}</ref><br />
<br />
==See also==<br />
*[[Common Vulnerabilities and Exposures]]<br />
*[[Common Weakness Enumeration]]<br />
*[[European Union Vulnerability Database]]<br />
*[[Software composition analysis]]<br />
<br />
== References ==<br />
{{reflist|30em}}<br />
<br />
==External links==<br />
* {{Official website|https://nvd.nist.gov/}}<br />
*[https://csrc.nist.gov/projects/security-content-automation-protocol/ Security Content Automation Protocol (SCAP)]<br />
*[https://packetstormsecurity.com/ Packet Storm]<br />
*[https://www.exploit-db.com/ Exploit Database]<br />
* [https://vulners.com/ Security Content Database]<br />
<br />
[[Category:Government databases in the United States]]<br />
[[Category:Security vulnerability databases]]<br />
<br />
<br />
{{US-gov-stub}}</div>imported>WikiCleanerBot