a mistake in software that can be directly used by a hacker to gain access to a system or network
Property | Type | Description | Required? |
---|---|---|---|
description | Markdown String | A description that provides more details and context about the Vulnerability,potentially including its purpose and its key characteristics. | ✓ |
id | String | Globally unique URI identifying this object. | ✓ |
schema_version | String | CTIM schema version for this entity | ✓ |
type | VulnerabilityTypeIdentifier String | The fixed value vulnerability | ✓ |
cve | CVE Object | ||
external_ids | String List | ||
external_references | ExternalReference Object List | Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. | |
impact | VulnerabilityImpact Object | ||
language | ShortString String | The human language this object is specified in. | |
last_modified_date | Inst (Date) | ||
published_date | Inst (Date) | ||
revision | Integer | A monotonically increasing revision, incremented each time the object is changed. | |
short_description | MedString String | A single line, short summary of the object. | |
source | MedString String | ||
source_uri | String | ||
timestamp | Inst (Date) | The time this object was created at, or last modified. | |
title | ShortString String | A short title for this object, used as primary display and reference value | |
tlp | TLP String | Specification for how, and to whom, this object can be shared. |
A description that provides more details and context about the Vulnerability,potentially including its purpose and its key characteristics.
This entry is required
Specifies a list of external references which refers to non-CTIM information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
Globally unique URI identifying this object.
This entry is required
https://www.domain.com/ctia/judgement/judgement-de305d54-75b4-431b-adb2-eb6b9e546014
for a Judgement. This ID type compares to the STIX id field. The optional STIX idref field is not used.The human language this object is specified in.
This entry is optional
This entry is optional
This entry is optional
A monotonically increasing revision, incremented each time the object is changed.
This entry is optional
CTIM schema version for this entity
This entry is required
A single line, short summary of the object.
This entry is optional
This entry is optional
This entry is optional
The time this object was created at, or last modified.
This entry is optional
A short title for this object, used as primary display and reference value
This entry is optional
Specification for how, and to whom, this object can be shared.
This entry is optional
The fixed value vulnerability
This entry is required
External references are used to describe pointers to information represented outside of CTIM. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material.
Property | Type | Description | Required? |
---|---|---|---|
source_name | MedString String | The source within which the external-reference is defined (system, registry, organization, etc.) | ✓ |
description | Markdown String | ||
external_id | String | An identifier for the external reference content. | |
hashes | String List | Specifies a dictionary of hashes for the contents of the url. | |
url | String | A URL reference to an external resource |
This entry is optional
An identifier for the external reference content.
Specifies a dictionary of hashes for the contents of the url.
The source within which the external-reference is defined (system, registry, organization, etc.)
This entry is required
A URL reference to an external resource
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
cve_data_meta | CVEDataMeta Object | ✓ |
Property | Type | Description | Required? |
---|---|---|---|
assigner | ShortString String | ||
id | ShortString String |
This entry is optional
This entry is optional
Property | Type | Description | Required? |
---|---|---|---|
cvss_v2 | CVSSv2 Object | ||
cvss_v3 | CVSSv3 Object |
Property | Type | Description | Required? |
---|---|---|---|
base_score | Number | ✓ | |
base_severity | CVSSv3Severity String | ✓ | |
vector_string | String | ✓ | |
attack_complexity | CVSSv3AttackComplexity String | describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability | |
attack_vector | CVSSv3AttackVector String | Reflects the context by which vulnerability exploitation is possible | |
availability_impact | CVSSv3AvailabilityImpact String | measures the impact to the availability of the impacted component resulting from a successfullyexploited vulnerability | |
availability_requirement | CVSSv3SecurityRequirements String | ||
confidentiality_impact | CVSSv3ConfidentialityImpact String | measures the impact to the confidentiality ofthe information resources managed by a software component due to a successfully exploited vulnerability | |
confidentiality_requirement | CVSSv3SecurityRequirements String | ||
environmental_score | Number | ||
environmental_severity | CVSSv3Severity String | ||
exploit_code_maturity | CVSSv3ExploitCodeMaturity String | measures the likelihood of the vulnerability being attacked | |
exploitability_score | Number | ||
impact_score | Number | ||
integrity_impact | CVSSv3IntegrityImpact String | measures the impact to integrity of a successfully exploited vulnerability | |
integrity_requirement | CVSSv3SecurityRequirements String | ||
modified_attack_complexity | CVSSv3ModifiedAttackComplexity String | modified attack complexity | |
modified_attack_vector | CVSSv3ModifiedAttackVector String | modified attack vector | |
modified_availability_impact | CVSSv3ModifiedAvailabilityImpact String | modified availability impact | |
modified_confidentiality_impact | CVSSv3ModifiedConfidentialityImpact String | modified confidentiality impact | |
modified_integrity_impact | CVSSv3ModifiedIntegrityImpact String | modified integrity impact | |
modified_privileges_required | CVSSv3ModifiedPrivilegesRequired String | modified privileges required | |
modified_scope | CVSSv3ModifiedScope String | modified scope | |
modified_user_interaction | CVSSv3ModifiedUserInteraction String | modified user interaction | |
privileges_required | CVSSv3PrivilegesRequired String | describes the level of privileges an attacker must possess before successfully exploiting the vulnerability | |
remediation_level | CVSSv3RemediationLevel String | Remediation Level of a vulnerability is an important factor for prioritization | |
report_confidence | CVSSv3ReportConfidence String | measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details | |
scope | CVSSv3Scope String | the ability for a vulnerability in one software component to impact resources beyond its means, or privileges | |
temporal_score | Number | Round up(CVSSv3BaseScore × CVSSv3ExploitCodeMaturity × CVSSv3RemediationLevel × CVSSv3ReportConfidence) | |
temporal_severity | Number | temporal severity | |
user_interaction | CVSSv3UserInteraction String | captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component |
describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability
This entry is optional
low
Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. high
A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may depend on an attacker overcoming any of the following conditions: - The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc. - The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques. The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack).Reflects the context by which vulnerability exploitation is possible
This entry is optional
network
A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed remotely exploitable
and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE 2004 0230).adjacent_network
A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11) or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE 2013 6014. local
A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file. physical
A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack) or persistent. An example of such an attack is a cold boot attack which allows an attacker to access to disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks.measures the impact to the availability of the impacted component resulting from a successfullyexploited vulnerability
This entry is optional
high
: There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). low
: There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time but overall there is no direct, serious consequence to the impacted component. none
: There is no impact to availability within the impacted component. This metric value increases with the consequence to the impacted component.This entry is optional
not_defined
: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high
: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium
: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low
: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).This entry is required
This entry is required
measures the impact to the confidentiality ofthe information resources managed by a software component due to a successfully exploited vulnerability
This entry is optional
high
: There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. low
: There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component. none
: There is no loss of confidentiality within the impacted component. This metric value increases with the degree of loss to the impacted component.This entry is optional
not_defined
: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high
: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium
: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low
: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).This entry is optional
This entry is optional
measures the likelihood of the vulnerability being attacked
This entry is optional
not_defined
: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. high
: Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools. functional
: Functional exploit code is available. The code works in most situations where the vulnerability exists. proof_of_concept
: Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker. unproven
: No exploit code is available, or an exploit is theoretical.This entry is optional
This entry is optional
measures the impact to integrity of a successfully exploited vulnerability
This entry is optional
high
: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. low
: Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.none
: There is no loss of integrity within the impacted component.this metric value increases with the consequence to the impacted component.This entry is optional
not_defined
: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. high
: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). medium
: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).low
: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default).modified attack complexity
This entry is optional
modified attack vector
This entry is optional
modified availability impact
This entry is optional
modified confidentiality impact
This entry is optional
modified integrity impact
This entry is optional
modified privileges required
This entry is optional
modified scope
This entry is optional
modified user interaction
This entry is optional
describes the level of privileges an attacker must possess before successfully exploiting the vulnerability
This entry is optional
none
: The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. low
: The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources. high
: The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.Remediation Level of a vulnerability is an important factor for prioritization
This entry is optional
not_defined
: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. unavailable
: There is either no solution available or it is impossible to apply. workaround
: There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability. temporary_fix
: There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.official_fix
: A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. The less official and permanent a fix, the higher the vulnerability score.measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details
This entry is optional
not_defined
: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. confirmed
: Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify theassertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability. reasonable
: Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this). An example is a detailed write-up of research into a vulnerability with an explanation (possibly obfuscated or 'left as an exercise to the reader') that gives assurances on how to reproduce the results. unknown
: There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described. An example is a bug report which notes that an intermittent but non-reproducible crash occurs, with evidence of memory corruption suggesting that denial of service, or possible more serious impacts, may result. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.the ability for a vulnerability in one software component to impact resources beyond its means, or privileges
This entry is optional
unchanged
: An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. changed
: An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different.Round up(CVSSv3BaseScore × CVSSv3ExploitCodeMaturity × CVSSv3RemediationLevel × CVSSv3ReportConfidence)
This entry is optional
temporal severity
This entry is optional
captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component
This entry is optional
none
: The vulnerable system can be exploited without interaction from any user. required
: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.This entry is required
Property | Type | Description | Required? |
---|---|---|---|
base_score | Number | ✓ | |
base_severity | HighMedLow String | ✓ | |
vector_string | String | ✓ | |
access_complexity | CVSSv2AccessComplexity String | ||
access_vector | CVSSv2AccessVector String | ||
authentication | CVSSv2Authentication String | ||
availability_impact | CVSSv2AvailabilityImpact String | ||
availability_requirement | CVSSv2SecurityRequirement String | ||
collateral_damage_potential | CVSSv2CollateralDamagePotential String | ||
confidentiality_impact | CVSSv2ConfidentialityImpact String | ||
confidentiality_requirement | CVSSv2SecurityRequirement String | ||
environmental_vector_string | String | ||
exploitability | CVSSv2Exploitability String | ||
exploitability_score | Number | ||
impact_score | Number | ||
integrity_impact | CVSSv2IntegrityImpact String | ||
integrity_requirement | CVSSv2SecurityRequirement String | ||
obtain_all_privilege | Boolean | ||
obtain_other_privilege | Boolean | ||
obtain_user_privilege | Boolean | ||
remediation_level | CVSSv2RemediationLevel String | ||
report_confidence | CVSSv2ReportConfidence String | ||
target_distribution | CVSSv2TargetDistribution String | ||
temporal_vector_string | String | ||
user_interaction_required | Boolean |
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is required
This entry is required
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is optional
This entry is required
Can you improve this documentation?Edit on GitHub
cljdoc is a website building & hosting documentation for Clojure/Script libraries
× close