CWE - Common Weakness Enumeration: Targeted to developers and security practitioners, the Common Weakness Enumeration (CWE) is a formal list of software weakness types created to:
a) Serve as a common language for describing software security weaknesses in architecture, design, or code.
b) Serve as a standard measuring stick for software security tools targeting these weaknesses.
c) Provide a common baseline standard for weakness identification, mitigation, and prevention efforts.
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of 3 groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10, and a Vector, a compressed textual representation that reflects the values used to derive the score. The Base group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability that change over time. The Environmental group represents the characteristics of a vulnerability that are unique to any user's environment. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to all benefit by adopting this common language of scoring IT vulnerabilities.
Affected Technologies and Products: The data on the technologies and products affected by a particular vulnerability is obtained by processing the CPE tag associated with that vulnerability. CPE is a structured naming scheme for information technology systems, software, and packages. Thus, from Data Source 1 we have obtained a table that contains the Vulnerability Unique Identifier (CVE-ID) along with its associated target technologies. The total number of entries in this table is 115116. The table follows a one-to-many relation, i.e. each CVE-ID can be associated with one or many technologies (this is because a given vulnerability can be used to exploit multiple technologies and platforms).
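The CPE processing described above can be sketched as follows. This is an added example, not code from the original page: it goes slightly beyond the text by accepting both CPE 2.2 URIs and CPE 2.3 formatted strings, and the function names, the feed layout and every CVE-ID, vendor and product in `SAMPLE_FEED` are constructed placeholders.

```python
import re
from urllib.parse import unquote

PARTS = {"a": "application", "o": "operating system", "h": "hardware"}

def parse_cpe(name):
    """Return (part, vendor, product, version) from a CPE 2.2 URI or 2.3 string."""
    if name.startswith("cpe:2.3:"):
        # Tokenise on ':' while keeping backslash-escaped characters inside a field.
        fields = re.findall(r"(?:\\.|[^:\\])+", name[len("cpe:2.3:"):])
        if len(fields) != 11:  # a 2.3 formatted string always carries 11 attributes
            raise ValueError(f"malformed CPE 2.3 name: {name!r}")
        fields = [re.sub(r"\\(.)", r"\1", f) for f in fields]
    elif name.startswith("cpe:/"):
        # 2.2 URIs percent-encode special characters and may omit trailing fields.
        fields = [unquote(f) for f in name[len("cpe:/"):].split(":")]
        fields += [""] * (4 - len(fields))
    else:
        raise ValueError(f"not a CPE name: {name!r}")
    part, vendor, product, version = fields[:4]
    if part not in PARTS or not vendor or not product:
        raise ValueError(f"unusable CPE name: {name!r}")
    return part, vendor, product, version or "*"

def build_table(feed):
    """Flatten {cve_id: [cpe, ...]} into unique (cve_id, kind, vendor, product) rows.

    Versions of the same product collapse into one row; names that do not
    parse are returned separately so they can be reviewed instead of lost.
    """
    rows, rejected = set(), []
    for cve_id, names in feed.items():
        for name in names:
            try:
                part, vendor, product, _ = parse_cpe(name)
            except ValueError:
                rejected.append((cve_id, name))
                continue
            rows.add((cve_id, PARTS[part], vendor, product))
    return sorted(rows), rejected

# Constructed sample input: placeholder CVE-IDs and made-up vendors/products.
SAMPLE_FEED = {
    "CVE-0000-0001": ["cpe:/a:examplevendor:webserver:2.4.1",
                      "cpe:/a:examplevendor:webserver:2.4.2",
                      "cpe:2.3:o:exampleos:exampleos:10.0:*:*:*:*:*:*:*"],
    "CVE-0000-0002": ["cpe:2.3:a:examplevendor:lib\\:core:1.0:*:*:*:*:*:*:*",
                      "cpe:/x:bad:entry"],
}

if __name__ == "__main__":
    table, rejected = build_table(SAMPLE_FEED)
    for row in table:
        print(*row, sep=" | ")
    print("rejected:", rejected)
```
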