The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. NVD supports the Information Security Automation Program (ISAP). NVD is managed by the U.S. government agency the National Institute of Standards and Technology (NIST).
On Friday March 8, 2013, the database was taken offline after it was discovered that the system used to run multiple government sites had been compromised by a software vulnerability of Adobe ColdFusion.[1][2]
In June 2017, threat intel firm Recorded Future revealed that the median lag between a CVE being revealed to ultimately being published to the NVD is 7 days and that 75% of vulnerabilities are published unofficially before making it to the NVD, giving attackers time to exploit the vulnerability.[3]
In addition to providing a list of Common Vulnerabilities and Exposures (CVEs), the NVD scores vulnerabilities using the Common Vulnerability Scoring System (CVSS)[4] which is based on a set of equations using metrics such as access complexity and availability of a remedy.[5]
In August 2023, the NVD initially marked an integer overflow bug in old versions of cURL as a 9.8 out of 10 critical vulnerability. cURL lead developer Daniel Stenberg responded by saying this was not a security problem, the bug had been patched nearly 4 years prior, requested the CVE be rejected, and accused NVD of "scaremongering" and "grossly inflating the severity level of issues".[6] MITRE disagreed with Stenberg and denied his request to reject the CVE, noting that "there is a valid weakness ... which can lead to a valid security impact."[7]
In September 2023, the issue was rescored by the NVD as a 3.3 "low" vulnerability, stating that "it may (in theory) cause a denial of service" for attacked systems, but that this attack vector "is not especially plausible".[8]
^at 17:55, Jack Clark in San Francisco 14 Mar 2013. "Downed US vuln catalog infected for at least TWO MONTHS". www.theregister.co.uk. Retrieved 2019-10-29.{{cite web}}: CS1 maint: numeric names: authors list (link)
^"US national vulnerability database hacked."
^"75% of Vulns Shared Online Before NVD Publication". Dark Reading. 7 June 2017. Retrieved 2019-10-29.
^Zhang, Su; Ou, Xinming; Caragea, Doina (2015-12-31). "Predicting Cyber Risks through National Vulnerability Database". Information Security Journal: A Global Perspective. 24 (4–6): 194–206. doi:10.1080/19393555.2015.1111961. ISSN 1939-3555. S2CID 30587194.
^"NVD - CVSS v2 Equations". nvd.nist.gov. Archived from the original on 2013-12-21.
^Stenberg, Daniel (26 August 2023). "CVE-2020-19909 is everything that is wrong with CVEs". Daniel Stenberg's Blog. Retrieved 2023-08-26.
The NationalVulnerabilityDatabase (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security...
about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potential impact on affected...
a vulnerability or potential vulnerability it helps to acquire a CVE number early on. CVE numbers may not appear in the MITRE or NVD CVE databases for...
a vulnerability, temporal metrics for characteristics that evolve over the lifetime of vulnerability, and environmental metrics for vulnerabilities that...
The approach of vulnerability in itself brings great expectations of social policy and gerontological planning. Types of vulnerability include social,...
Information Security Management Act, 2002) compliance. The NationalVulnerabilityDatabase (NVD) is the U.S. government content repository for SCAP. An...
(CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed...
similar exploit was found. Ping of death "NationalVulnerabilityDatabase (NVD) NationalVulnerabilityDatabase (CVE-1999-0153)". Web.nvd.nist.gov. Retrieved...
Japan Vulnerability Notes (JVN) is Japan's nationalvulnerabilitydatabase. It is maintained by the Japan Computer Emergency Response Team Coordination...
or reduced. Common Vulnerabilities and Exposures (CVE) Common Vulnerability Scoring System (CVSS) NationalVulnerabilityDatabase "CWE - About CWE". at...
content is either contained within, or referenced by, the NationalVulnerabilityDatabase. ISAP is being formalized through a trilateral memorandum of...
December 6, 2007. "CVE-2014-1244 Detail". NationalVulnerabilityDatabase. Gaithersburg, Maryland: National Institute of Standards and Technology. February...
or alters their NationalVulnerabilityDatabase (CNNVD) to coverup espionage activities. According to the analysis, "vulnerabilities commonly exploited...
bypassed by malicious actors. CVE-2022-41091 was added to the NationalVulnerabilityDatabase on November 8, 2022, and refers to the now patched ability...
on 1 April 2024. Retrieved 2 April 2024. "CVE-2024-3094". NationalVulnerabilityDatabase. NIST. Archived from the original on 2 April 2024. Retrieved...
FSTEC of Russia maintains the Data Security Threats Database, Russia's nationalvulnerabilitydatabase. and requires Western technology companies to submit...
2013-04-01. "NationalVulnerabilityDatabase (NVD) Search Vulnerabilities Statistics". Retrieved 2019-11-22. "PHP-related vulnerabilities on the National Vulnerability...
or genetic genealogy. DNA databases may be public or private, the largest ones being national DNA databases. DNA databases are often employed in forensic...
security-related updates. Common vulnerabilities are assigned CVE IDs and listed in the US NationalVulnerabilityDatabase. Secunia PSI is an example of...
the original on August 3, 2020. Retrieved October 2, 2020. "NationalVulnerabilityDatabase". Archived from the original on September 25, 2011. Retrieved...
Remote Code Execution and Denial of Service Vulnerability". tools.cisco.com. "CVE-2018-0101 - A vulnerability in the Secure Sockets Layer (SSL) VPN functionality...
Global Information