NVD – Data Feeds

NVD Data Feeds

NOTICE


It is assumed that users of the data feeds provided on this page have a moderate level of understanding of the XML and/or JSON standard and XML or JSON related technologies as defined by www.w3.org. Currently, the NVD provides no other specific tools or services for processing vulnerability data.

The entire NVD database can be downloaded from this web page for public use. All NIST publications are available in the public domain according to Title 17 of the United States Code, however acknowledgement of the NVD when using our information is always appreciated.

The following feeds are available:
How to keep up-to-date with the NVD data

The main vulnerability feeds provide CVE® data organized by the first four digits of a CVE® identifier except for the 2002 feeds which include vulnerabilities prior to and including “CVE-2002-“.  Each feed is updated only if the content of that feed has changed. For example the 2004 feeds will be updated only if there is an addition or modification to any vulnerability with a starting CVE® identifier of “CVE-2004-“. In addition, the “recent” feeds are a list of recently published vulnerabilities and the “modified” feeds are a list of recently published and modified vulnerabilities where “recently” and “modified” are defined as the previous eight days. These feeds are updated approximately every two hours.

If you are locally mirroring the NVD data, the data feeds should be used to stay synchronized. After performing a one-time import of the complete data set using the compressed XML/JSON vulnerability feeds, the “modified” feeds should be used to keep up-to-date. The META file should be used to determine if a given feed has been updated since your last import. This helps prevent unnecessary downloads of the .zip or .gz files and should result in a reasonable use of less than 200 requests per day.

META Files

In addition, each of the data feeds is described by an associated plain text file with the same name as the .xml file with a .meta extension. These files are updated approximately every two hours to reflect changes within their respective feed file. For example, if the name of the file is nvdcve-2.0-Modified.xml then the .meta file name will be nvdcve-2.0-Modified.meta. The .meta file contains information about the specific feed including the last modified date and time, the size of the file uncompressed, and a SHA256 value of the uncompressed file:

lastModifiedDate:2015-09-10T08:40:09-04:00
size:1273382
zipSize:91619
gzSize:91477
sha256:ac782e2db403e2b09ad5dd676501e8755fda3f2bef347b7503491700c6c5eaff

JSON Feeds

NVD is now offering a vulnerability data feed using the JSON format. This data feed includes both previously offered and new NVD data points. Changes made throughout the BETA phase are visible by viewing the changelog .

Feed Updated Download Size (MB)
CVE-Modified 10/30/2020; 12:01:33 PM -0400 META
GZ 0.33 MB
ZIP 0.33 MB
CVE-Recent 10/30/2020; 12:00:14 PM -0400 META
GZ 0.07 MB
ZIP 0.07 MB
CVE-2020 10/30/2020; 3:12:38 AM -0400 META
GZ 2.75 MB
ZIP 2.75 MB
CVE-2019 10/30/2020; 3:33:29 AM -0400 META
GZ 3.95 MB
ZIP 3.95 MB
CVE-2018 10/30/2020; 3:48:37 AM -0400 META
GZ 3.66 MB
ZIP 3.66 MB
CVE-2017 10/30/2020; 4:01:18 AM -0400 META
GZ 3.37 MB
ZIP 3.37 MB
CVE-2016 10/30/2020; 4:08:31 AM -0400 META
GZ 2.42 MB
ZIP 2.42 MB
CVE-2015 10/30/2020; 4:13:24 AM -0400 META
GZ 2.00 MB
ZIP 2.00 MB
CVE-2014 10/28/2020; 4:08:33 AM -0400 META
GZ 2.14 MB
ZIP 2.14 MB
CVE-2013 10/30/2020; 4:16:24 AM -0400 META
GZ 2.11 MB
ZIP 2.11 MB
CVE-2012 10/27/2020; 4:15:48 AM -0400 META
GZ 1.81 MB
ZIP 1.81 MB
CVE-2011 10/06/2020; 4:16:28 AM -0400 META
GZ 1.57 MB
ZIP 1.57 MB
CVE-2010 10/21/2020; 4:14:27 AM -0400 META
GZ 1.69 MB
ZIP 1.69 MB
CVE-2009 10/15/2020; 4:01:20 AM -0400 META
GZ 1.76 MB
ZIP 1.76 MB
CVE-2008 10/15/2020; 4:03:11 AM -0400 META
GZ 1.99 MB
ZIP 1.99 MB
CVE-2007 10/15/2020; 4:04:41 AM -0400 META
GZ 1.96 MB
ZIP 1.96 MB
CVE-2006 09/29/2020; 4:24:28 AM -0400 META
GZ 2.00 MB
ZIP 2.00 MB
CVE-2005 10/10/2020; 4:10:19 AM -0400 META
GZ 1.24 MB
ZIP 1.24 MB
CVE-2004 10/14/2020; 4:09:07 AM -0400 META
GZ 0.78 MB
ZIP 0.78 MB
CVE-2003 10/15/2020; 4:05:02 AM -0400 META
GZ 0.39 MB
ZIP 0.39 MB
CVE-2002 10/20/2020; 4:12:47 AM -0400 META
GZ 1.35 MB
ZIP 1.35 MB

XML Vulnerability Feeds

CPE Match Feed

This data feed provides a list of all CVE applicability statement match criteria (CPE match strings and CPE match ranges) and the CPE URIs from the official CPE dictionary that match. If a CPE URI expected to match a given criteria is missing, please contact cpe_dictionary@nist.gov as those CPEs may need approved to the official CPE dictionary. This feed is updated on a daily basis.

Feed Updated Download Size (MB)
CPE-Match 10/30/2020; 12:29:39 AM -0400 META
GZ 15.34 MB
ZIP 15.34 MB

NVD provides two RSS 1.0 data feeds. The first feed, nvd-rss.xml ( zip or gz ), provides information on all vulnerabilities within the previous eight days. The second feed, nvd-rss-analyzed.xml ( zip or gz ), provides only vulnerabilities which have been analyzed within the previous eight days. The advantage of the second feed is that we are able to provide vulnerable product names in the title. The advantage of the former is that you learn about new vulnerabilities as soon as possible.

NVD provides a service whereby software development organizations can submit “Official Vendor Comments” on the set of CVE vulnerabilities that apply to their products. Organizations can submit comments by contacting NVD staff at nvd@nist.gov . More information is provided on the vendor comment page.

All of the vendors comments can be downloaded from the following XML feed which is updated every 2 hours:

Feed Updated Download Size (MB)
Vendor Comments 10/30/2020; 12:45:06 AM -0400 META
GZ 0.07 MB
ZIP 0.07 MB

NVD/CVE Translated XML Feed (version 1.0)

NVD provides an XML feed for translations of CVE vulnerabilities into other languages.

Currently, INCIBE (Spanish National Cybersecurity Institute) is translating vulnerabilities into Spanish. INCIBE is solely responsible for the Spanish translation content. Incibe Logo

Feed Updated Download Size (MB)
CVE-Modified 10/30/2020; 12:40:03 AM -0400 META
GZ 0.05 MB
ZIP 0.05 MB
CVE-2020 10/30/2020; 12:36:05 AM -0400 META
GZ 1.09 MB
ZIP 1.09 MB
CVE-2019 10/30/2020; 12:37:32 AM -0400 META
GZ 1.41 MB
ZIP 1.41 MB
CVE-2018 10/30/2020; 12:39:04 AM -0400 META
GZ 1.31 MB
ZIP 1.31 MB
CVE-2017 10/30/2020; 12:40:34 AM -0400 META
GZ 1.25 MB
ZIP 1.25 MB
CVE-2016 10/30/2020; 12:41:28 AM -0400 META
GZ 0.72 MB
ZIP 0.72 MB
CVE-2015 10/30/2020; 12:42:13 AM -0400 META
GZ 0.63 MB
ZIP 0.63 MB
CVE-2014 10/30/2020; 12:43:00 AM -0400 META
GZ 0.65 MB
ZIP 0.65 MB
CVE-2013 10/30/2020; 12:43:36 AM -0400 META
GZ 0.54 MB
ZIP 0.54 MB
CVE-2012 10/30/2020; 12:44:08 AM -0400 META
GZ 0.47 MB
ZIP 0.47 MB
CVE-2011 10/30/2020; 12:44:35 AM -0400 META
GZ 0.41 MB
ZIP 0.41 MB
CVE-2010 10/30/2020; 12:45:03 AM -0400 META
GZ 0.45 MB
ZIP 0.45 MB
CVE-2009 10/30/2020; 12:45:29 AM -0400 META
GZ 0.48 MB
ZIP 0.48 MB
CVE-2008 10/30/2020; 12:46:06 AM -0400 META
GZ 0.64 MB
ZIP 0.64 MB
CVE-2007 10/30/2020; 12:46:49 AM -0400 META
GZ 0.63 MB
ZIP 0.63 MB
CVE-2006 10/30/2020; 12:47:14 AM -0400 META
GZ 0.39 MB
ZIP 0.39 MB
CVE-2005 10/30/2020; 12:47:18 AM -0400 META
GZ 0.04 MB
ZIP 0.04 MB
CVE-2004 10/30/2020; 12:47:23 AM -0400 META
GZ 0.06 MB
ZIP 0.06 MB
CVE-2003 10/30/2020; 12:47:29 AM -0400 META
GZ 0.07 MB
ZIP 0.07 MB
CVE-2002 10/30/2020; 12:47:35 AM -0400 META
GZ 0.07 MB
ZIP 0.07 MB

National Checklist Program (NCP) Checklists

Note: As of April 2017, the checklist schema was revised to make the SHA-1 element optional in accordance with NISTSP-131Ar1 .
Note: As of July 2017, tier has been made optional to support changes in the current draft of 800-70 Rev 4 .

checklist-0.1-feed.xml includes all checklists contained within the NCP repository. checklist-0.1-feed-modified.xml includes all recently modified checklists within the NCP repository.

Feed Updated Download Size (MB)
NCP-Complete 10/30/2020; 12:01:05 AM -0400 META
GZ 0.61 MB
ZIP 0.61 MB
NCP-Modified 10/30/2020; 12:01:08 AM -0400 META
GZ 0.05 MB
ZIP 0.05 MB

Election (in)security: What you may have missed

As Election Day draws near, here’s a snapshot of how this election cycle is faring in the hands of the would-be digitally meddlesome

We’ve been talking about election security for months now. With the current pre-election fever pitch in the U.S., there almost couldn’t be a stronger focus on getting it right; indeed, it could only be matched closely by the magnitude of interest from shady actors trying to make sure it doesn’t.

Officials are pulling out all the stops to deter threats, including via a Fed-sponsored $10 million bounty for information about individuals aiding election interference. That hefty amount hasn’t stopped hacking attempts, including from aspiring hackers. From accidents to low-level stunts, like changing the home address of the Florida Governor, to a tad more sophisticated attempts, here’s the current summary of how this election cycle is faring in the hands of the would-be digitally meddlesome.

First off, two tales that hit rather close to home, giving this all a touch of personal experience:

  • On October 16th, less than 24 hours after submitting his ballot, ESET researcher Aryeh Goretsky received a scam text message from a non-existent company, Public Opinion Research, from a phone number that showed up as (855) 550-0317 using spoofed Caller ID. The domain mentioned in the message, ballotverify[.]net, was registered anonymously on the previous day, Thursday, October 15th, according to DomainTools. The web site is hosted at 52.72.49.79 along with over 32,000 others by Rebrandly, a link redirection service. The domain redirects to thevotersurvey[.]com, which was registered a year ago and is hosted on AWS infrastructure at 63.234.29.71 along with ten other domains, most of which contain words like “survey” or “study” in the domain name. This may be an attempt to impersonate ballottrax[.]net, a legitimate website used by county governments to confirm ballot receipt.

  • My friend has received a mail-in ballot for her husband, who’s (sadly) been dead for three years now due to an illness. So there are still issues with mail-in ballots. During the last election cycle, I got two ballots in the mail in my name. I notified local election officials.
  • In early October, a ransomware attack disrupted an election administration system in Hall County, Georgia. The attack took out the county’s online precinct map and a database that the county uses for verifying voter signatures on absentee ballots. As has been quite common recently, the extortionists also stole some documents before dumping a sample of them online in a bid to coerce the victim into paying up.
  • In mid-October, an accidentally severed internet cable in Virginia took down the state’s website for online voter registration on what happened to be the last day for voters to register before Election Day. Everything was later back up and running, though, and the deadline was extended.
  • At around the same time, the government of Chenango County, New York, suffered a ransomware attack that hit around one-half of its 400 computers, including those used by the board of elections. The incident caused potential issues with the processing of absentee ballot applications, but state officials gave assurances that voting shouldn’t be affected overall.
  • Just days ago, a Florida man altered the home address of the Sunshine State’s governor Ron DeSantis in the voter registration database, preventing the governor from voting. The problem was fixed in short order and the perpetrator was charged with felony voter fraud.
  • Also this week, it was reported that local election officials in several states have apparently been targeted by a wave of suspicious emails, at least some of which impersonated state elections directors and attempted to send the recipients to phishing sites.
  • The FBI and CISA recently warned of campaigns that chain vulnerabilities in Windows and Virtual Private Network (VPN) services to target various government agencies, critical infrastructure and election organizations, including apparently to gain unauthorized access to elections support systems.

Indeed, the same two agencies recently put out another warning – that in order to “manipulate public opinion, sow discord, discredit the electoral process, and undermine confidence in U.S. democratic institutions”, threat actors will attempt to spread false information around hacked voter information.

This implies orchestrated efforts that often rely on social media bots acting as deliberate and serial purveyors of deception, spewing false narratives in coordinated fashion. Misleading claims can also gain traction in other ways; rumors – think the one about thousands of mail-in ballots allegedly discarded in a dumpster – can also spread like wildfires and ultimately undermine trust in the democratic process.

No matter what, next week a large chunk of the electorate will be celebrating, matched by a similarly-sized group working on a strong hangover. While we don’t have a specific recommendation for the latter, we hope this is just the start of teeing up serious and meaningful steps toward truly secure election cycles to come.

Stay tuned – chances are we haven’t seen the last of election shenanigans…

CVE-2020-7759

The package pimcore/pimcore from 6.7.2 and before 6.8.3 are vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically-crafted input in the relationIds parameter as demonstrated by the following request: http://vulnerable.pimcore.example/admin/classificationstore/relations?relationIds=[{"keyId"%3a"”","groupId"%3a"’asd’))+or+1%3d1+union+(select+1,2,3,4,5,6,name,8,password,”,11,12,”,14+from+users)+–+"}]

CVE-2020-7760

This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2.
The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/*.*?*/)*

5 scary data breaches that shook the world

Just in time for Halloween, we look at the haunting reality of data breaches and highlight five tales that spooked not only the cyber-world

Halloween, the scariest day of the year, is upon us! However, traditional observations of the popular holiday may be hindered by the pandemic raging outside. Instead of children roaming the streets sporting scary costumes trick-or-treating or adults attending costume parties, All Hallows’ Eve will have to be celebrated in other ways. Most of us will probably be bundled up in blankets in the comfort of our homes with mugs of pumpkin-flavored hot drinks watching eerie and horrifying stories, or better yet, telling them.

The cyber-world has many a scary story of its own as well. Unfortunately, contrary to those told on Halloween, these stories are very real.

Equifax

In 2017, Equifax, one of the largest credit reporting agencies in the United States, was the victim of an astounding data breach. The breach that lasted for approximately 78 days was caused by a vulnerability in the Apache Struts web application framework, for which a patch had been issued but that Equifax had failed to apply in time. The threat actors behind the incident were able to siphon the personal data of nearly 148 million Americans, 15.2 million Brits, and almost 19,000 Canadians. The data trove included a wide range of Personally Identifiable Information (PII) including social security numbers, birth dates, and addresses … all of which could be used to conduct identity fraud. As for the monetary damage incurred by Equifax, the company estimates that the current tally is about US$1.7 billion in costs emanating from the cybersecurity incident.

Marriott

In 2018, Marriott International, one of the largest hotel chains in the world, suffered a major data breach involving its reservations database. Marriot initially estimated that as many as 500 million of its customers might have been affected by the cyber-incident, but then went on to amend its estimate to 383 million. The guest information compromised in the incident included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. In some cases, the payment card numbers and their expiration dates were compromised as well. The compromised data could be used in a wide range of attacks, including phishing, social engineering attacks, credit card fraud, and identity fraud. So far, the company has incurred costs of around US$72 million for the breach, but US$71 million has been reimbursed by insurance. However, Marriott might still be looking at a hefty sum in penalties, since the UK data protection authority is looking to serve the hotel chain with a £99 million (US$123 million) fine.

eBay

As one of the world’s largest online marketplaces, most famous for its auction-style sales, eBay probably needs little in the way of introduction. In 2014, the company disclosed that it had been the victim of an attack in which as many as 145 million of its active users were affected. According to the company, the origin of the attack was traced back to the compromise of a small number of employee login credentials. The data compromised in the breach included customers’ PII, such as names, email and physical addresses, phone numbers, and dates of birth, as well as encrypted passwords, all of which could be used in various forms of cyberattacks and attempts to defraud potential victims.

Target

In 2013, Target, one of the largest retailers in the United States, suffered a major data breach that affected more than 41 million customer payment card accounts as well as the contact information of over 60 million customers. The cybercriminals behind the attack were able to access customer names, phone numbers, email addresses, credit and debit card numbers and expiration dates, and encrypted PINs and credit card verification codes. According to Target, the PIN codes were encrypted with the Triple Data Encryption Standard, which would make them difficult to crack. However, using the information gathered from the breach, the cybercriminals could commit credit card fraud and identity fraud. In the aftermath of the incident, Target offered credit monitoring services and settled a US$10 million class-action lawsuit in which it promised to pay up to US$10,000 to any customers who could prove they suffered losses due to the data breach. It also had to pay a multistate settlement of US$18.5 million.

Adult Friend Finder

In 2016 the adult dating and entertainment company FriendFinder Network was breached, exposing over 412 million user accounts. The enormous data breach included 339 million accounts from the AdultFriendFinder.com website as well as 15 million deleted accounts that hadn’t been eliminated from its databases. The data trove consisted of 20 years’ worth of records from the company’s largest websites and included usernames, email addresses, passwords, site membership data, browser information, IP address last used to log in, and even whether the user had paid for any items. It’s worth noting that the passwords, which had apparently been converted to all lowercase, were stored either in the clear or scrambled as a SHA-1 hash, which isn’t a sufficient security measure and most passwords were easily and quickly cracked. While people are more liberal in this day and age, they probably wouldn’t like to advertise their visits or activities on such websites with most probably keeping it secret. Unfortunately, the leaked data would allow black hats to easily target these individuals and use the data to ruin their reputations, blackmail them under the threat of revealing sensitive information they would like to keep hidden, or use the cracked passwords in further credential-stuffing attacks.

To be sure, these are just some of the scary stories the cyber-world has to offer. While they may be uncomfortable to read, these cyber-incidents should serve as cautionary tales for both consumers and companies – that cybersecurity should never be taken lightly.