Chapter 3. CVE

3.1. List all CVEs

Abstract

Lists all recent CVEs when no parameter is passed. The response is a convenience object that carries only a minimal set of attributes.

JSON

GET /cve.json

XML

GET /cve.xml

HTML

GET /cve

3.2. Parameters

| Name | Description | Example |
|------|-------------|---------|
| before | CVEs before the query date. [ISO 8601 is the expected format] | 2016-03-01 |
| after | CVEs after the query date. [ISO 8601 is the expected format] | 2016-02-01 |
| ids | CVEs for IDs, separated by commas | CVE-2017-8797,CVE-2014-0161 |
| bug | CVEs for Bugzilla IDs | 1326598,1084875 |
| advisory | CVEs for advisory | RHSA-2016:0614,RHSA-2016:0610 |
| severity | CVEs for severity | low,moderate,important |
| package | CVEs which affect the package | samba,thunderbird |
| product | CVEs which affect the product. The parameter supports Perl compatible regular expressions. | linux 7,openstack |
| cwe | CVEs with CWE | 295,300 |
| cvss_score | CVEs with CVSS score greater than or equal to this value | 7.0 |
| cvss3_score | CVEs with CVSSv3 score greater than or equal to this value | 7.0 |
| page | CVEs for page number | Default: 1 |
| per_page | Number of CVEs to return per page | Default: 1000 |
| created_days_ago | Index of CVE definitions created days ago | 10 |

By default, a search returns the first page of 1000 results, ordered by date. To change the page size, use the 'per_page' parameter, then iterate through the pages using the 'page' parameter.

Note

All the above query parameters can be used in combination with each other to retrieve the desired result.
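
The paging loop described above, as an added example that is not part of the original documentation: it checks filters against the documented parameter names, builds the `/cve.json` URL, and requests pages until a short page comes back. `BASE_URL`, the helper names, the assumption that the endpoint returns a JSON array, and the sample records (including their `CVE` field) are illustrative assumptions.

```python
import json
import re
import urllib.request
from datetime import date
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://api.example.invalid"  # placeholder: substitute your API root
DOCUMENTED = {"before", "after", "ids", "bug", "advisory", "severity", "package",
              "product", "cwe", "cvss_score", "cvss3_score", "created_days_ago"}
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

def build_url(page=1, per_page=1000, **filters):
    """Build a /cve.json query URL from the parameters documented above."""
    unknown = set(filters) - DOCUMENTED
    if unknown:  # catch typos such as 'serverity' before a request is sent
        raise ValueError(f"undocumented parameter(s): {sorted(unknown)}")
    for key in ("before", "after"):
        if key in filters:
            date.fromisoformat(filters[key])  # ValueError if not an ISO 8601 date
    for cve in filter(None, filters.get("ids", "").split(",")):
        if not CVE_ID.fullmatch(cve):
            raise ValueError(f"malformed CVE id: {cve!r}")
    query = {**filters, "page": page, "per_page": per_page}
    return f"{BASE_URL}/cve.json?{urlencode(query)}"

def iter_cves(fetch, per_page=1000, max_pages=50, **filters):
    """Yield results page by page; fetch(url) must return the decoded JSON list."""
    for page in range(1, max_pages + 1):
        batch = fetch(build_url(page=page, per_page=per_page, **filters))
        yield from batch
        if len(batch) < per_page:  # short page: nothing further to request
            return
    raise RuntimeError("max_pages reached; result set may be incomplete")

def http_fetch(url):
    """Network fetcher for real use (not exercised by the sample run below)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

# Constructed records standing in for a server; the field name "CVE" is assumed.
SAMPLE = [{"CVE": f"CVE-2016-{1000 + i}"} for i in range(5)]

def fake_fetch(url):
    q = parse_qs(urlparse(url).query)
    page, per = int(q["page"][0]), int(q["per_page"][0])
    return SAMPLE[(page - 1) * per: page * per]

if __name__ == "__main__":
    for rec in iter_cves(fake_fetch, per_page=2, after="2016-02-01", severity="important"):
        print(rec["CVE"])
```

Raising when `max_pages` is reached, rather than returning quietly, keeps a truncated result set from being mistaken for complete vulnerability coverage.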

3.3. Retrieve a CVE

Abstract

Retrieve full CVE details.

Path

GET /cve/<CVE>.json

Example: /cve/CVE-2016-3706.json

Returns a JSON representation of the CVE data for CVE-2016-3706.

3.4. CVE format

Abstract

Unlike CVRF or OVAL, the CVE representation is not a standard. The notes below describe which fields may exist and what they mean.

| Name | Description | Additional Information |
|------|-------------|------------------------|
| ThreatSeverity | The Severity of the flaw. | See this document for more information. |
| PublicDate | When the flaw became public. | ISO 8601 format. |
| Bugzilla | Id, URL, and Description of the bug in Red Hat’s Bugzilla. | |
| CVSS | CVSSv2 score and metrics. | The 'status' attribute may have a value of 'draft' or 'verified', indicating how far along the investigation of the flaw has progressed. See this document for more information. |
| CVSS3 | CVSSv3 score and metrics. | The 'status' attribute may have a value of 'draft' or 'verified', indicating how far along the investigation of the flaw has progressed. See this document for more information. |
| CWE | The CWE chain for this flaw. | See the mitre.org description and our list of possible CWE values. |
| Details | Details about the flaw, possibly from Red Hat or Mitre. | |
| Statement | A statement from Red Hat about the issue. | |
| References | Links to more information about the issue. | |
| Acknowledgements | People or organizations that are being recognized. | |
| Mitigation | A way to fix or reduce the problem without updated software. | |
| AffectedRelease | A released Erratum that fixes the flaw for a particular product. | Contains product name and CPE, and Erratum link, type, and release date. Optionally also includes "Package" information that describes the name and version of the src.rpm that fixes the issue (will not exist if multiple src.rpms are in the same Erratum). |
| PackageState | Information about a package / product where no fix has been released yet. | Contains product name and CPE, package (src.rpm) name, and fix state, which is one of ['Affected','Fix deferred','New','Not affected','Will not fix']. |
| UpstreamFix | The version of the upstream project that fixes the flaw. | |