Re: CVE and CPE synchronization

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Re: CVE and CPE synchronization

Brant Cheikes



This is a known issue.  NIST’s NVD is populated by a team of analysts who review incoming CVEs from MITRE and attempt to link those CVEs authoritatively to the affected CPEs.  This process causes new CPEs to be generated by the NVD analysts and submitted for inclusion in the CPE Dictionary—but the pipe is filled far faster than the CPE review team is able to drain it (i.e., vet the CPEs and enter them into the official dictionary).  This results in a situation in which some CVEs in the NVD refer to CPEs that aren’t yet in the dictionary; rather, they’re submitted and under review.  NIST is aware and working to improve synchronization between the two data feeds.




Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352


From: Miller, Ryan D.
Sent: Thursday, September 01, 2011 12:45 PM
Subject: CVE and CPE synchronization


Hello CPE/CVE expert(s),


Our project is working to integrate with the CVE list to provide a user of a prototype we’re building a sort of “security scorecard” based in part on the products on a system.  We ran across the situation below, which is (we think) essentially that CVEs are listed against a correctly formed CPE tag, but one which is not registered in the “official” CPE listing.  


Can CVE’s be written against unregistered--but correctly formatted—CPEs, or perhaps this is just an issue with the lists not always keeping in sync?


Thank you in advance for your help,



From: Clapis, Joe
Sent: Thursday, September 01, 2011 12:27 PM
Subject: CVE


We discovered an interesting… issue with CVEs today.


Observe a vulnerability for rails. Scroll about 75% of the way down and you’ll see lots of cpe tags for this vulnerability, for example:




However, when you go here and search for rails, it’s empty:




Upon further examination, it turns out that the CPE they referenced isn’t in the database. They were both updated recently, not sure what’s going on but it looks like CPE and CVE might be out of sync.


-- Joe

smime.p7s (4K) Download Attachment