Characterizes an individual vulnerability.
In addition to capturing basic information and references to vulnerability registries, this type is intended to be extended to enable the structured description of a vulnerability by using the XML Schema extension feature. The STIX default extension uses the Common Vulnerability Reporting Format (CVRF) schema to do so. The extension that defines this is captured in the CVRF1.1InstanceType in the http://stix.mitre.org/extensions/Vulnerability#CVRF1.1-1 namespace. This type is defined in the extensions/vulnerability/cvrf_1.1_vulnerability.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/vulnerability/cvrf_1.1/1.2/cvrf_1.1_vulnerability.xsd.
Field Name | Type | Description |
---|---|---|
@is_known (optional) | boolean | The @is_known field captures whether or not the vulnerability is known (i.e. not a 0-day) at the time of characterization. |
@is_publicly_acknowledged (optional) | boolean | The @is_publicly_acknowledged field captures whether or not the vulnerability is publicly acknowledged by the vendor. |
Title (0..1) | string | The Title field provides a simple title for this vulnerability. |
Description (0..n) | StructuredTextType | The Description field provides an unstructured, text description of this vulnerability. |
Short_Description (0..n) | StructuredTextType | The Short_Description field provides a short, unstructured, text description of this vulnerability. |
CVE_ID (0..1) | CVE_IDInlineType | The CVE_ID field specifies a CVE identifier for a particular vulnerability. |
OSVDB_ID (0..1) | positiveInteger | The OSVDB_ID field specifies an OSVDB identifier for a particular vulnerability. |
Source (0..1) | string | The Source field describes the source of the CVE or OSVDB as a textual description or URL. |
CVSS_Score (0..1) | CVSSVectorType | The CVSS_Score field captures the full CVSS v2.0 base, temporal, and environmental vectors in their string format. |
Discovered_DateTime (0..1) | DateTimeWithPrecisionType | The date and time that this vulnerability was first discovered. |
Published_DateTime (0..1) | DateTimeWithPrecisionType | The date and time that this vulnerability was first published. |
Affected_Software (0..1) | AffectedSoftwareType | The Affected_Software field captures the list of platforms and software that are affected by this vulnerability. It is implemented through CybOX Observables; the suggested CybOX objects to use are the Product Object, the Device Object, the System Object, and the Code Object. |
References (0..1) | ReferencesType | The References field captures a list of external references describing this vulnerability. |
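
The multiplicities and simple types in the table can be checked mechanically before a document is ingested. The following is an added example, not part of the STIX schemas or tooling: a namespace-agnostic check of one base-type Vulnerability element (CVRF or other extension content is out of scope). The sample XML is constructed, and its namespace URI, the CVE identifier pattern, and the name `check_vulnerability` are assumptions not taken from this page.

```python
import re
import xml.etree.ElementTree as ET

# Maximum occurrences per child element, from the table; None means 0..n.
LIMITS = {"Title": 1, "Description": None, "Short_Description": None,
          "CVE_ID": 1, "OSVDB_ID": 1, "Source": 1, "CVSS_Score": 1,
          "Discovered_DateTime": 1, "Published_DateTime": 1,
          "Affected_Software": 1, "References": 1}
BOOL_ATTRS = ("is_known", "is_publicly_acknowledged")
XSD_BOOLEAN = {"true", "false", "1", "0"}          # lexical forms of xs:boolean
CVE_RE = re.compile(r"CVE-[0-9]{4}-[0-9]{4,}")     # assumption: usual CVE ID syntax
POS_INT_RE = re.compile(r"\+?0*[1-9][0-9]*")       # xs:positiveInteger

# Constructed sample with three deliberate faults. The namespace URI is an
# assumption (it is not given on this page); the checker ignores namespaces.
SAMPLE = """\
<et:Vulnerability xmlns:et="http://stix.mitre.org/ExploitTarget-1"
                  is_known="true" is_publicly_acknowledged="yes">
  <et:Title>Constructed sample</et:Title>
  <et:Description>First description.</et:Description>
  <et:Description>Second description.</et:Description>
  <et:CVE_ID>CVE-0000-0000</et:CVE_ID>
  <et:OSVDB_ID>0</et:OSVDB_ID>
  <et:Source>https://example.org/advisory</et:Source>
  <et:Source>second source</et:Source>
</et:Vulnerability>"""

def check_vulnerability(xml_text):
    """Return a list of problems in one base-type Vulnerability element."""
    vuln = ET.fromstring(xml_text)
    problems, counts = [], {}
    for attr in BOOL_ATTRS:
        value = vuln.get(attr)
        if value is not None and value not in XSD_BOOLEAN:
            problems.append(f"@{attr}: {value!r} is not a boolean")
    for child in vuln:
        name = child.tag.rsplit("}", 1)[-1]        # drop the {namespace} prefix
        text = (child.text or "").strip()
        if name not in LIMITS:
            problems.append(f"{name}: not a field of the base type")
            continue
        counts[name] = counts.get(name, 0) + 1
        if name == "CVE_ID" and not CVE_RE.fullmatch(text):
            problems.append(f"CVE_ID: {text!r} is not a CVE identifier")
        if name == "OSVDB_ID" and not POS_INT_RE.fullmatch(text):
            problems.append(f"OSVDB_ID: {text!r} is not a positive integer")
    for name, limit in LIMITS.items():
        if limit is not None and counts.get(name, 0) > limit:
            problems.append(f"{name}: {counts[name]} occurrences, limit {limit}")
    return problems
```

For documents received from outside parties, `xml.etree.ElementTree` can be swapped for a hardened parser such as `defusedxml.ElementTree`, which exposes the same `fromstring` call.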