CVE record
Vulnerabilities are linked to components by their Common Vulnerabilities and Exposures (CVE) numbers, as reported in the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST).
The CVE record provides overview information on a vulnerability, a list of affected projects, and links to references.
Overview tab
By default, the Overview tab appears and displays the following information:
- The header bar displays the following information:
  - CVE ID: The unique identifier assigned to the CVE, which serves as a reference for the specific vulnerability.
  - Related Records: This section lists links to associated Black Duck Security Advisories (BDSA) and European Union Vulnerability Database (EUVD) records, offering users additional context and remediation options related to the same vulnerability or component.
  - Published: The date when the National Vulnerability Database (NVD) published the CVE. This indicates when the vulnerability was officially recognized and made public.
  - Updated: The date the NVD last modified the CVE record, reflecting when it was last updated with new information or corrections.
  - URL: A direct link to the NVD webpage for the CVE, providing users with access to detailed information, including descriptions, impact assessments, and mitigation strategies.
- The Overall Score graphic represents the Common Vulnerability Scoring System (CVSS) score for the CVE.

  This score quantifies the severity of the vulnerability on a scale from 0 to 10, with higher scores indicating a greater level of risk. The CVSS score is calculated based on several factors, including the exploitability of the vulnerability, the impact on confidentiality, integrity, and availability, as well as the environmental context in which the vulnerability exists.
- The Description section provides a detailed overview of the vulnerability associated with the CVE ID. It includes information on the nature of the vulnerability, its potential impact on affected systems, and the conditions under which it can be exploited. The description may also outline the software or components affected, attack vectors, and any known mitigations or recommendations for addressing the vulnerability. This information is crucial for users to understand the context and significance of the CVE, facilitating informed decision-making regarding remediation strategies.
  Additionally, this section may contain the following information:
  - If the CVE is a CISA Known Exploited Vulnerability, it will be displayed here. This section highlights vulnerabilities listed in the Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. Federal civilian executive branch agencies are required to remediate vulnerabilities in the KEV catalog within prescribed timeframes. Information in this section includes:
    - Vulnerability Title: A brief description of the vulnerability.
    - Added: The date the vulnerability was added to the KEV catalog.
    - Due Date: The deadline for remediation.
    - Action: Recommended actions for remediation.
  - If the CVE has a related EUVD ID, it will be displayed here. This section provides additional vulnerability information sourced from the European Union Vulnerability Database, enhancing the context and coverage available for the CVE.
    The EUVD ID section contains the following details:
    - EUVD ID: The unique identifier assigned to the vulnerability in the EUVD.
    - Link: A direct link to the corresponding EUVD webpage for detailed information.
    - Score: The vulnerability severity score as assessed by the EUVD.
    - Vector: The CVSS vector string describing the characteristics of the vulnerability.
    - Published: The date when the EUVD published the vulnerability.
    - Updated: The date when the EUVD last updated the vulnerability information.
- The Scores and Metrics section displays the scores for the related BDSA and NVD records (if applicable), based on the Common Vulnerability Scoring System (CVSS). Select a value above the graph to view the information in the graph and details below.
  This section may also display a comparative, side-by-side graph if the vulnerability also has a BDSA record.
Affected Projects tab
Select this tab to see a list of your projects that are affected by this vulnerability.

For each affected project, the tab lists the following:
- Project name and version affected by this vulnerability.
- Component name and version that contains this vulnerability.
- Remediation status of this vulnerability. Possible values are: New, Needs review, Mitigated, Patched, Duplicate, Remediation Required, Remediation Complete, or Ignored.
- Target date for remediating this vulnerability.
- Actual date this vulnerability was remediated.
Select in the row of a project and select:
- View all vulnerabilities to view all vulnerabilities affecting this project version.
- View related files to display the Source tab filtered to show the affected files.
Use this tab to remediate the vulnerability for one or more projects by origin:
- In the row of the single project you want to remediate, do one of the following:
  - Select , select Update Remediation Plan, enter the remediation details, and click Update.
  - Select and click Remediate. Enter the remediation details, and click Update.
- For multiple projects that need the same remediation status, select in each row and click Remediate. In the Bulk Remediation dialog box, enter the remediation details, and click Update.
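
One way to use the KEV Due Date alongside the remediation status and target date listed on this tab, as an added example rather than a Black Duck feature or API. The rows are a hypothetical export, the KEV entries are constructed samples that use the field names of CISA's KEV JSON feed, and the set of statuses treated as closed is an assumption.

```python
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed; IDs and values are placeholders.
KEV = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vulnerabilityName": "Constructed example A",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vulnerabilityName": "Constructed example B",
     "dateAdded": "2024-01-11", "dueDate": "2024-02-01",
     "requiredAction": "Apply updates per vendor instructions."},
]}

# Constructed rows mirroring the Affected Projects columns (hypothetical export format).
ROWS = [
    {"project": "shop-api 1.4", "component": "libfoo 2.1", "cve": "CVE-0000-0001", "status": "New", "target": None},
    {"project": "billing 3.0", "component": "libfoo 2.1", "cve": "CVE-0000-0001", "status": "Patched", "target": "2024-01-20"},
    {"project": "portal 2.2", "component": "libbar 0.9", "cve": "CVE-0000-0002", "status": "Needs review", "target": "2024-03-15"},
    {"project": "portal 2.2", "component": "libbaz 1.0", "cve": "CVE-0000-0003", "status": "New", "target": None},
]

# Assumption: these remediation statuses mean no further work is planned.
CLOSED = {"Mitigated", "Patched", "Duplicate", "Remediation Complete", "Ignored"}

def kev_triage(rows, kev, today):
    """Return open rows whose CVE is in the KEV catalog, soonest due date first."""
    catalog = {v["cveID"]: v for v in kev["vulnerabilities"]}
    findings = []
    for row in rows:
        entry = catalog.get(row["cve"])
        if entry is None or row["status"] in CLOSED:
            continue
        due = date.fromisoformat(entry["dueDate"])
        target = date.fromisoformat(row["target"]) if row["target"] else None
        if target is None:
            issue = "no target date"
        elif target > due:
            issue = "target after KEV due date"
        else:
            issue = "on track"
        findings.append({"project": row["project"], "cve": row["cve"], "due": due,
                         "days_left": (due - today).days, "issue": issue,
                         "action": entry["requiredAction"]})
    return sorted(findings, key=lambda f: f["due"])
```

A negative `days_left` means the KEV due date has already passed for that project version.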
References tab
Select the References tab to view links for additional information.

Settings tab
Use this tab to manage the global remediation for this vulnerability.
