Chapter 3. CVE

3.1. List all CVEs

Abstract

List all the recent CVEs when no parameter is passed. Returns a convenience object as response with very minimum attributes.

JSON

GET /cve.json

XML

GET /cve.xml

HTML

GET /cve

3.2. Parameters

Name	Description	Example
before	CVEs before the query date. [ISO 8601 is the expected format]	2016-03-01
after	CVEs after the query date. [ISO 8601 is the expected format]	2016-02-01
ids	CVEs for Ids separated by comma	CVE-2017-8797,CVE-2014-0161
bug	CVEs for Bugzilla Ids	1326598,1084875
advisory	CVEs for advisory	RHSA-2016:0614,RHSA-2016:0610
severity	CVEs for severity	low,moderate,important
package	CVEs which affect the package	samba,thunderbird
product	CVEs which affect the product. The parameter supports Perl compatible regular expressions.	linux 7,openstack
cwe	CVEs with CWE	295,300
cvss_score	CVEs with CVSS score greater than or equal to this value	7.0
cvss3_score	CVEs with CVSSv3 score greater than or equal to this value	7.0
page	CVEs for page number	Default: 1
per_page	Number of CVEs to return per page	Default: 1000
created_days_ago	Index of CVEs definitions created days ago	10
include_package_state	CVEs with package_state information	true, false
isCompressed	Return response in compressed 'gzip' format	Default: true

By default, search will return the first page of 1000 results, ordered by date. To change the page size use the 'per_page' param, and then iterate through pages using the 'page' param.

Note

All the above query parameters can be used in combination with each other to retrieve the desired result.

3.3. Retrieve a CVE

Abstract

Retrieve full CVE details.

Path

GET /cve/<CVE>.json

Example: /cve/CVE-2016-3706.json

Returns a JSON representation of the CVE data for CVE-2016-3706.

3.4. CVE format

Abstract

Unlike CSAF or OVAL, the CVE representation is not a standard. Notes on what fields may exist and what they mean follow.

Name	Description	Additional Information
ThreatSeverity	The Severity of the flaw.	See this document for more information.
PublicDate	When the flaw became public.	ISO 8601 format.
Bugzilla	Id, URL, and Description of the bug in Red Hat’s Bugzilla.
CVSS	CVSSv2 score and metrics.	The 'status' attribute may have a value of 'draft' or 'verified', indicating how far along the investigation of the flaw has progressed. See this document for more information.
CVSS3	CVSSv3 score and metrics.	The 'status' attribute may have a value of 'draft' or 'verified', indicating how far along the investigation of the flaw has progressed. See this document for more information.
CWE	The CWE chain for this flaw.	See the mitre.org description and our list of possible cwe values.
Details	Details about the flaw, possibly from Red Hat or Mitre.
Statement	A statement from Red Hat about the issue.
References	Links to more information about the issue.
Acknowledgements	People or organizations that are being recognized.
Mitigation	A way to fix or reduce the problem without updated software.
AffectedRelease	A released Erratum that fixes the flaw for a particular product.	Contains product name and CPE, and Erratum link, type, and release date. Optionally also includes "Package" information that describes the name and version of the src.rpm that fixes the issue (will not exist if multiple src.rpms are in the same Erratum).
PackageState	Information about a package / product where no fix has been released yet.	Contains product name and CPE, package (src.rpm) name, and fix state, which is one of ['Affected','Fix deferred','New','Not affected','Will not fix'].
UpstreamFix	The version of the upstream project that fixes the flaw.