cveapi: API for CVE data

This API returns detailed information on specific security issues, specified by CVE number.

Contents

How to use this API
  1.1  Request
  1.2  Response
  1.3  Authentication
Staying informed of changes
FAQ
  3.1  What’s a CVE number?
  3.2  Where does the data come from?
  3.3  What if this doesn’t solve my problem?
  3.4  Is there a Premium tier?
  3.5  Who built this and how can I reach out?

   

How to use this API

Deprecated

This service relied on data feeds that the NVD provided. Since December 15th 2023, however, those feeds have been retired in favor of an API made by the NVD themselves.

I created this API because the NVD did not provide one. Now that that has changed, I think this one is no longer needed. Until further notice you will still be able to query all CVEs prior to December 15th, but no new ones will be added.

If you have any questions or remarks, feel free to reach out. See my contact info at the bottom of this page.

   

Request

GET https://v1.cveapi.com/CVE-2019-9956.json

   

Response

{
  "cve": {
    "data_type": "CVE",
    "data_format": "MITRE",
    "data_version": "4.0",
    "CVE_data_meta": {
      "ID": "CVE-2019-9956",
      "ASSIGNER": "cve@mitre.org"
    },
    "affects": {
      "vendor": {
        "vendor_data": [
          {
            "vendor_name": "imagemagick",
            "product": {
              "product_data": [
                {
                  "product_name": "imagemagick",
                  "version": {
                    "version_data": [
                      {
                        "version_value": "7.0.8-35",
                        "version_affected": "="
                      }
                    ]
                  }
                }
              ]
            }
          },
          {
            "vendor_name": "debian",
            "product": {
              "product_data": [
                {
                  "product_name": "debian_linux",
                  "version": {
                    "version_data": [
                      {
                        "version_value": "9.0",
                        "version_affected": "="
                      }
                    ]
                  }
                }
              ]
            }
          }
        ]
      }
    },
    "problemtype": {
      "problemtype_data": [
        {
          "description": [
            {
              "lang": "en",
              "value": "CWE-119"
            }
          ]
        }
      ]
    },
    "references": {
      "reference_data": [
        {
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00006.html",
          "name": "openSUSE-SU-2019:1320",
          "refsource": "SUSE",
          "tags": []
        },
        {
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00010.html",
          "name": "openSUSE-SU-2019:1331",
          "refsource": "SUSE",
          "tags": []
        },
        ...
        }
      ]
    },
    "description": {
      "description_data": [
        {
          "lang": "en",
          "value": "In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file."
        }
      ]
    }
  },
  "configurations": {
    "CVE_data_version": "4.0",
    "nodes": [
      {
        "operator": "OR",
        "cpe_match": [
          {
            "vulnerable": true,
            "cpe23Uri": "cpe:2.3:a:imagemagick:imagemagick:7.0.8-35:q16:*:*:*:*:*:*"
          }
        ]
      },
      {
        "operator": "OR",
        "cpe_match": [
          {
            "vulnerable": true,
            "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
          }
        ]
      }
    ]
  },
  "impact": {
    "baseMetricV3": {
      "cvssV3": {
        "version": "3.0",
        "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "attackVector": "NETWORK",
        "attackComplexity": "LOW",
        "privilegesRequired": "NONE",
        "userInteraction": "REQUIRED",
        "scope": "UNCHANGED",
        "confidentialityImpact": "HIGH",
        "integrityImpact": "HIGH",
        "availabilityImpact": "HIGH",
        "baseScore": 8.8,
        "baseSeverity": "HIGH"
      },
      "exploitabilityScore": 2.8,
      "impactScore": 5.9
    },
    "baseMetricV2": {
      "cvssV2": {
        "version": "2.0",
        "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
        "accessVector": "NETWORK",
        "accessComplexity": "MEDIUM",
        "authentication": "NONE",
        "confidentialityImpact": "PARTIAL",
        "integrityImpact": "PARTIAL",
        "availabilityImpact": "PARTIAL",
        "baseScore": 6.8
      },
      "severity": "MEDIUM",
      "exploitabilityScore": 8.6,
      "impactScore": 6.4,
      "acInsufInfo": false,
      "obtainAllPrivilege": false,
      "obtainUserPrivilege": false,
      "obtainOtherPrivilege": false,
      "userInteractionRequired": true
    }
  },
  "publishedDate": "2019-03-24T00:29Z",
  "lastModifiedDate": "2019-05-14T13:29Z"
}


   

Authentication

No authentication is required. But let me know below how I can contact you, should that ever change. See the next section.

   

Staying informed of changes

If you depend on this API in any important way, please send me a quick email at cveapi@dietervds.be. Should anything change with the API format or authentication, I will let you know. Cheers!

   

FAQ

   

What’s a CVE number?

Whenever a security vulnerability is found in a piece of software or hardware, it gets a unique number, like “CVE-2019-9956”. Having a single ID for that issue then gives the entire security industry a common way of talking about it. We can then use it to describe findings in security scans and pentests, or describe fixes in new software releases.

   

Where does the data come from?

All CVE information is provided by the awesome NIST National Vulnerability Database. They publish data feeds on CVEs that are grouped by year. I just split them up per CVE and put them here.

   

What if this doesn’t solve my problem?

Let me know, please! I can’t think of all the use cases for this data on my own, so please share whatever I can do that makes this more useful to you.

   

Is there a Premium tier?

Not yet. I'd love to provide one though, and make this API into a fully supported service. So if you want priority support, an LTS version, custom responses and/or something else, please contact me and tell me all about it.

   

Who built this and how can I reach out?

This API is built and maintained by Dieter Van der Stock.
If you want to get in touch with me, feel free to e-mail me at cveapi@dietervds.be.
