Vulnerability Object
A Vulnerability is any weakness in the computational logic found in products or devices that could be exploited by a threat source (NISTIR 7298).
Semantics
A vulnerability affects a set of originating products and is described by a set of distinct exploitation scenarios. An originating product may be or contain the vulnerable product.
Each scenario is related to a set of affected products, which may be a subset of the originating products or may represent a product that depends on the originating product.
Properties
A vulnerability has the following properties.
Sector Of Interest
Name hasSectorOfInterest
Cardinality zero or many
Description Supplemental information identifying potential sectors or use cases where the vulnerability could have an impact.
The value of hasSectorOfInterest MUST be a value from the sector of interest value list.
Relationships
A vulnerability has the following relationships.
Known Chain
Name hasKnownChain
Cardinality zero or many
Description Identifies other known vulnerabilities that can be used in conjunction with the vulnerability in question to achieve a different and likely greater impact.
The object value of the hasKnownChain relationship MUST be a vulnerability identifier object.
Identity
Name hasIdentity
Cardinality one or many
Description Indicates an alternate string used to identify the vulnerability.
The object value of the hasIdentity relationship MUST be a vulnerability identifier object.
Scenario
Name hasScenario
Cardinality one or many
Description Lists the scenarios associated with the vulnerability.
The object value of the hasScenario relationship MUST be a scenario object.
Originating Product
Name hasOriginatingProduct
Cardinality one or many
Description Identifies a product associated with the vulnerability.
The object value of the hasOriginatingProduct relationship MUST be a product object.
Example
{
  "Vulnerability": {
    "hasIdentity": [
      {
        "scheme": "http://cve.mitre.org",
        "value": "CVE-2050-1234"
      }
    ],
    "hasSectorOfInterest": [
      "Industrial Control System",
      "Health Care"
    ],
    "hasOriginatingProduct": {
      "hasEnumeration": [
        {
          "scheme": "https://csrc.nist.gov/ns/cpe/2.3",
          "values": [
            "cpe:2.3:a:fake:fakeproductX:1.0.0",
            "cpe:2.3:a:fake:fakeproductY:1.0.0"
          ]
        },
        {
          "scheme": "https://nist.gov/cpe/2.2",
          "values": ["cpe:/a:fake"]
        }
      ]
    },
    "hasScenario": [
    ]
  }
}
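One way to check a document against the cardinalities and value rules listed above, as an added example that is not part of the specification. It assumes an identifier object has string "scheme" and "value" members (as in the example), that a bare object counts as a single value, and that the sector list contains only the two sectors shown here; the sample input is constructed.

```python
import json

# Cardinalities as stated on this page: (minimum count, kind of each value).
RULES = {
    "hasIdentity": (1, "identifier"),
    "hasScenario": (1, "object"),
    "hasOriginatingProduct": (1, "object"),
    "hasKnownChain": (0, "identifier"),
    "hasSectorOfInterest": (0, "sector"),
}
# Assumption: only the two sectors used in the page's example; the full
# sector of interest value list is defined elsewhere.
SECTORS = {"Industrial Control System", "Health Care"}


def _ok(kind, v):
    if kind == "sector":
        return isinstance(v, str) and v in SECTORS
    if not isinstance(v, dict):
        return False
    # Assumption: an identifier object carries non-empty string "scheme"
    # and "value" members, as in the page's example.
    if kind == "identifier":
        return all(isinstance(v.get(k), str) and v[k] for k in ("scheme", "value"))
    return True


def validate(doc):
    """Return a list of violations for a {"Vulnerability": {...}} document."""
    vuln = doc.get("Vulnerability")
    if not isinstance(vuln, dict):
        return ["missing Vulnerability object"]
    errors = []
    for name, (minimum, kind) in RULES.items():
        values = vuln.get(name, [])
        if not isinstance(values, list):  # assumption: a bare value is one item
            values = [values]
        if len(values) < minimum:
            errors.append(f"{name}: expected one or many, found {len(values)}")
        errors += [f"{name}[{i}]: not a valid {kind}"
                   for i, v in enumerate(values) if not _ok(kind, v)]
    return errors


# Constructed sample modelled on the example above (empty hasScenario list).
SAMPLE = json.loads("""{"Vulnerability": {
  "hasIdentity": [{"scheme": "http://cve.mitre.org", "value": "CVE-2050-1234"}],
  "hasSectorOfInterest": ["Industrial Control System", "Health Care"],
  "hasOriginatingProduct": {"hasEnumeration": []},
  "hasScenario": []}}""")

if __name__ == "__main__":
    print(validate(SAMPLE))
```

Running the check at ingestion time lets a consumer reject records that omit a required relationship before they reach downstream matching or triage.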