On NVD Service Degradation

Impact on Vulners Service, Workarounds, and Mitigation Efforts

Since mid-February 2024, the National Vulnerability Database (NVD) has been experiencing significant delays in tagging new CVEs with CPE, CWE, and CVSS.
Several features of Vulners rely on the availability of this information.

Read about affected Vulners features, potential workarounds, and the measures we are taking to mitigate the situation.

Background of the Situation

The National Vulnerability Database has been displaying a notification about delays in CVE analysis since mid-February 2024.

In the absence of further official updates from NVD, numerous security researchers have expressed concerns about the growing backlog in enriching CVEs with critical details such as references, CWE, and particularly CPE of affected configurations.

A search in the Vulners database reveals the current state of this problem — over 2700 CVEs lack information on affected versions.

The duration of this issue remains uncertain. It is crucial for our users to understand the impact on Vulners' service, identify potential workarounds, and learn about our efforts to provide the most reliable vulnerability intelligence possible.

Affected Features & Available Workarounds

Searches on the Vulners website and through our API that depend on fields such as affectedSoftware, affectedConfiguration, and cpeConfiguration being filled will not return records from our CVE collection (type:cve) when the CPE configuration is missing from NVD.

Nevertheless, searches using the affectedSoftware field remain viable for OSV (type:osv) and GHSA (type:github) collections on the Vulners website and via the API. Bulletins within these collections that reference a CVE ID will include it in the cvelist field, allowing users to access the CVE's description and other available information.

Many CVEs submitted by CNAs come with an assigned CVSS score, including the vector string and base score. When NVD has not assigned a score, Vulners incorporates this CNA-provided CVSS score into the cvss3 structure and displays it in the user interface.
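
The workaround above, sketched as an added example (not Vulners code): for each type:cve record that lacks CPE data, it collects affected software from OSV and GHSA bulletins that cite the CVE in cvelist, and flags CVEs that no fallback covers. The top-level field names are those named in this article; the inner layout of each field, the placeholder IDs, and the helper names are assumptions.

```python
from collections import defaultdict

# Constructed sample bulletins (not real data). Inner field layouts such as
# name/operator/version and baseScore are assumptions made for this example.
BULLETINS = [
    {"id": "CVE-0000-0001", "type": "cve", "cvelist": ["CVE-0000-0001"],
     "cpeConfiguration": {}, "affectedSoftware": [], "cvss3": {"baseScore": 7.5}},
    {"id": "GHSA-xxxx-xxxx-0001", "type": "github", "cvelist": ["CVE-0000-0001"],
     "affectedSoftware": [{"name": "examplelib", "operator": "lt", "version": "2.4.1"}]},
    {"id": "OSV-0000-1", "type": "osv", "cvelist": ["CVE-0000-0001"],
     "affectedSoftware": [{"name": "examplelib", "operator": "lt", "version": "2.4.1"}]},
    {"id": "CVE-0000-0002", "type": "cve", "cvelist": ["CVE-0000-0002"],
     "cpeConfiguration": {}, "affectedSoftware": []},
]

FALLBACK_TYPES = ("osv", "github")  # collections that still carry affectedSoftware

def lacks_affected_data(bulletin):
    """True for a type:cve record with no CPE configuration or affected software."""
    return (bulletin["type"] == "cve"
            and not bulletin.get("cpeConfiguration")
            and not bulletin.get("affectedSoftware"))

def backfill_affected(bulletins):
    """Map each unenriched CVE to affected software found in OSV/GHSA bulletins."""
    affected, sources = defaultdict(set), defaultdict(set)
    for b in bulletins:
        if b["type"] not in FALLBACK_TYPES:
            continue
        for cve_id in b.get("cvelist", []):
            for sw in b.get("affectedSoftware", []):
                affected[cve_id].add((sw["name"], sw["operator"], sw["version"]))
                sources[cve_id].add(b["id"])
    report = {}
    for b in bulletins:
        if lacks_affected_data(b):
            report[b["id"]] = {
                "affected": sorted(affected[b["id"]]),   # empty list = blind spot
                "sources": sorted(sources[b["id"]]),
                "cvss3_base": (b.get("cvss3") or {}).get("baseScore"),  # CNA score, if any
            }
    return report

if __name__ == "__main__":
    for cve_id, row in backfill_affected(BULLETINS).items():
        status = "backfilled" if row["affected"] else "NO affected-version data"
        print(cve_id, status, row)
```

CVEs reported with an empty affected list are the ones that software-based matching cannot see until another source supplies version data.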

Enhancements to Our Service

We are currently exploring the integration of CVEProject CVEListV5 data into the Vulners database to enhance our coverage of affected component versions for CVEs.

This initiative is in its early stages, and we will keep you informed on our progress.

Looking Ahead

The workarounds we suggested and the new features we are implementing may require adjustments to how you interact with the Vulners API and data. We leave it to you to estimate how long NVD may take to return to normal operation and to decide how far you wish to modify your affected workflows.

We are committed to making all reasonable efforts to maintain these features, contingent upon the continued functionality of the underlying data sources.