European Union Vulnerability Database

European Union Vulnerability Database (EUVD) by European Union Agency for Cybersecurity (ENISA) 1. Contrary to other vulnerability databases, the EUVD comes with a holistic approach and aims for ensuring a high level of interconnection of information sources. It does so by leveraging the open-source software Vulnerability-Lookup which enables a quick correlation of vulnerabilities from multiple known sources. The EUVD team embraces a multi-stakeholder approach by collecting publicly available vulnerability information from multiple sources, including advisories provided by vendors and CSIRTs (such as the members of the EU CSIRTs network), as well as other relevant stakeholders.Providing aggregated, reliable, and actionable information related to vulnerabilities (e.g. mitigation measures and exploitation status) contributes to making the EUVD a trusted source for enhanced situational awareness. Utilising the Common Security Advisory Framework (CSAF), a standardised format for vulnerability advisories, the EUVD supports automation in the processing, consumption, and distribution of security advisories. 2. What is the main objective and target audience of the EUVD? Timely and detailed information on vulnerabilities allow users to take appropriate mitigating measures and apply patches as early as possible. As such the EUVD was designed as a publicly accessible database displaying details about disclosed vulnerabilities impacting IT products and services. With a focus on suppliers of network and information systems and entities using their services, information documented in the EUVD is of particular interest to competent authorities such as CSIRTs, as well as private companies and researchers, with the objective to limit exposure to threat, ultimately contributing to a collective cybersecurity approach, by contributing to an enhanced EU vulnerability disclosure and vulnerability information sharing landscape. 3. Why does the EUVD homepage display three different dashboards? The homepage initially displays three dashboards, each providing a specific view on the latest processed vulnerability data. More specifically, the “Critical Vulnerabilities” dashboard provides information filtered by criticality according to the Common Vulnerability Scoring System (CVSS) (i.e. CVSS score of 9 or above), the “Exploited Vulnerability” dashboard highlights vulnerabilities reported being actively exploitated, and the “EU Coordinated Vulnerabilities” dashboard listing vulnerabilities coordinated by European CSIRTs such as the members of the EU CSIRTs network. 4. Which data and services are used to feed the EUVD? Information displayed in the EUVD is collected from different sources and made available through different views. In addition to advisories and bulletins published by vendors and CSIRTs the primary source of data is the CVE program database. The EUVD service retrieves its data by querying the Vulnerability-Lookup collection, enriches the data, and assigns a unique EUVD identifier (on top of existing identifiers such as CVE) to each vulnerability record.The database builds upon the OASIS Common Security Advisory Framework (CSAF) to support automation in the processing, production and distribution of security advisories. 5. Why is an EUVD identifier assigned? Vulnerability identifiers serve the purpose of a reference point. Nevertheless, different sources of vulnerability data may utilize individual identifiers for the vulnerability data in scope of their activity. The EUVD service builds upon the CVE system and vulnerabilities in the scope of the CVE numbering service receive a CVE. In addition, the EUVD data aggregates and enriches the vulnerability information and lists an EUVD ID on top of the CVE when new vulnerability entries are created. To allow further cross referencing, the CVE identifier and additional vulnerability identifiers are listed when available. 6. How does the EUVD enrich the existing vulnerability information? The EUVD collects and references vulnerability information collected from existing databases (such as MITRE’s CVE DB, GitHub’s Advisory Database, JVN iPedia, GSD-Database), adds additional information via references to advisories and alerts issued by national CSIRTs, mitigation and patching guidelines published by vendors, and enriches it with exploited vulnerability markings (such as CISA KEV) and FIRST’s Exploit Prediction scores (EPSS)..”