Application Vulnerability fields

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 15 minutes
  • Vulnerabilities are created automatically when records are downloaded from the National Vulnerability Database (NVD), Common Weakness Enumeration (CWE) or third-party integrations. NVD and CWE are stored under Libraries in Vulnerability Response or under Vulnerabilities in Application Vulnerability Response.

    CWE vulnerability entry fields

    The fields in this table are read-only.

    Field Description
    CWE-ID Identifier for this vulnerability entry. This identifier is used for both Categories and Weaknesses, and is unique between the two datasets.
    Name Descriptive name assigned to this CWE-ID.
    Likelihood of exploit How likely the weakness is to be exploited, on a qualitative scale. One of:
    • Low
    • Medium
    • High
    OWASP Top 10 Position This vulnerability's numerical position in the OWASP Top 10 list.
    SANS Top 25 Position This vulnerability's numerical position in the SANS Top 25 list.
    Class Type of weakness
    Status One of:
    • Incomplete
    • Draft
    • Stable
    • Deprecated
    • Obsolete
    • Unstable
    Abstraction One of:
    • Variant
    • Class
    • Base
    • Compound
    Updated Last time the record was updated in the instance.
    Functional areas List of functional areas affected. For example, File Processing. Only populated for 24/862 weaknesses.
    Affected Resources List of affected resources. For example, File or Directory. Only populated for 51/863 weaknesses.
    URL Knowledge base article associated with this vulnerability.
    Description Description of the vulnerability.
    Integration run The integration run this CWE was imported in.
    Sections
    Additional details Software concept descriptions that further explain the weakness. Includes:
    • Extended description
    • Background details
    • Notes
    Detection methods Details on how you might detect this weakness in an application.
    Modes of introduction The phases in which the weakness is introduced, for example, Implementation, Architecture and Design, and so on.
    Demonstrative examples Code examples of the weakness with accompanying descriptions.
    Potential mitigations Details on how to prevent the weakness, including which phase of the application life cycle it occurs in, and the effectiveness of the mitigation.
    Related Lists
    Relationships CWEs associated with this vulnerability. Lists relationships between this CWE and others. Can include parent/child, follows/precedes, requiredby/requires (for composite weaknesses), CanAlsoBe, PeerOf, MemberOf.
    Observed Examples Some CVEs that are representative of this weakness.
    Common Consequences

    Consequences of a successful exploit, in terms of scope and impact. For example:

    Scope: Confidentiality

    Impact: Read Application Data

    Memberships CWE memberships with this vulnerability.
    Applicable Platforms Platforms associated with this vulnerability.
    Application Vulnerability Entries Other application vulnerability entries associated with one.
    External References Information about the vulnerability from external sources.

    Application vulnerability entry fields

    The fields in this table are read-only.
    Field Description
    ID Identifier for this vulnerability entry.
    Source Origin of the vulnerability — whether a scanner or physical test.
    Severity Normalized degree of severity of this vulnerability. Severity maps are provided for NVD and with ServiceNow third-party integrations. For more information on creating or adjusting severity maps, see Map the severity of an application vulnerable item automatically.

    Version 13.0: Primary CWE

    Version 12.1: CWE entry

    Reference to the Common Weakness Enumeration element that this vulnerability best fits into.

    If more than one CWE is associated with the vulnerability, the primary CWE is determined as follows:
    • Is the CWE mapped to the OWASP Top 10? If so, use this CWE. If not, continue.
    • Is the CWE mapped to the SANS Top 25? If so, use this CWE. If not, continue.
    • Does the CWE have the highest severity? If so, use this CWE. If not, continue.
    • Select the latest of all the CWEs. The latest CWE is the one with the latest Updated field value in the CWE record.
    Category name Classification provided by the third-party integration. Aids in assignment.
    Vulnerability Details
    Threat Description of the threat from this vulnerability.
    Mitigation description Description of the steps that could be taken to mitigate the vulnerability.
    Related List
    Version 13.0:

    CWEs

    List of the CWEs associated with this vulnerability. Non-applicable for the Veracode Vulnerability Integration.
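
The primary CWE selection order given for the Primary CWE field above, sketched as an added JavaScript example. This is not ServiceNow's implementation: the property names are hypothetical, a larger `severity` number is assumed to mean more severe, and narrowing the candidates when several CWEs match the same rule is an assumption the page does not specify.

```javascript
// Added example, not ServiceNow code. Property names (owaspTop10Position,
// sansTop25Position, severity, updated) are hypothetical stand-ins for the
// CWE record fields described on this page.

// Each rule narrows the candidate list; a rule that matches nothing is skipped.
const RULES = [
  // 1. Mapped to the OWASP Top 10?
  (list) => list.filter((c) => Number.isInteger(c.owaspTop10Position)),
  // 2. Mapped to the SANS Top 25?
  (list) => list.filter((c) => Number.isInteger(c.sansTop25Position)),
  // 3. Highest severity (assumption: larger number = more severe).
  (list) => {
    const top = Math.max(...list.map((c) => c.severity ?? 0));
    return list.filter((c) => (c.severity ?? 0) === top);
  },
];

function pickPrimaryCwe(cwes) {
  if (!Array.isArray(cwes) || cwes.length === 0) return null;
  let candidates = cwes.slice();
  for (const rule of RULES) {
    const matched = rule(candidates);
    if (matched.length === 1) return matched[0];   // unambiguous: use this CWE
    if (matched.length > 1) candidates = matched;  // assumed tie handling: keep narrowing
  }
  // 4. Final rule: the CWE whose Updated value is the latest.
  return candidates.reduce((latest, c) =>
    Date.parse(c.updated) > Date.parse(latest.updated) ? c : latest
  );
}

// Constructed sample records (not real instance data).
const SAMPLE = [
  { id: "CWE-200", severity: 2, updated: "2025-11-02T10:00:00Z" },
  { id: "CWE-79", owaspTop10Position: 3, sansTop25Position: 2, severity: 3,
    updated: "2025-06-15T08:30:00Z" },
  { id: "CWE-89", owaspTop10Position: 3, severity: 4, updated: "2025-09-01T12:00:00Z" },
];

function primaryCweId(cwes) {
  const picked = pickPrimaryCwe(cwes);
  return picked ? picked.id : null;
}

console.log(primaryCweId(SAMPLE));
```

In the sample, two CWEs are mapped to the OWASP Top 10, so the SANS Top 25 rule decides between them even though the other candidate has the higher severity.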

    NVD entry fields

    The imported fields in this table are read-only.
    Note:

    NVD data is not used in Application Vulnerability Response and entries represent Vulnerability Response data only.

    CWEs, which are used in Application Vulnerability Response, can point to NVD entries, as examples of a weakness, and are provided here for informational purposes only.

    Field Description
    ID Identifier for this vulnerability entry.
    Risk rating

    (Hidden when no Vulnerability Response vulnerable items (VIs) are associated with the vulnerability)

    Quantified Risk Score separating VIs into Critical, High, Medium, Low, and None.

    Risk score

    (Hidden when no VIs are associated with the vulnerability)

    Calculated amount of risk the vulnerable item poses to your environment.

    Severity Normalized degree of severity of this vulnerability in Vulnerability Response. Severity maps are provided for NVD and with ServiceNow third-party integrations. Application Vulnerability Response Severity is derived from imported Source severity and not NVD. For information on Application Vulnerability Response severity mapping, see Map the severity of an application vulnerable item automatically.
    Exploit exists Yes, if at least one exploit is associated with this vulnerability.
    Exploit skill level Lowest skill level required to exploit this vulnerability.
    Exploit attack vector

    Most vulnerable attack vector of the exploits for this vulnerability.

    Active VIs

    (Hidden when no VIs are associated with the vulnerability)

    Number of vulnerable items associated with this vulnerability, not in the Closed state. If there are no active AVIs for this vulnerability, Risk Rating and Risk Score are not displayed.
    CWE entry Reference to the Common Weakness Enumeration element that this vulnerability best fits into according to the NVD.
    Date published Date the vulnerability was published.
    Last modified Date the vulnerability was last modified.
    Summary Description of the vulnerability.
    Vulnerability Details
    CVSS v2 Imported CVSS v2 data
    CVSS v3 Imported CVSS v3 data, not available prior to 2015.
    Preferred solution

    (Hidden when no VIs are associated with the vulnerability)

    Solution of the highest-supersedence in the chain, derived from the solutions referenced in the vulnerability. If more than one highest-supersedence exists in the chain, no value is set. Any value set manually can be overwritten on subsequent imports. Setting this value manually should be done on the vulnerable item.

    Remediation Status

    (Hidden when no VIs are associated with the vulnerability)

    Excludes Deferred
    Vulnerable items Number of active application vulnerable items with this vulnerability. This count excludes deferred vulnerable items.
    Total VIs Total number of vulnerable items with this vulnerability. This count excludes deferred vulnerable items.
    %VIs remediated Percent complete for remediation of vulnerable items with this vulnerability. This count excludes deferred vulnerable items.
    Includes Deferred
    Vulnerable items Number of active vulnerable items with this vulnerability.
    Total VIs Total number of vulnerable items with this vulnerability.
    %VIs remediated Percent complete for remediation of vulnerable items with this vulnerability.
    Related Links
    Prior to v13.0: Force software vulnerability import
    Note:
    Removed in v13.0
    (Deprecated) Re-calculates product mapping with ITSM Software Asset Management based on information from NVD. Updates the Vulnerable Software library.
    Update status

    Displays date and time of the last update.

    Updates the following:
    • Remediation task state
    • Risk score and rating
    • Metrics such as Active VIs, Total VIs from the Remediation Status section
    Related Lists
    Vulnerable Items

    (Hidden when no VIs are associated with the vulnerability)

    Vulnerable items associated with this vulnerability.

    Vulnerability References Information about the vulnerability from external sources, cited by NVD.
    Exploits Exploits associated with this vulnerability.
    Solutions

    (Hidden when no VIs are associated with the vulnerability)

    All Vulnerability Solution Management integration solutions associated with this vulnerability.
    Version 13.0:

    Weaknesses

    Imported CWE Weakness data associated with a Common Vulnerabilities and Exposures (CVE).
    Version 13.0:

    Vulnerable Software

    (Hidden when no VIs are associated with the vulnerability)

    Imported Common Platform Enumeration (CPE) data associated with the vulnerability.