A Vulnerability ID is a unique number used to identify vulnerability information. An ID of the form "JVN#12345678" is assigned to vulnerability information reported in Japan. IDs of the form "JVNTA99-123A" and "JVNVU#98765432" are assigned to US-CERT Technical Cyber Security Alerts and CERT-CC Vulnerability Notes, respectively. An ID such as "CPNI-123456" is assigned to vulnerability information provided by CPNI. An ID such as "JVNTA#98765432" is assigned to a Technical Alert published by JPCERT/CC.
Vulnerability ID System
|Information provider||Vulnerability ID used by the information provider||Vulnerability ID used on the JVN website|
The Title describes which type of vulnerability exists and in which system/product.
Vulnerability information marked as "Critical" indicates that JPCERT/CC strongly recommends that users apply a patch or workarounds to the affected system/product immediately, because the impact on the affected system/product, or on anything related to it such as its environment, is suspected to be quite severe.
The word "Critical" is also displayed at the end of the title line in the list of 15 Recent Vulnerability Notes on the JVN top page.
Please note that the "Critical" mark is only a reference; the actual severity may differ depending on the environment in which the system/product is used and on how important the system/product is to the business or how much the business relies on it. Therefore, it is crucial for each organization to decide whether to take immediate action by reading the details of the vulnerability report.
This section provides an overview of the vulnerability. It is an executive summary that helps readers decide whether they need to read the rest of the vulnerability note for details.
This section lists the name and version number of the product that contains the vulnerability.
This section provides a detailed description of the vulnerability.
This section describes the possible impact if the vulnerability is exploited.
This section provides solutions to the vulnerability.
There are two types of solutions. One is to update or upgrade the product to resolve the vulnerability.
The other is to apply workarounds to mitigate impacts of the vulnerability.
1. What is Vendor Status?
Vendor Status provides the information that the vendor (product developer) has published regarding the vulnerability. Information from registered vendors participating in the "Information Security Early Warning Partnership" is shown as follows:
|Vendor||Status||Last Update||Vendor Notes|
|XXX Corporation||Vulnerable||2000/01/01||XXX Corporation website|
Alternatively, links to the information published by vendors are listed as follows.
|XXX Corporation||Security Patch for YYYY|
There are five types of vendor status, as shown below.
|Vulnerable||There is a system/product affected by the vulnerability.|
|Vulnerable, investigating||The vendor has found an affected product, but is still investigating.|
|Not Vulnerable||There is no system/product affected by the vulnerability.|
|Not Vulnerable, investigating||The vendor has not yet found an affected system/product, but is still investigating.|
|Unknown||JPCERT/CC has not received a vendor statement yet.|
3. Vendor Notes
Vendor Notes provides a link to the advisory, security-related page, or similar resource on the vendor's website regarding the vulnerability.
This section provides links to the documents released by other CSIRT organizations or security vendors.
This section provides additional information from JPCERT/CC.
1. What is Vulnerability Analysis by JPCERT/CC?
This section provides an analysis conducted by JPCERT/CC on the severity of the vulnerability.
On JVN, the Base Scores for both CVSS v3 and CVSS v2 are used to assess vulnerabilities.
For more information, refer to "A Complete Guide to the Common Vulnerability Scoring System Version 2.0" for CVSS v2, and to "Common Vulnerability Scoring System v3.0: Specification Document" and "Common Vulnerability Scoring System v3.0: User Guide" for CVSS v3.
Vulnerability Analysis by JPCERT/CC
CVSS v3
|Attack Vector(AV)||Physical (P)||Local (L)||Adjacent (A)||Network (N)|
|Attack Complexity(AC)||High (H)||Low (L)|
|Privileges Required(PR)||High (H)||Low (L)||None (N)|
|User Interaction(UI)||Required (R)||None (N)|
|Scope(S)||Unchanged (U)||Changed (C)|
|Confidentiality Impact(C)||None (N)||Low (L)||High (H)|
|Integrity Impact(I)||None (N)||Low (L)||High (H)|
|Availability Impact(A)||None (N)||Low (L)||High (H)|
CVSS v2
|Access Vector(AV)||Local (L)||Adjacent Network (A)||Network (N)|
|Access Complexity(AC)||High (H)||Medium (M)||Low (L)|
|Authentication(Au)||Multiple (M)||Single (S)||None (N)|
|Confidentiality Impact(C)||None (N)||Partial (P)||Complete (C)|
|Integrity Impact(I)||None (N)||Partial (P)||Complete (C)|
|Availability Impact(A)||None (N)||Partial (P)||Complete (C)|
If there are any comments on the analysis, they will be listed here.
Individuals or organizations who identified and reported the vulnerability are listed here unless they do not wish to be credited.
This section lists related alert and advisory links, such as JPCERT Alert, JPCERT REPORT, CERT Advisory, CPNI Advisory, TRnotes, CVE, and JVN iPedia.
On April 25, 2007, the JVN design was renewed to include the "Description", "Solution", "JPCERT/CC addendum", and "Vulnerability Analysis by JPCERT/CC" sections. Therefore, vulnerability notes released prior to this date may not contain the information listed above.