Getting logical CPEs configurations for a CVE

This is a follow up to this post:

On the Configurations tab I can see the various configurations for a CVE, but where is the CPE logic shown on this page recorded? Put another way, can I pull this information from the API?

Hey @dtp1900!

This info is recorded in the Indicator STIX object for the CVE.

If you go to the objects tab and filter by type=indicator you will find it.

Here is the one for CVE-2021-41773

{
  "created": "2021-10-05T09:15:07.593Z",
  "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
  "description": "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.",
  "extensions": {
    "extension-definition--ad995824-2901-5f6e-890b-561130a239d4": {
      "extension_type": "toplevel-property-extension"
    }
  },
  "external_references": [
    {
      "source_name": "cve",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
      "external_id": "CVE-2021-41773"
    }
  ],
  "id": "indicator--035df082-e755-565d-9ee6-d2585fdd255f",
  "indicator_types": [
    "compromised"
  ],
  "modified": "2025-10-27T17:36:57.287Z",
  "name": "CVE-2021-41773",
  "object_marking_refs": [
    "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
    "marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3"
  ],
  "pattern": "([software:cpe='cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*']) OR ([software:cpe='cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*']) OR ([software:cpe='cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*']) OR ([software:cpe='cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*'])",
  "pattern_type": "stix",
  "pattern_version": "2.1",
  "spec_version": "2.1",
  "type": "indicator",
  "valid_from": "2021-10-05T09:15:07.593Z",
  "x_cpes": {
    "not_vulnerable": [],
    "vulnerable": [
      {
        "criteria": "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*",
        "matchCriteriaId": "B201CFB2-F626-4DD0-9F6A-DFE8F64203E2"
      },
      {
        "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
        "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835"
      },
      {
        "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
        "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA"
      },
      {
        "criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*",
        "matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4"
      },
      {
        "criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*",
        "matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4"
      },
      {
        "criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*",
        "matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3"
      },
      {
        "criteria": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*",
        "matchCriteriaId": "5C2089EE-5D7F-47EC-8EA5-0F69790564C4"
      }
    ]
  }
}

You can see the logic described in the pattern property.

If you’re new to STIX patterns, this post will give you everything you need:

Ok, but…

I see Indicator objects that look like this

        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f217749b-dded-56f3-b2be-9ad6ea3f9e47",
            "created_by_ref": "identity--562918ee-d5da-5579-b6a1-fae50cc6bad3",
            "created": "2017-12-11T17:29:00.270Z",
            "modified": "2022-01-24T16:46:02.897Z",
            "name": "CVE-2015-8470",
            "description": "The console in Puppet Enterprise 3.7.x, 3.8.x, and 2015.2.x does not set the secure flag for the JSESSIONID cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.",
            "indicator_types": [
                "compromised"
            ],
            "pattern": "([software:cpe='cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*' OR software:cpe='cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*'])",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2017-12-11T17:29:00.27Z",
            "external_references": [
                {
                    "source_name": "cve",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8470",
                    "external_id": "CVE-2015-8470"
                }
            ],
            "object_marking_refs": [
                "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
                "marking-definition--562918ee-d5da-5579-b6a1-fae50cc6bad3"
            ],
            "extensions": {
                "extension-definition--ad995824-2901-5f6e-890b-561130a239d4": {
                    "extension_type": "toplevel-property-extension"
                }
            },
            "x_cpes": {
                "not_vulnerable": [],
                "vulnerable": [
                    {
                        "criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
                        "matchCriteriaId": "E3C0546D-3FF4-461A-B6C4-3C1586DFA79E"
                    },
                    {
                        "criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
                        "matchCriteriaId": "6F08C767-D814-4026-9895-36EF1E4B2F78"
                    },
                    {
                        "criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
                        "matchCriteriaId": "4E6676D2-5545-456E-A10D-7AE7B75B6A63"
                    }
                ]
            }
        }

So I interpret the above pattern as:

cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:* OR cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:* OR cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*

All of which are vulnerable.

But all the CPEs listed here are the same. So what is going on here?

In short, Indicator patterns only contain the top CPE of the Grouping object (which might contain many CPEs in object_refs).

This is similar to the way NVD do it, using Match Criteria IDs.

To explain, in the indicator object you see

                "vulnerable": [
                    {
                        "criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
                        "matchCriteriaId": "E3C0546D-3FF4-461A-B6C4-3C1586DFA79E"
                    },
                    {
                        "criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
                        "matchCriteriaId": "6F08C767-D814-4026-9895-36EF1E4B2F78"
                    },
                    {
                        "criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
                        "matchCriteriaId": "4E6676D2-5545-456E-A10D-7AE7B75B6A63"
                    }
                ]

For each entry, a Grouping object will exist.

e.g. for CVE-2015-8470 you have 3 Grouping objects (you have 3 CPEs in the pattern)

Here is the STIX Grouping object for E3C0546D-3FF4-461A-B6C4-3C1586DFA79E

{
  "context": "unspecified",
  "created": "2022-01-24T16:44:41.490Z",
  "created_by_ref": "identity--9779a2db-f98c-5f4b-8d08-8ee04e02dbb5",
  "external_references": [
    {
      "source_name": "matchCriteriaId",
      "external_id": "E3C0546D-3FF4-461A-B6C4-3C1586DFA79E"
    },
    {
      "source_name": "matchstring",
      "external_id": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*"
    },
    {
      "source_name": "versionStartIncluding",
      "external_id": "3.7.0"
    },
    {
      "source_name": "versionEndIncluding",
      "external_id": "3.7.2"
    }
  ],
  "id": "grouping--610dede3-fff2-5fa7-b802-3575f9ea4b05",
  "modified": "2022-01-24T16:44:41.490Z",
  "name": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
  "object_marking_refs": [
    "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
    "marking-definition--152ecfe1-5015-522b-97e4-86b60c57036d"
  ],
  "object_refs": [
    "software--9a088350-804c-5116-b67b-0907e56ff073",
    "software--cf0ed0f1-6f96-57a1-a823-253cd015d548",
    "software--62bea4d6-a169-5fa1-8064-66800aee04b7"
  ],
  "spec_version": "2.1",
  "type": "grouping"
}

You can see 3 software objects (CPEs) exist here (in object_refs). So for that single CPE in the pattern, 3 CPEs are actually represented.

You can see these in the object lists for the CVE, and also on the Configurations tab, where CPEs are nested under their Groupings.
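
The join described in this thread, as an added example that is not part of the original posts and not the platform's own code: it splits an Indicator pattern into its OR'd configuration groups, then matches each `x_cpes.vulnerable` entry to its Grouping by `matchCriteriaId` to recover the version bounds that the repeated match string hides. The function names are hypothetical, the objects are assumed to be already fetched and passed in as dicts, the regexes assume CPE strings without embedded single quotes or square brackets, and the sample data is trimmed from the objects shown above.

```python
import re

OBSERVATION = re.compile(r"\[(.*?)\]")                  # one [...] per configuration group
CPE_TERM = re.compile(r"software:cpe\s*=\s*'([^']*)'")  # one comparison per match string

def pattern_groups(pattern):
    """Split an Indicator pattern into its OR'd groups of CPE match strings."""
    return [CPE_TERM.findall(body) for body in OBSERVATION.findall(pattern)]

def resolve_criteria(indicator, groupings):
    """Join x_cpes.vulnerable entries to Grouping objects by matchCriteriaId."""
    by_id = {}
    for g in groupings:
        refs = {r["source_name"]: r["external_id"] for r in g.get("external_references", [])}
        if "matchCriteriaId" in refs:
            by_id[refs["matchCriteriaId"]] = (refs, g.get("object_refs", []))
    rows = []
    for entry in indicator.get("x_cpes", {}).get("vulnerable", []):
        refs, members = by_id.get(entry["matchCriteriaId"], ({}, None))  # None: Grouping not supplied
        bounds = {k: v for k, v in refs.items() if k.startswith("version")}
        rows.append({"criteria": entry["criteria"], "matchCriteriaId": entry["matchCriteriaId"],
                     "bounds": bounds, "software_refs": members})
    return rows

PUPPET = "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*"
INDICATOR = {  # trimmed copy of the CVE-2015-8470 Indicator shown above
    "pattern": "([" + " OR ".join(f"software:cpe='{PUPPET}'" for _ in range(3)) + "])",
    "x_cpes": {"not_vulnerable": [], "vulnerable": [
        {"criteria": PUPPET, "matchCriteriaId": "E3C0546D-3FF4-461A-B6C4-3C1586DFA79E"},
        {"criteria": PUPPET, "matchCriteriaId": "6F08C767-D814-4026-9895-36EF1E4B2F78"},
        {"criteria": PUPPET, "matchCriteriaId": "4E6676D2-5545-456E-A10D-7AE7B75B6A63"}]},
}
GROUPINGS = [{  # trimmed copy of the one Grouping shown above; the other two are not on the page
    "type": "grouping",
    "external_references": [
        {"source_name": "matchCriteriaId", "external_id": "E3C0546D-3FF4-461A-B6C4-3C1586DFA79E"},
        {"source_name": "matchstring", "external_id": PUPPET},
        {"source_name": "versionStartIncluding", "external_id": "3.7.0"},
        {"source_name": "versionEndIncluding", "external_id": "3.7.2"}],
    "object_refs": ["software--9a088350-804c-5116-b67b-0907e56ff073",
                    "software--cf0ed0f1-6f96-57a1-a823-253cd015d548",
                    "software--62bea4d6-a169-5fa1-8064-66800aee04b7"],
}]

if __name__ == "__main__":
    print(pattern_groups(INDICATOR["pattern"]))
    for row in resolve_criteria(INDICATOR, GROUPINGS):
        print(row["matchCriteriaId"], row["bounds"] or "no bounds resolved", row["software_refs"])
```

A row whose `software_refs` is `None` means the matching Grouping was not in the supplied list, which is different from a Grouping that exists but carries no version bounds.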