How do node configurations work in the NVD CVE API response?


Earlier today I posted this thread

Thanks for the reply @davidg-dogesec!

Though now I have a new issue: the API seems to return more than one node in some cases.

e.g.

GET https://services.nvd.nist.gov/rest/json/cves/2.0/?cveId=CVE-2019-18939

Here is what the API returns (note 3 nodes have been cut for brevity due to post limits):

{
    "resultsPerPage": 1,
    "startIndex": 0,
    "totalResults": 1,
    "format": "NVD_CVE",
    "version": "2.0",
    "timestamp": "2023-01-10T08:23:24.183",
    "vulnerabilities": [
        {
            "cve": {
                "id": "CVE-2019-18939",
                "sourceIdentifier": "cve@mitre.org",
                "published": "2019-11-14T19:15:13.410",
                "lastModified": "2021-07-21T11:39:23.747",
                "vulnStatus": "Analyzed",
                ...
                "configurations": [
                    {
                        "nodes": [
                            {
                                "operator": "AND",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "286DA904-5631-4AAF-86DE-97C23982D2C5"
                                    },
                                    {
                                        "vulnerable": false,
                                        "criteria": "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "38BE17DA-7C5E-427E-B824-151EB27CFF26"
                                    }
                                ]
                            }
                        ]
                    },
                    {
                        "nodes": [
                            {
                                "operator": "AND",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "F5D8290F-3541-4452-99CB-0766CDC59073"
                                    },
                                    {
                                        "vulnerable": false,
                                        "criteria": "cpe:2.3:h:eq-3:homematic_ccu3:-:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "33113AD0-F378-49B2-BCFC-C57B52FD3A04"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.18:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "285F4E29-E299-4F83-9F7E-BB19933AD654"
                                    }
                                ]
                            }
                        ]
                    },
                    {
                        "nodes": [
                            {
                                "operator": "AND",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "286DA904-5631-4AAF-86DE-97C23982D2C5"
                                    },
                                    {
                                        "vulnerable": false,
                                        "criteria": "cpe:2.3:h:eq-3:homematic_ccu3:-:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "33113AD0-F378-49B2-BCFC-C57B52FD3A04"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.18:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "285F4E29-E299-4F83-9F7E-BB19933AD654"
                                    }
                                ]
                            }
                        ]
                    },
                    {
                        "nodes": [
                            {
                                "operator": "AND",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "F5D8290F-3541-4452-99CB-0766CDC59073"
                                    },
                                    {
                                        "vulnerable": false,
                                        "criteria": "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "38BE17DA-7C5E-427E-B824-151EB27CFF26"
                                    }
                                ]
                            }
                        ]
                    }
                ],
                ...
            }
        }
    ]
}

I can see this is used to describe multiple combinations of CPEs in each node, with some of the CPEs vulnerable and others that are not.

My question is not so much how to parse the response, but can I expect any other response structures under configurations to be returned by the API?

Here are the notes I kept when researching this topic. The short answer is there are three types of configurations.

In many cases a product will only be vulnerable if it is being run in a certain way, or with other products. For example, Google Chrome 103.0.5060.114 might be vulnerable running on Apple MacOS 12.0.0 but not Apple MacOS 11.0.0 or any Windows OS.

Each CPE node in the CVE configuration has either an OR or an AND operator value (and in rare cases a negate boolean) to convey the logical relationship of the CPEs within the cpeMatch. For example, if the vulnerability exists only when both CPE products are present, the operator is AND. If the vulnerability exists if either CPE is present, then the operator is OR (as in the CVE-2019-1010218 example). The use of nodes and operators can, though, create more complex relationships.

NVD describe three different types of configurations:

  1. Basic: A single node containing one or more sets of match criteria. This configuration type communicates that each CPE URI that matches the match criteria is considered vulnerable.
  2. Running On/With: A combination of nodes containing both vulnerable and non-vulnerable match criteria. This configuration type communicates that CPE URIs that match the match criteria from both nodes must be present before a vulnerability applies.
  3. Advanced: A complex combination of nodes with many enumerations based on the CPE 2.3 specification. Advanced configurations are displayed with the actual nodes and node values on the vulnerability detail page instead of in a simplified form such as the Basic and Running On/With configuration types.

Let me illustrate with some real examples.

1. Basic configurations

As the name would suggest, these are fairly simple.

CVE-2022-29098 offers a good example: NVD - CVE-2022-29098 (see Known Affected Software Configurations on that page)

Querying via the API:

GET https://services.nvd.nist.gov/rest/json/cves/2.0/?cveId=CVE-2022-29098

Here is what the API returns (note the full response has been cut for brevity, shown using ...):

{
    "resultsPerPage": 1,
    "startIndex": 0,
    "totalResults": 1,
    "format": "NVD_CVE",
    "version": "2.0",
    "timestamp": "2023-01-09T19:40:03.140",
    "vulnerabilities": [
        {
            "cve": {
                "id": "CVE-2022-29098",
                "sourceIdentifier": "security_alert@emc.com",
                "published": "2022-06-01T15:15:09.010",
                "lastModified": "2022-06-08T19:14:09.453",
                "vulnStatus": "Analyzed",
                ...
                "configurations": [
                    {
                        "nodes": [
                            {
                                "operator": "OR",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:dell:powerscale_onefs:9.0.0:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "30687628-5C7F-4BB5-B990-93703294FDF0"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:dell:powerscale_onefs:9.1.0:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "68291D44-DBE1-4923-A848-04E64288DC23"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:dell:powerscale_onefs:9.1.1:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "DCC55FA4-AD91-4DA6-B60E-A4E34DDAE95A"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:dell:powerscale_onefs:9.2.0:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "B948CD53-3D17-4230-9B77-FCE8E0E548B9"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:dell:powerscale_onefs:9.2.1:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "5AB99A1A-8DD3-4DDE-B70C-0E91D1D3B682"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:dell:powerscale_onefs:9.3.0:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "61F14753-D64C-4E8B-AA94-07E014848B4D"
                                    }
                                ]
                            }
                        ]
                    }
                ],
                ...
            }
        }
    ]
}

There is only one nodes. The operator for the entire node is OR.

Therefore each cpeMatch object in it is considered with the OR statement.

Basic configurations only consider individual products (and not combinations) so all CPEs are "vulnerable": true (meaning the product itself is always vulnerable).

In this case, the 6 configuration variations that lead to matches (note, the third, fourth, and fifth nodes are omitted in the snippet above):

  1. Dell PowerScale OneFS version 9.0.0 ("matchCriteriaId": "30687628-5C7F-4BB5-B990-93703294FDF0") OR,
  2. Dell PowerScale OneFS version 9.1.0 ("matchCriteriaId": "68291D44-DBE1-4923-A848-04E64288DC23") OR,
  3. Dell PowerScale OneFS version 9.1.1 ("matchCriteriaId": "DCC55FA4-AD91-4DA6-B60E-A4E34DDAE95A") OR,
  4. Dell PowerScale OneFS (version 9.2.0) ("matchCriteriaId": "B948CD53-3D17-4230-9B77-FCE8E0E548B9") OR,
  5. Dell PowerScale OneFS (version 9.2.1) ("matchCriteriaId": "5AB99A1A-8DD3-4DDE-B70C-0E91D1D3B682") OR,
  6. Dell PowerScale OneFS (version 9.3.0) ("matchCriteriaId": "61F14753-D64C-4E8B-AA94-07E014848B4D")

In this example, each matchCriteriaId returns the same CPE URI as shown in the CVE, e.g.

GET https://services.nvd.nist.gov/rest/json/cvehistory/2.0/?matchCriteriaId=30687628-5C7F-4BB5-B990-93703294FDF0
                "matches": [
                    {
                        "cpeName": "cpe:2.3:a:dell:powerscale_onefs:9.0.0:*:*:*:*:*:*:*",
                        "cpeNameId": "2B8F2852-98F4-44E1-BBF2-6597C2481DB1"
                    }
                ]

However, keep in mind as I move on that this is not always the case (more CPEs might be returned by a matchCriteriaId).

2. Running On/With

This type of configuration is defined using a combination of products that have a relationship (Running On/With) that makes at least one of these products vulnerable.

In this example, nodes can now contain both vulnerable and non-vulnerable products.

To explain this I will use CVE-2022-27948 as an example: NVD - CVE-2022-27948 (see Known Affected Software Configurations on that page)

Querying via the API:

GET https://services.nvd.nist.gov/rest/json/cves/2.0/?cveId=CVE-2022-27948

Here is what the API returns (note 3 nodes have been cut for brevity, shown using ...):

{
    "resultsPerPage": 1,
    "startIndex": 0,
    "totalResults": 1,
    "format": "NVD_CVE",
    "version": "2.0",
    "timestamp": "2023-01-10T07:37:08.677",
    "vulnerabilities": [
        {
            "cve": {
                "id": "CVE-2022-27948",
                "sourceIdentifier": "cve@mitre.org",
                "published": "2022-03-27T13:15:13.573",
                "lastModified": "2022-04-06T03:39:12.913",
                "vulnStatus": "Analyzed",
                ...
                "configurations": [
                    {
                        "operator": "AND",
                        "nodes": [
                            {
                                "operator": "OR",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:tesla:model_3_firmware:*:*:*:*:*:*:*:*",
                                        "versionEndIncluding": "2022-03-26",
                                        "matchCriteriaId": "86619D7A-ACB6-489C-9C29-37C6018E5B4B"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:tesla:model_s_firmware:*:*:*:*:*:*:*:*",
                                        "versionEndIncluding": "2022-03-26",
                                        "matchCriteriaId": "FD68704D-C711-491F-B278-B02C6866738C"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:tesla:model_x_firmware:*:*:*:*:*:*:*:*",
                                        "versionEndIncluding": "2022-03-26",
                                        "matchCriteriaId": "C3517683-8493-4D0D-9792-5C9034B1F0B3"
                                    }
                                ]
                            },
                            {
                                "operator": "OR",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": false,
                                        "criteria": "cpe:2.3:h:tesla:model_3:-:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "825A79FD-C872-4564-9782-83BEEADDF5D9"
                                    },
                                    {
                                        "vulnerable": false,
                                        "criteria": "cpe:2.3:h:tesla:model_s:-:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "8D28E699-B843-4641-9BA6-406D88231E7C"
                                    },
                                    {
                                        "vulnerable": false,
                                        "criteria": "cpe:2.3:h:tesla:model_x:-:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "C550FF8A-58ED-4265-B33F-10AFDEA95519"
                                    }
                                ]
                            }
                        ]
                    }
                ],
                ...
            }
        }
    ]
}

Note in this response, the top nodes object has an operator property (in the previous response, this was only at the cpeMatch level).

                        "operator": "AND",
                        "nodes": [

This allows for more complex Running On/With combinations where each cpeMatch within a node can be considered using this additional operator.

The top level operator in this example is AND. In total there are two cpeMatches in this nodes.

Each cpeMatch itself has an OR operator, and each of these cpeMatch has three CPE URIs within it. The first contains only Tesla operating system (o) CPEs. The second contains only Tesla hardware (h) CPEs.

Logically, it is saying any entry from the first cpeMatch AND any entry from the second cpeMatch nested in the nodes will create a match.

It’s also important to point out here that each matchCriteriaId returns more versions of the product. For example,

                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:tesla:model_3_firmware:*:*:*:*:*:*:*:*",
                                        "versionEndIncluding": "2022-03-26",
                                        "matchCriteriaId": "86619D7A-ACB6-489C-9C29-37C6018E5B4B"
                                    },
GET https://services.nvd.nist.gov/rest/json/cvehistory/2.0/?matchCriteriaId=86619D7A-ACB6-489C-9C29-37C6018E5B4B
                "matches": [
                    {
                        "cpeName": "cpe:2.3:o:tesla:model_3_firmware:-:*:*:*:*:*:*:*",
                        "cpeNameId": "979F9EB6-C9F6-49EE-9FED-2ED17E400E86"
                    },
                    {
                        "cpeName": "cpe:2.3:o:tesla:model_3_firmware:11.0:*:*:*:*:*:*:*",
                        "cpeNameId": "62DCA7AD-A796-486F-8FB6-DEACC078D402"
                    },
                    {
                        "cpeName": "cpe:2.3:o:tesla:model_3_firmware:2022-03-26:*:*:*:*:*:*:*",
                        "cpeNameId": "F010C8B7-83E9-45FB-A5D4-26EDF34EC312"
                    }
                ]

Here I can see this CPE URI in the node actually covers 3 CPE URIs.

Looking at all six matchCriteriaIds:

  • 86619D7A-ACB6-489C-9C29-37C6018E5B4B: 3 CPE URIs (shown above)
  • FD68704D-C711-491F-B278-B02C6866738C: 2 CPE URIs
  • C3517683-8493-4D0D-9792-5C9034B1F0B3: 3 CPE URIs
  • 825A79FD-C872-4564-9782-83BEEADDF5D9: 1 CPE URI
  • 8D28E699-B843-4641-9BA6-406D88231E7C: 1 CPE URI
  • C550FF8A-58ED-4265-B33F-10AFDEA95519: 1 CPE URI

In this example you also need to consider the value of the vulnerable property. You’ll see that in the first node this is true for all entries. In the second, they’re all false.

This is essentially describing the combinations of products, and which of them are actually affected by a vulnerability when running in this way.

It’s easier to explain this by writing it all out, as there are a lot of combinations in this CVE.

  • Tesla Model 3 Firmware (86619D7A-ACB6-489C-9C29-37C6018E5B4B – 3 CPEs) and Tesla Model 3 Hardware (825A79FD-C872-4564-9782-83BEEADDF5D9 – 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
  • Tesla Model 3 Firmware (86619D7A-ACB6-489C-9C29-37C6018E5B4B – 3 CPEs) and Tesla Model S Hardware (8D28E699-B843-4641-9BA6-406D88231E7C – 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
  • Tesla Model 3 Firmware (86619D7A-ACB6-489C-9C29-37C6018E5B4B – 3 CPEs) and Tesla Model X Hardware (C550FF8A-58ED-4265-B33F-10AFDEA95519 – 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
  • Tesla Model S Firmware (FD68704D-C711-491F-B278-B02C6866738C – 2 CPEs) and Tesla Model 3 Hardware (825A79FD-C872-4564-9782-83BEEADDF5D9 – 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
  • Tesla Model S Firmware (FD68704D-C711-491F-B278-B02C6866738C – 2 CPEs) and Tesla Model S Hardware (8D28E699-B843-4641-9BA6-406D88231E7C – 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
  • Tesla Model S Firmware (FD68704D-C711-491F-B278-B02C6866738C – 2 CPEs) and Tesla Model X Hardware (C550FF8A-58ED-4265-B33F-10AFDEA95519 – 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
  • Tesla Model X Firmware (C3517683-8493-4D0D-9792-5C9034B1F0B3 – 3 CPEs) and Tesla Model 3 Hardware (825A79FD-C872-4564-9782-83BEEADDF5D9 – 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
  • Tesla Model X Firmware (C3517683-8493-4D0D-9792-5C9034B1F0B3 – 3 CPEs) and Tesla Model S Hardware (8D28E699-B843-4641-9BA6-406D88231E7C – 1 CPE) (ONLY FIRMWARE VULNERABLE) OR,
  • Tesla Model X Firmware (C3517683-8493-4D0D-9792-5C9034B1F0B3 – 3 CPEs) and Tesla Model X Hardware (C550FF8A-58ED-4265-B33F-10AFDEA95519 – 1 CPE) (ONLY FIRMWARE VULNERABLE)

In total there are 24 possible product combinations that are vulnerable in this CVE (((3*1)+(3*1)+(3*1))+((2*1)+(2*1)+(2*1))+((3*1)+(3*1)+(3*1))).

Note, this is not the most perfectly written nodes cpeMatch, though this is good to understand that not all CPE matches in a CVE will be as concise as they could be. In the real world, Tesla Model 3 firmware will always, as far as I’m aware, only be running Model 3 firmware. Therefore the matches comparing Model 3 OSs to Model X firmware, etc., are redundant.

3. Advanced

The operators and structure in the previous configuration types are no different in advanced configurations. It is the number of nodes returned in the response that allows them to become more advanced.

To illustrate this, I will use CVE-2019-18939: NVD - CVE-2019-18939 (see Known Affected Software Configurations on that page)

Querying via the API:

GET https://services.nvd.nist.gov/rest/json/cves/2.0/?cveId=CVE-2019-18939

Here is what the API returns (note 3 nodes have been cut for brevity, shown using ...):

{
    "resultsPerPage": 1,
    "startIndex": 0,
    "totalResults": 1,
    "format": "NVD_CVE",
    "version": "2.0",
    "timestamp": "2023-01-10T08:23:24.183",
    "vulnerabilities": [
        {
            "cve": {
                "id": "CVE-2019-18939",
                "sourceIdentifier": "cve@mitre.org",
                "published": "2019-11-14T19:15:13.410",
                "lastModified": "2021-07-21T11:39:23.747",
                "vulnStatus": "Analyzed",
                ...
                "configurations": [
                    {
                        "nodes": [
                            {
                                "operator": "AND",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "286DA904-5631-4AAF-86DE-97C23982D2C5"
                                    },
                                    {
                                        "vulnerable": false,
                                        "criteria": "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "38BE17DA-7C5E-427E-B824-151EB27CFF26"
                                    }
                                ]
                            }
                        ]
                    },
                    {
                        "nodes": [
                            {
                                "operator": "AND",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "F5D8290F-3541-4452-99CB-0766CDC59073"
                                    },
                                    {
                                        "vulnerable": false,
                                        "criteria": "cpe:2.3:h:eq-3:homematic_ccu3:-:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "33113AD0-F378-49B2-BCFC-C57B52FD3A04"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.18:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "285F4E29-E299-4F83-9F7E-BB19933AD654"
                                    }
                                ]
                            }
                        ]
                    },
                    {
                        "nodes": [
                            {
                                "operator": "AND",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "286DA904-5631-4AAF-86DE-97C23982D2C5"
                                    },
                                    {
                                        "vulnerable": false,
                                        "criteria": "cpe:2.3:h:eq-3:homematic_ccu3:-:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "33113AD0-F378-49B2-BCFC-C57B52FD3A04"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.18:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "285F4E29-E299-4F83-9F7E-BB19933AD654"
                                    }
                                ]
                            }
                        ]
                    },
                    {
                        "nodes": [
                            {
                                "operator": "AND",
                                "negate": false,
                                "cpeMatch": [
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:a:hm-print_project:hm-print:1.2:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "F5D8290F-3541-4452-99CB-0766CDC59073"
                                    },
                                    {
                                        "vulnerable": false,
                                        "criteria": "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC"
                                    },
                                    {
                                        "vulnerable": true,
                                        "criteria": "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*",
                                        "matchCriteriaId": "38BE17DA-7C5E-427E-B824-151EB27CFF26"
                                    }
                                ]
                            }
                        ]
                    }
                ],
                ...
            }
        }
    ]
}

The key difference here being there are now multiple nodes objects (four nodes in this example). In the two previous examples, there was one nodes, with multiple cpeMatches nested.

As such, combinations of CPEs can be written in more ways (though they’re not necessarily more “advanced”).

The response above has four separate nodes. Each is considered in isolation.

Each element inside a cpeMatch node is considered with an AND statement, as defined in its operator field value.

Looking at the CPEs inside each matchCriteriaId returns a single CPE URI:

  • Node 1
    • 286DA904-5631-4AAF-86DE-97C23982D2C5: 1 CPE
    • 9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC: 1 CPE
    • 38BE17DA-7C5E-427E-B824-151EB27CFF26: 1 CPE
  • Node 2
    • F5D8290F-3541-4452-99CB-0766CDC59073: 1 CPE
    • 33113AD0-F378-49B2-BCFC-C57B52FD3A04: 1 CPE
    • 285F4E29-E299-4F83-9F7E-BB19933AD654: 1 CPE
  • Node 3
    • 286DA904-5631-4AAF-86DE-97C23982D2C5: 1 CPE
    • 33113AD0-F378-49B2-BCFC-C57B52FD3A04: 1 CPE
    • 285F4E29-E299-4F83-9F7E-BB19933AD654: 1 CPE
  • Node 4
    • F5D8290F-3541-4452-99CB-0766CDC59073: 1 CPE
    • 9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC: 1 CPE
    • 38BE17DA-7C5E-427E-B824-151EB27CFF26: 1 CPE

Note, the same CPEs appear in multiple nodes, hence there are only six unique matchCriteriaIds above.

With this information, I know there are exactly 4 CPE combinations that lead to a match (one for each nodes):

  1. eQ-3 Homematic CCU2 (hardware) (version unspecified -) AND EQ-3 HomeMatic CCU2 version 2.47.20 (firmware) AND HM Print Project HM Print version 1.2a (application) (FIRMWARE AND APPLICATION VULNERABLE), OR,
  2. eQ-3 Homematic CCU3 (hardware) (version unspecified -) AND EQ-3 HomeMatic CCU3 version 3.47.18 (firmware) AND HM Print Project HM Print version 1.2 (application) (FIRMWARE AND APPLICATION VULNERABLE), OR,
  3. eQ-3 Homematic CCU3 (hardware) (version unspecified -) AND EQ-3 HomeMatic CCU3 version 3.47.18 (firmware) AND HM Print Project HM Print version 1.2a (application) (FIRMWARE AND APPLICATION VULNERABLE), OR,
  4. eQ-3 Homematic CCU2 (hardware) (version unspecified -) AND EQ-3 HomeMatic CCU2 version 2.47.20 (firmware) AND HM Print Project HM Print version 1.2 (application) (FIRMWARE AND APPLICATION VULNERABLE)
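The three configuration types above all reduce to the same evaluation rule (a cpeMatch hits or not, a node combines its hits with AND/OR and optionally negates, a configuration combines its nodes, and the configurations list is an OR), so here is an added example that applies that rule in code. It is not code from the thread or from NVD; it assumes the asset inventory is already expressed as the set of matchCriteriaId values an asset satisfies (resolving a CPE name to matchCriteriaIds is the separate cvehistory lookup shown in the thread), that a configuration with no top-level operator is treated as AND (with one node, AND and OR coincide, so this changes nothing for the data here), and the sample configurations are hand-built excerpts of the CVE-2022-27948 and CVE-2019-18939 responses quoted above. `count_combinations` reproduces the thread's 24 and 4 by the same arithmetic (OR adds the CPE-name counts of its children, AND multiplies them).

```python
"""Evaluate NVD CVE API 2.0 'configurations' against an asset inventory.

Added example for this thread, not code from NVD or from the posters. The
inventory is the set of matchCriteriaId values an asset satisfies. The sample
data is a hand-built excerpt of the responses quoted in the thread.
"""
from math import prod


def cm(vulnerable, criteria, match_id):
    """Build one cpeMatch entry in the shape the API returns."""
    return {"vulnerable": vulnerable, "criteria": criteria, "matchCriteriaId": match_id}


# Running On/With: CVE-2022-27948 excerpt, a top-level AND over two OR nodes.
M3_FW, MS_FW, MX_FW = ("86619D7A-ACB6-489C-9C29-37C6018E5B4B",
                       "FD68704D-C711-491F-B278-B02C6866738C",
                       "C3517683-8493-4D0D-9792-5C9034B1F0B3")
M3_HW, MS_HW, MX_HW = ("825A79FD-C872-4564-9782-83BEEADDF5D9",
                       "8D28E699-B843-4641-9BA6-406D88231E7C",
                       "C550FF8A-58ED-4265-B33F-10AFDEA95519")
TESLA = [{"operator": "AND", "nodes": [
    {"operator": "OR", "negate": False, "cpeMatch": [
        cm(True, "cpe:2.3:o:tesla:model_3_firmware:*:*:*:*:*:*:*:*", M3_FW),
        cm(True, "cpe:2.3:o:tesla:model_s_firmware:*:*:*:*:*:*:*:*", MS_FW),
        cm(True, "cpe:2.3:o:tesla:model_x_firmware:*:*:*:*:*:*:*:*", MX_FW)]},
    {"operator": "OR", "negate": False, "cpeMatch": [
        cm(False, "cpe:2.3:h:tesla:model_3:-:*:*:*:*:*:*:*", M3_HW),
        cm(False, "cpe:2.3:h:tesla:model_s:-:*:*:*:*:*:*:*", MS_HW),
        cm(False, "cpe:2.3:h:tesla:model_x:-:*:*:*:*:*:*:*", MX_HW)]}]}]
# Number of CPE names each matchCriteriaId expands to, as listed in the thread.
TESLA_CPE_COUNTS = {M3_FW: 3, MS_FW: 2, MX_FW: 3, M3_HW: 1, MS_HW: 1, MX_HW: 1}

# Advanced: the four CVE-2019-18939 configurations, each a single AND node.
HMP_12A, HMP_12 = "286DA904-5631-4AAF-86DE-97C23982D2C5", "F5D8290F-3541-4452-99CB-0766CDC59073"
CCU2_HW, CCU2_FW = "9C2CF19C-7EDE-4E3C-A736-E6736FF03FDC", "38BE17DA-7C5E-427E-B824-151EB27CFF26"
CCU3_HW, CCU3_FW = "33113AD0-F378-49B2-BCFC-C57B52FD3A04", "285F4E29-E299-4F83-9F7E-BB19933AD654"
HMP = {HMP_12A: "cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*",
       HMP_12: "cpe:2.3:a:hm-print_project:hm-print:1.2:*:*:*:*:*:*:*"}
CCU = {CCU2_HW: "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
       CCU2_FW: "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*",
       CCU3_HW: "cpe:2.3:h:eq-3:homematic_ccu3:-:*:*:*:*:*:*:*",
       CCU3_FW: "cpe:2.3:o:eq-3:homematic_ccu3_firmware:3.47.18:*:*:*:*:*:*:*"}
HOMEMATIC = [
    {"nodes": [{"operator": "AND", "negate": False, "cpeMatch": [
        cm(True, HMP[app], app), cm(False, CCU[hw], hw), cm(True, CCU[fw], fw)]}]}
    for app, hw, fw in [(HMP_12A, CCU2_HW, CCU2_FW), (HMP_12, CCU3_HW, CCU3_FW),
                        (HMP_12A, CCU3_HW, CCU3_FW), (HMP_12, CCU2_HW, CCU2_FW)]]


def _combine(operator, values):
    """Apply a node or configuration operator to a list of booleans."""
    if operator == "AND":
        return all(values)
    if operator == "OR":
        return any(values)
    raise ValueError(f"unknown operator {operator!r}")


def node_matches(node, present):
    """Return (matched, vulnerable_ids) for one node; negate inverts the result."""
    hits = [m["matchCriteriaId"] in present for m in node["cpeMatch"]]
    matched = _combine(node["operator"], hits) != node.get("negate", False)
    vulnerable = {m["matchCriteriaId"] for m, hit in zip(node["cpeMatch"], hits)
                  if hit and m["vulnerable"]}
    return matched, vulnerable


def is_affected(configurations, present):
    """Return (affected, sorted vulnerable matchCriteriaIds) for one CVE.

    Configurations are evaluated in isolation and OR'd together. A missing
    top-level operator is treated as AND (assumption; harmless with one node).
    """
    affected, vulnerable = False, set()
    for config in configurations:
        results = [node_matches(n, present) for n in config["nodes"]]
        if _combine(config.get("operator", "AND"), [ok for ok, _ in results]):
            affected = True
            for ok, ids in results:
                if ok:
                    vulnerable |= ids
    return affected, sorted(vulnerable)


def count_combinations(configurations, cpe_counts):
    """Count matching product combinations the way the thread does: OR adds the
    CPE-name counts of its children, AND multiplies them, configurations add up.
    Negated nodes are rejected because their complement is not a finite set."""
    def node_count(node):
        if node.get("negate", False):
            raise ValueError("cannot enumerate a negated node")
        counts = [cpe_counts[m["matchCriteriaId"]] for m in node["cpeMatch"]]
        return prod(counts) if node["operator"] == "AND" else sum(counts)

    total = 0
    for config in configurations:
        counts = [node_count(n) for n in config["nodes"]]
        total += prod(counts) if config.get("operator", "AND") == "AND" else sum(counts)
    return total


if __name__ == "__main__":
    print(is_affected(TESLA, {M3_FW, M3_HW}))           # affected; only the firmware id is vulnerable
    print(count_combinations(TESLA, TESLA_CPE_COUNTS))  # 24
    print(count_combinations(HOMEMATIC, {k: 1 for k in HMP | CCU}))  # 4
```

Two things the code makes explicit that the prose leaves implicit: a Running On/With match reports only the entries flagged `vulnerable: true` (the Tesla hardware is part of the match condition but is not itself the affected product), and an inventory that satisfies only one side of the top-level AND, say the firmware without any hardware entry, does not match at all. The cross-model pairs the thread calls redundant (Model S firmware with Model X hardware) evaluate as matches exactly as NVD wrote them, which is worth knowing before you trust a raw configuration match without looking at the criteria.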