added

Vulnerability Management and Web App Scanning: New Export Filters and Scoring Data (VPRv2, CVSSv4, EPSS)

Tenable has enhanced the Vulnerability Management vulnerabilities export and Web App Scanning findings export APIs with new filters and additional response data. The new filters give you more flexibility when querying vulnerabilities, and export responses now return expanded scoring metrics for analysis.

New Filters

Use the following new filters to refine your vulnerability and findings exports:

  • vpr_v2_score — Filter vulnerabilities by their Vulnerability Priority Rating (VPR) version 2 score, labeled VPR (Beta) in the user interface. To learn about the enhancements introduced in VPR v2, refer to the whitepaper Enhancements to Tenable Vulnerability Priority Rating (VPR). For details about VPR, see Vulnerability Priority Rating in the Tenable Vulnerability Management User Guide.
  • cvss4_base_score — Filter vulnerabilities by their CVSS version 4 (CVSSv4) base score. For more details about CVSSv4, see the CVSS v4.0 Specification.
  • epss_score — Filter vulnerabilities by their Exploit Prediction Scoring System (EPSS) score, expressed as a percentage from 0 to 100. For more information, see FIRST's Exploit Prediction Scoring System (EPSS). Note that this filter is currently only available for Vulnerability Management exports. It will be added to Web App Scanning findings exports soon.
  • initiative_id — Filter vulnerabilities by the unique identifier (UUID) of an Exposure Response initiative, enabling you to scope results to a specific initiative. For more information, see Exposure Response in the Tenable Vulnerability Management User Guide. Note that this filter is only applicable to Vulnerability Management exports.

Example: Using the vpr_v2_score filter:

For example, to export vulnerabilities with VPR scores between 9.0 and 9.9, you could use the following request:

{
  "num_assets": 5000,
  "filters": {
    "vpr_v2_score": {
      "gte": 9,
      "lte": 9.9
    }
  }
}

Example: Using the cvss4_base_score filter:

For example, to export vulnerabilities with a CVSSv4 base score of 8.2, you could use the following request:

{
  "num_assets": 5000,
  "filters": {
    "cvss4_base_score": {
      "eq": [
        8.2
      ]
    }
  }
}

Example: Using the epss_score filter:

For example, to export vulnerabilities with an EPSS score greater than or equal to 90, you could use the following request:

{
  "num_assets": 5000,
  "filters": {
    "epss_score": {
      "gte": 90
    }
  }
}

New Export Response Data

The Vulnerability Management Download vulnerabilities chunk endpoint and the Web App Scanning Download findings export chunk endpoint now return expanded scoring data in their responses. This includes VPRv2, CVSSv4, and EPSS metrics, enabling more detailed analysis of each vulnerability.

The new VPRv2 data is returned in the plugin.vpr_v2 object. The following table describes the new VPRv2 properties provided in the response.

| Property | Data Type | Description |
|---|---|---|
| vpr_v2 | object | Details about the Vulnerability Priority Rating (VPR) version 2 for the vulnerability. This enhanced version is labeled VPR (Beta) in the user interface. |
| vpr_v2.score | number (float) | The Vulnerability Priority Rating (VPR) version 2 score assigned to the vulnerability. This enhanced version is labeled VPR (Beta) in the user interface. If a plugin detects multiple vulnerabilities, this score reflects the highest VPR among them. |
| vpr_v2.vpr_percentile | number (float) | The percentile ranking of the Vulnerability Priority Rating (VPR) v2 score, indicating how the vulnerability compares in severity to all other scored vulnerabilities. |
| vpr_v2.vpr_severity | string | The severity level associated with the Vulnerability Priority Rating (VPR) v2 score. This label reflects the relative risk of the vulnerability based on its VPR score. |
| vpr_v2.exploit_probability | number (float) | The likelihood (as a decimal value between 0 and 1) that this vulnerability will be exploited in the wild, as determined by the VPR v2 model. This value contributes to the overall VPR score and reflects real-world exploit potential based on threat intelligence and predictive analytics. |
| vpr_v2.cve_id | string | The Common Vulnerabilities and Exposures (CVE) identifier associated with the vulnerability that the Vulnerability Priority Rating (VPR) v2 score is based on. This standardized identifier allows for consistent reference across security tools and databases. |
| exploit_code_maturity | string | The maturity level of publicly available exploit code for the vulnerability, as factored into the Vulnerability Priority Rating (VPR) v2. This metric helps assess how likely it is for the vulnerability to be actively exploited. |
| vpr_v2.on_cisa_kev | boolean | Indicates whether the vulnerability is listed in the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. Presence on the KEV list highlights critical vulnerabilities that are actively exploited and prioritized for remediation. |
| vpr_v2.exploit_chain | array of strings | A list of Common Vulnerabilities and Exposures (CVE) identifiers representing vulnerabilities that are part of an exploit chain involving this vulnerability. |
| vpr_v2.in_the_news_intensity_last30 | string | Indicates the frequency and prominence of news coverage related to this vulnerability over the past 30 days. This metric reflects the level of public and media attention, which can correlate with increased exploitability and urgency for remediation. |
| vpr_v2.in_the_news_recency | string | Indicates how recently this vulnerability has appeared in news coverage or public discussions. A more recent mention suggests increased current attention and potential exploitation risk. |
| vpr_v2.in_the_news_sources_last30 | array of strings | A list of source categories from trending vulnerability data where this CVE has been mentioned in the past 30 days. |
| vpr_v2.malware_observations_intensity_last30 | string | The intensity level of malware observations related to this vulnerability in the past 30 days. This metric reflects how actively malware exploiting this vulnerability has been detected during that period. |
| vpr_v2.malware_observations_recency | string | Indicates how recently malware exploiting this vulnerability has been observed. This value reflects the freshness of malware activity related to the vulnerability. |
| vpr_v2.targeted_industries | array of strings | A list of industries that have been targeted for exploitation via this CVE. |
| vpr_v2.targeted_regions | array of strings | A list of geographic regions where this CVE has been targeted for exploitation. |
| vpr_v2.threat_summary | object | Summary information about the threat posed by the vulnerability, including relevant details that contribute to its Vulnerability Priority Rating (VPR) v2 score. |
| vpr_v2.remediation | object | Information and recommended actions for mitigating or resolving the vulnerability. This may include patches, configuration changes, or other remediation guidance. |

The new CVSSv4 data is returned in the plugin.cvss4_vector and plugin.cvss4_threat_vector objects. Additionally, the CVSSv4 base score is returned in the plugin.cvss4_base_score property. The following table describes the new CVSSv4 properties provided in the response.

Note: The cvss4_threat_vector object is currently only available for Vulnerability Management exports. It will be added to Web App Scanning findings exports soon.

| Property | Data Type | Description |
|---|---|---|
| cvss4_base_score | number (float) | The CVSS version 4 (CVSSv4) base score, representing the intrinsic and fundamental characteristics of a vulnerability that remain constant over time and across different user environments. The score ranges from 0 to 10, with higher values indicating greater severity. |
| cvss4_vector | object | An object representing the full set of CVSS v4.0 base metrics for the vulnerability. These metrics define the intrinsic characteristics of the vulnerability, including how it can be exploited (e.g., attack vector, privileges required) and the potential impacts to both the vulnerable system and subsequent systems (e.g., confidentiality, integrity, availability). |
| cvss4_vector.attack_vector | string | The CVSSv4 Attack Vector (AV) metric, which describes the context by which the vulnerability can be exploited. |
| cvss4_vector.attack_complexity | string | The CVSSv4 Attack Complexity (AC) metric, which indicates the conditions beyond the attacker's control that must exist to exploit the vulnerability. |
| cvss4_vector.attack_requirements | string | The CVSSv4 Attack Requirements (AT) metric, which specifies prerequisite conditions of the vulnerable component that must be met for an attack to succeed. |
| cvss4_vector.privileges_required | string | The CVSSv4 Privileges Required (PR) metric, which indicates the level of privileges an attacker must have to successfully exploit the vulnerability. |
| cvss4_vector.user_interaction | string | The CVSSv4 User Interaction (UI) metric, which describes the level of user interaction required for an attack to succeed. |
| cvss4_vector.vulnerable_system_confidentiality | string | The CVSSv4 Vulnerable System Confidentiality (VC) metric, which measures the impact on the confidentiality of information on the vulnerable system. |
| cvss4_vector.vulnerable_system_integrity | string | The CVSSv4 Vulnerable System Integrity (VI) metric, which measures the impact on the integrity of information on the vulnerable system. |
| cvss4_vector.vulnerable_system_availability | string | The CVSSv4 Vulnerable System Availability (VA) metric, which measures the impact on the availability of the vulnerable system. |
| cvss4_vector.subsequent_system_confidentiality | string | The CVSSv4 Subsequent System Confidentiality (SC) metric, which measures the impact on the confidentiality of information on systems subsequent to the vulnerable component. |
| cvss4_vector.subsequent_system_integrity | string | The CVSSv4 Subsequent System Integrity (SI) metric, which measures the impact on the integrity of information on systems subsequent to the vulnerable component. |
| cvss4_vector.subsequent_system_availability | string | The CVSSv4 Subsequent System Availability (SA) metric, which measures the impact on the availability of systems subsequent to the vulnerable component. |
| cvss4_vector.raw | string | The complete CVSSv4 Base vector string representing all metric values in a compact, standardized format. This includes metrics such as Attack Vector, Attack Complexity, Privileges Required, and others. For example, AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H. |
| cvss4_threat_vector | object | An object representing the CVSS v4.0 Threat metrics for the vulnerability. These metrics provide context on current, observed threat activity in the wild, such as evidence of exploitation or the presence of available exploit code. Threat metrics can help refine the severity and prioritization of vulnerabilities beyond their intrinsic characteristics. |
| cvss4_threat_vector.threat_score | number (float) | The CVSS v4.0 threat score (CVSS-T), which adjusts the base score by incorporating real-world threat intelligence, such as the presence of active exploitation, exploit code availability, or observed malware activity. This score reflects the current threat landscape for the vulnerability. |
| cvss4_threat_vector.exploit_maturity | string | The CVSS v4.0 Exploit Maturity (E) metric, indicating the current development status of exploit techniques or code for the vulnerability. |
| cvss4_threat_vector.raw | string | The complete cvss4_threat_vector metrics and their result values for the vulnerability, expressed as a concise, coded string. This threat vector is typically appended to the CVSSv4 Base vector. For example, CVSS:4.0/E:U. |
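
The two raw fields can be validated and joined into a single CVSS v4.0 vector before being passed to other tooling. The following is an added example, not Tenable code: the function names and the sample records are constructed here, the raw strings are the ones quoted in the table, and the legal metric values are those of the CVSS v4.0 specification.

```python
# Legal values for the CVSS v4.0 base and threat metrics, in vector order.
BASE_METRICS = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN",
    "SC": "HLN", "SI": "HLN", "SA": "HLN",
}
THREAT_METRICS = {"E": "XAPU"}
PREFIX = "CVSS:4.0"


def parse_vector(raw, allowed):
    """Split 'K:V/K:V' into a dict, rejecting unknown, repeated or illegal metrics."""
    parts = raw.strip().split("/")
    if parts[0] == PREFIX:          # the prefix is present in some raw strings only
        parts = parts[1:]
    metrics = {}
    for part in parts:
        name, sep, value = part.partition(":")
        if not sep or name not in allowed:
            raise ValueError(f"unexpected metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        if len(value) != 1 or value not in allowed[name]:
            raise ValueError(f"illegal value {part!r}")
        metrics[name] = value
    return metrics


def full_vector(plugin):
    """Compose one prefixed vector from a record's plugin object."""
    base = parse_vector(plugin["cvss4_vector"]["raw"], BASE_METRICS)
    missing = [m for m in BASE_METRICS if m not in base]
    if missing:
        raise ValueError(f"base vector lacks {missing}")
    # cvss4_threat_vector is absent from Web App Scanning exports for now.
    threat_raw = (plugin.get("cvss4_threat_vector") or {}).get("raw")
    threat = parse_vector(threat_raw, THREAT_METRICS) if threat_raw else {}
    ordered = [f"{m}:{base[m]}" for m in BASE_METRICS]
    ordered += [f"{m}:{v}" for m, v in threat.items()]
    return "/".join([PREFIX] + ordered)


# Constructed plugin objects using the raw strings quoted in the table.
VM_PLUGIN = {
    "cvss4_vector": {"raw": "AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"},
    "cvss4_threat_vector": {"raw": "CVSS:4.0/E:U"},
}
WAS_PLUGIN = {"cvss4_vector": VM_PLUGIN["cvss4_vector"]}
```

A record whose base vector is incomplete or uses an unknown metric name raises ValueError instead of producing a vector that downstream calculators would score incorrectly.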

The new EPSS data is returned in the plugin object as epss_score.

Note: The epss_score property is currently only available for Vulnerability Management exports. It will be added to Web App Scanning findings exports soon.

| Property | Data Type | Description |
|---|---|---|
| epss_score | number (float) | The Exploit Prediction Scoring System (EPSS) score estimates the likelihood (as a percentage) that a software vulnerability will be exploited in the wild within the next 30 days. The score ranges from 0 to 100, with higher values indicating a greater probability of exploitation. |
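
One way to use the new scoring fields for remediation triage, shown as an added example rather than Tenable code. The tier names and thresholds are a hypothetical policy that reuses the values from the filter examples above, and the sample chunk (including asset.hostname and plugin.id) is constructed.

```python
import json

# Constructed sample shaped like one export chunk (assumed to be a JSON array of
# findings). asset.hostname, plugin.id and every value are illustrative.
CHUNK = json.loads("""[
  {"asset": {"hostname": "web01"}, "plugin": {"id": 1001, "cvss4_base_score": 8.2,
    "epss_score": 93.5, "vpr_v2": {"score": 7.1, "exploit_probability": 0.35, "on_cisa_kev": false}}},
  {"asset": {"hostname": "db02"}, "plugin": {"id": 1002, "cvss4_base_score": 6.9,
    "epss_score": 2.4, "vpr_v2": {"score": 8.8, "exploit_probability": 0.12, "on_cisa_kev": true}}},
  {"asset": {"hostname": "app03"}, "plugin": {"id": 1003, "cvss4_base_score": 9.3,
    "vpr_v2": {"score": 9.6, "exploit_probability": 0.05, "on_cisa_kev": false}}},
  {"asset": {"hostname": "old04"}, "plugin": {"id": 1004}}
]""")

TIERS = ("known-exploited", "likely-exploited", "high-score", "routine")


def exploit_likelihood(plugin):
    """Highest available exploitation estimate on a 0-1 scale, or None.

    epss_score is a percentage (0-100) and vpr_v2.exploit_probability is a
    decimal (0-1), so EPSS is divided by 100 before the two are compared.
    """
    estimates = []
    if plugin.get("epss_score") is not None:
        estimates.append(plugin["epss_score"] / 100.0)
    prob = (plugin.get("vpr_v2") or {}).get("exploit_probability")
    if prob is not None:
        estimates.append(prob)
    return max(estimates) if estimates else None


def tier(plugin, likelihood_floor=0.9, score_floor=9.0):
    """Assign a tier; missing fields (e.g. no epss_score) never raise."""
    vpr = plugin.get("vpr_v2") or {}
    likelihood = exploit_likelihood(plugin)
    if vpr.get("on_cisa_kev"):
        return "known-exploited"
    if likelihood is not None and likelihood >= likelihood_floor:
        return "likely-exploited"
    if (vpr.get("score") or 0) >= score_floor:
        return "high-score"
    return "routine"


def triage(records):
    """Return (tier, hostname, plugin id) tuples, most urgent tier first."""
    rows = [(tier(r["plugin"]), r["asset"]["hostname"], r["plugin"]["id"]) for r in records]
    return sorted(rows, key=lambda row: TIERS.index(row[0]))
```

Records that lack epss_score or vpr_v2, as Web App Scanning findings currently do for EPSS, fall through to the remaining checks rather than being dropped.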