Common vulnerabilities and exposures - Amazon Inspector Classic

This is the user guide for Amazon Inspector Classic. For information about the new Amazon Inspector, see the Amazon Inspector User Guide. To access the Amazon Inspector Classic console, open the Amazon Inspector console at, and then choose Amazon Inspector Classic in the navigation pane.

Common vulnerabilities and exposures


Inspector Classic will be retired on December 18, 2024. To delete all vulnerability and network reachability assessments in Inspector Classic, and then move to the new version of Inspector, see Moving to the new Amazon Inspector. To learn more about the new Amazon Inspector, see Amazon Inspector.

The rules in this package help verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs). Attacks can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service or data. The CVE system provides a reference method for publicly known information security vulnerabilities and exposures. For more information, see

If a particular CVE appears in a finding that is produced by an Amazon Inspector Classic assessment, you can search for the ID of the CVE (for example, CVE-2009-0021). The search results can provide detailed information about this CVE, its severity, and how to mitigate it.

For the Common Vulnerabilities & Exploits (CVE) rules package, Amazon Inspector has mapped the provided CVSS Base Scoring and ALAS Severity levels provided:

Amazon Inspector Severity CVSS Base Score ALAS Severity (if CVSS not scored)
High >= 5 Critical or Important
Medium < 5 and >= 2.1 Medium
Low < 2.1 and >= 0.8 Low
Informational < 0.8 N/A

The rules included in this package help you assess whether your EC2 instances are exposed to the CVEs in the following regional lists:

The CVE rules package is updated regularly; this list includes the CVEs that are included in assessments runs that occur at the same time that this list is retrieved.

For more information, see Amazon Inspector Classic rules packages for supported operating systems.