Expanding Database Coverage: 11 New Products Now Supported

Attestd's first major Q2 expansion is live. 11 new database engines are now supported via the /v1/check endpoint, covering the data layer of most production infrastructure stacks.
New products: MySQL, MariaDB, MongoDB, Elasticsearch, SQLite, CouchDB, Apache Cassandra, Microsoft SQL Server, Oracle Database, Couchbase Server, Apache Derby.
Four additional candidates (RocksDB, etcd, InfluxDB, and Neo4j) were evaluated and cut on data quality grounds. RocksDB has no standalone NVD CPE records at all. etcd, InfluxDB, and Neo4j each had fewer than 10 usable CVE records after filtering out unfiled version ranges, which is not enough data for reliable synthesis. Attestd only ships products where the underlying NVD data is sufficient to produce trustworthy risk states. These four will be re-evaluated as NVD coverage improves.
## What the data shows
Across representative vulnerable versions of the 11 new databases:
| Risk State | Products | % |
|---|---|---|
| Critical | 2 | 18.2% |
| High | 6 | 54.5% |
| Elevated | 3 | 27.3% |
No product returned `low` or `none` on the tested versions. The database tier carries real exposure.
### Critical

- MongoDB 6.0.3 - 25 CVEs including MongoBleed (CVE-2025-14847), an actively exploited memory disclosure. Versions before 8.0 carry significant risk in production.
- CouchDB 3.2.1 - Only 2 CVEs on record, but both are critical unauthenticated RCE. Low CVE count does not mean low risk; it means sparse NVD coverage for a product with a serious historical vulnerability profile.
### High

- MariaDB 10.6.5 - 49 CVEs spanning DoS, injection, and privilege escalation. Broad attack surface with patches available.
- Elasticsearch 7.13.3 - 23 CVEs with RCE potential. Legacy 7.x versions from 2020-2021 are the primary risk.
- Oracle Database 19.3.0 - 20 CVEs. Complex version string handling required: NVD stores numeric versions (19.x), not release names (19c).
- Couchbase 7.0.4 - 15 CVEs including authenticated RCE.
### Elevated

- MySQL 8.0.32 - 115 records in NVD. Large cumulative exposure even though individual CVEs require authentication. The most comprehensively documented database in this batch.
- Cassandra 3.11.10 - Network exposure exists, but exploitation requires authentication in most cases.
- Microsoft SQL Server 15.0.4123.1 - Year-based version naming (SQL Server 2019) maps to build numbers at the NVD level. The API handles this translation automatically.
## Checking your databases

All 11 products are available via the standard /v1/check endpoint.

### MongoDB 6.0.3

```bash
curl -s "https://api.attestd.io/v1/check?product=mongodb&version=6.0.3" \
  -H "Authorization: Bearer YOUR_API_KEY" | jq .
```

```json
{
  "product": "mongodb",
  "version": "6.0.3",
  "supported": true,
  "risk_state": "critical",
  "actively_exploited": true,
  "remote_exploitable": true,
  "patch_available": true,
  "fixed_version": "6.0.27",
  "cve_ids": ["CVE-2023-1409", "CVE-2024-10921"],
  "confidence": 0.92,
  "last_updated": "2026-04-04T12:00:00Z"
}
```

### MariaDB 10.6.5

```bash
curl -s "https://api.attestd.io/v1/check?product=mariadb&version=10.6.5" \
  -H "Authorization: Bearer YOUR_API_KEY" | jq .
```

### Elasticsearch 7.13.3

```bash
curl -s "https://api.attestd.io/v1/check?product=elasticsearch&version=7.13.3" \
  -H "Authorization: Bearer YOUR_API_KEY" | jq .
```

### Oracle Database 19.3.0.0

```bash
curl -s "https://api.attestd.io/v1/check?product=oracle_db&version=19.3.0.0" \
  -H "Authorization: Bearer YOUR_API_KEY" | jq .
```

### MySQL 8.0.32

```bash
curl -s "https://api.attestd.io/v1/check?product=mysql&version=8.0.32" \
  -H "Authorization: Bearer YOUR_API_KEY" | jq .
```

### Cassandra 3.11.10

```bash
curl -s "https://api.attestd.io/v1/check?product=cassandra&version=3.11.10" \
  -H "Authorization: Bearer YOUR_API_KEY" | jq .
```

### CouchDB 3.2.1

```bash
curl -s "https://api.attestd.io/v1/check?product=couchdb&version=3.2.1" \
  -H "Authorization: Bearer YOUR_API_KEY" | jq .
```

### Microsoft SQL Server 15.0.4123.1

```bash
curl -s "https://api.attestd.io/v1/check?product=mssql&version=15.0.4123.1" \
  -H "Authorization: Bearer YOUR_API_KEY" | jq .
```

### Couchbase 7.0.4

```bash
curl -s "https://api.attestd.io/v1/check?product=couchbase&version=7.0.4" \
  -H "Authorization: Bearer YOUR_API_KEY" | jq .
```

### SQLite 3.39.1

```bash
curl -s "https://api.attestd.io/v1/check?product=sqlite&version=3.39.1" \
  -H "Authorization: Bearer YOUR_API_KEY" | jq .
```

### Apache Derby 10.11.1.1

```bash
curl -s "https://api.attestd.io/v1/check?product=apache_derby&version=10.11.1.1" \
  -H "Authorization: Bearer YOUR_API_KEY" | jq .
```
## Using this in an agent or pipeline

The Python SDK works the same way for all new products.

```python
from attestd import Client

client = Client(api_key="your_api_key")

db_versions = {
    "mongodb": "6.0.3",
    "elasticsearch": "7.13.3",
    "postgresql": "14.0",
}

for product, version in db_versions.items():
    result = client.check(product, version)
    if result.risk_state in ("critical", "high"):
        print(f"Alert: {product} {version} - {result.risk_state}")
        print(f"  Fixed in: {result.fixed_version}")
        print(f"  CVEs: {result.cve_ids[:3]}")
```
### Async pattern for production pipelines

If your agent or pipeline runs async, use AsyncClient to check multiple databases in parallel:

```python
import asyncio

import attestd
from attestd import AttestdUnsupportedProductError


async def audit_database_stack(stack: dict[str, str]) -> list[dict]:
    results = []
    async with attestd.AsyncClient(api_key="your_api_key") as client:
        # One request per product, issued concurrently; failures are returned
        # as exception objects instead of cancelling the whole gather.
        checks = await asyncio.gather(
            *[client.check(product, version) for product, version in stack.items()],
            return_exceptions=True,
        )
        for (product, version), result in zip(stack.items(), checks):
            if isinstance(result, AttestdUnsupportedProductError):
                results.append({"product": product, "status": "outside_coverage"})
            elif isinstance(result, Exception):
                results.append({"product": product, "status": "check_failed"})
            else:
                results.append({
                    "product": product,
                    "version": version,
                    "risk_state": result.risk_state,
                    "fixed_version": result.fixed_version,
                })
    return results


stack = {
    "mongodb": "6.0.3",
    "elasticsearch": "7.13.3",
    "mysql": "8.0.32",
    "postgresql": "14.0",
}
print(asyncio.run(audit_database_stack(stack)))
```
Checking four databases takes roughly the same time as checking one. The return_exceptions=True pattern means a single failed check doesn't abort the rest.
## Testing your integration

The attestd.testing module lets you test your branching logic without hitting the live API:

```python
import attestd
from attestd.testing import MockTransport, LOG4J_CRITICAL, NGINX_SAFE


def test_pipeline_blocks_on_critical():
    # Canned critical response served in place of the live API
    transport = MockTransport(200, LOG4J_CRITICAL)
    client = attestd.Client(api_key="test", transport=transport)
    result = client.check("mongodb", "6.0.3")
    assert result.risk_state == "critical"
    # verify your pipeline actually blocks here


def test_pipeline_allows_safe_version():
    transport = MockTransport(200, NGINX_SAFE)
    client = attestd.Client(api_key="test", transport=transport)
    result = client.check("mongodb", "6.0.27")
    assert result.risk_state == "none"
```
Full SDK reference at attestd.io/docs/sdk-reference.
## How the data is sourced
All risk assessments are derived from NVD version range matching, CISA KEV active exploitation flags, and LLM-powered synthesis collapsing overlapping version ranges into a single authoritative risk record per version band. Every response includes a confidence score and an X-Attestd-Knowledge-Age header showing data freshness. The synthesis pipeline re-runs every 6 hours.
SQLite (4 CVEs), Apache Derby (2 CVEs), and CouchDB (2 CVEs) have lower NVD record counts than the other products in this batch. This reflects NVD coverage patterns, not an assessment that these products are inherently safer. Use the confidence score as a guide - lower confidence rows have less underlying data.
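A policy gate that turns a /v1/check response body into a pipeline decision, treating a low confidence score as "needs review" rather than "safe", as the note above recommends. This is an added example, not Attestd's own code: the first input copies the MongoDB response shown on this page, the second (`exampledb`, placeholder CVE id) is constructed to exercise the low-confidence path, and the 0.8 threshold and decision names are assumptions.

```python
"""Policy gate over /v1/check response bodies (added example, not Attestd code)."""
# Constructed inputs. The first copies the response body shown on this page;
# the second is an invented record for a product with thin NVD coverage and
# uses placeholder values, not real Attestd output.
MONGODB_CRITICAL = {
    "product": "mongodb", "version": "6.0.3", "supported": True,
    "risk_state": "critical", "actively_exploited": True,
    "remote_exploitable": True, "patch_available": True,
    "fixed_version": "6.0.27",
    "cve_ids": ["CVE-2023-1409", "CVE-2024-10921"], "confidence": 0.92,
}
SPARSE_ELEVATED = {
    "product": "exampledb", "version": "1.2.3", "supported": True,
    "risk_state": "elevated", "actively_exploited": False,
    "remote_exploitable": False, "patch_available": True,
    "fixed_version": "1.2.4", "cve_ids": ["CVE-PLACEHOLDER"], "confidence": 0.55,
}


def gate(result: dict, min_confidence: float = 0.8) -> tuple[str, str]:
    """Map one response body to a (decision, reason) pair.

    Precedence: unsupported > block > review > patch > pass. A low-confidence
    row goes to review even when risk_state looks benign, because low
    confidence means less underlying NVD data, not less risk. Threshold is assumed.
    """
    if not result.get("supported", False):
        return "unsupported", "outside coverage; treat as unknown, not as safe"
    state = result.get("risk_state", "unknown")
    if result.get("actively_exploited") or state in ("critical", "high"):
        fix = result.get("fixed_version") or "no fixed version listed"
        return "block", f"{state}; fixed in {fix}"
    confidence = float(result.get("confidence", 0.0))
    if confidence < min_confidence:
        return "review", f"confidence {confidence:.2f} below {min_confidence:.2f}"
    if state == "elevated" and result.get("patch_available"):
        return "patch", f"elevated; fixed in {result.get('fixed_version')}"
    return "pass", state


def pipeline_verdict(results: list[dict]) -> str:
    """'fail' if any check blocks, 'hold' if anything needs review, else 'ok'."""
    decisions = {gate(r)[0] for r in results}
    if "block" in decisions:
        return "fail"
    if decisions & {"review", "unsupported"}:
        return "hold"
    return "ok"
```

Feed `gate` the parsed JSON body from the curl calls above, or build the dict from the SDK result object; `pipeline_verdict` over the whole stack gives the single exit status a CI step or agent needs.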
## What's next
Batch 2 covers container and orchestration infrastructure: Docker Engine, containerd, Kubernetes components, Helm, and Podman. The LangChain integration guide publishes alongside that expansion.
Get an API key at api.attestd.io/portal/login. Free tier, 1,000 calls a month, no credit card required.