cve-validation

This skill validates CVE identifiers and checks remediation availability in Red Hat Lightspeed, ensuring CVEs are valid and remediable before investing effort in remediation planning.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "cve-validation" with this command: npx skills add dmartinol/ai5-marketplaces/dmartinol-ai5-marketplaces-cve-validation

CVE Validation Skill

Integration with Remediation Skill: The /remediation skill orchestrates this skill as part of its Step 2 (Validate CVE) workflow. For standalone CVE validation, you can invoke this skill directly.

Invocation Note (Host-Specific)

When invoked by another skill (e.g. remediation), use the Skill tool—do NOT use "Task Output" with the skill name as task ID. That causes "No task found with ID: cve-validation". See skill-invocation.md.

Prerequisites

Required MCP Servers: lightspeed-mcp (setup guide)

Required MCP Tools:

  • get_cve (from lightspeed-mcp) - Get CVE metadata and validation

Required Environment Variables:

  • LIGHTSPEED_CLIENT_ID - Red Hat Lightspeed service account client ID

  • LIGHTSPEED_CLIENT_SECRET - Red Hat Lightspeed service account secret

Prerequisite Validation

CRITICAL: Before executing any operations, execute the /mcp-lightspeed-validator skill to verify MCP server availability.

Validation freshness: Can skip if already validated in this session. See Validation Freshness Policy.

How to invoke: Execute the /mcp-lightspeed-validator skill

Handle validation result:

  • If validation PASSED: Continue with CVE validation

  • If validation PARTIAL: Warn user and ask to proceed

  • If validation FAILED: Stop execution, provide setup instructions

When to Use This Skill

Use this skill directly when you need:

  • Quick validation of CVE identifier format and existence (standalone query)

  • Check if automated remediation is available

  • Verify CVE metadata before analysis

  • Validate CVE lists for batch operations

DO NOT use this skill (use the /remediation skill instead) when:

  • User says "create a remediation playbook" or "remediate CVE-X" or "patch CVE-X"

  • User says "create playbook and execute it" - agent orchestrates full workflow

  • Any request that implies playbook generation or execution

Use the /remediation skill when you need:

  • Full remediation workflow (validation + analysis + playbook + execution)

  • Integrated CVE validation as part of remediation planning

How they work together: The /remediation skill invokes this skill early in the workflow to fail fast if a CVE is invalid or has no automated remediation, saving time and effort.

When invoked by remediation: Return remediatable status prominently so the orchestrator can gate. Include remediation_status.automated_remediation_available (boolean) and validation_status ("valid" | "not_remediable" | "invalid" | "not_found") in the output.

Workflow

Step 0: Validate Lightspeed MCP Prerequisites

Action: Execute the /mcp-lightspeed-validator skill

Note: Can skip if validation was performed earlier in this session and succeeded. See Validation Freshness Policy.

How to invoke: Execute the /mcp-lightspeed-validator skill

Handle validation result:

  • If validation PASSED: Continue to Step 1

  • If validation PARTIAL: Warn user and ask to proceed

  • If validation FAILED: Stop execution, user must set up MCP server

Step 1: CVE Format Validation

Validate CVE identifier format before calling MCP tools. Format only—do NOT reject based on year or sequence magnitude.

CVE Format: CVE-YYYY-NNNNN Where:

  • YYYY = 4-digit year (1999-2030; current and recent years are valid)
  • NNNNN = 4-7 digit sequence number (e.g. 1234, 24882, 1234567)

Valid Examples:

  • CVE-2024-1234
  • CVE-2026-24882 # 2026 CVEs exist; 24882 is 5 digits (valid)
  • CVE-2023-12345
  • CVE-2021-1234567

Invalid Examples (format only):

  • CVE-24-1234 (year must be 4 digits)
  • CVE-2024-ABC (sequence must be numeric)
  • 2024-1234 (missing CVE- prefix)
  • CVE-2024-123 (sequence must be 4-7 digits)

Quick Regex Check:

Pattern: ^CVE-\d{4}-\d{4,7}$

If invalid format:

  → Return error immediately
  → Suggest format correction
  → Do not proceed to MCP tool calls

CRITICAL - Do NOT add extra checks: If the format matches the regex, you MUST call get_cve. Do NOT reject based on:

  • "Future" or "current year" assumptions (e.g. "2026 CVE might not exist yet")

  • Sequence number magnitude (e.g. "24882 seems high")—5 digits is valid

  • Your training data about typical CVE ranges

Let the API determine existence. A 404 from get_cve means "not found"; format validation only catches malformed IDs.
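A format-only gate for Step 1, as an added example that is not part of the upstream skill. The names check_format and split_batch and the sample list are assumptions made here; the block uses [0-9] with fullmatch() because, in Python, the page's pattern used with match() also accepts a trailing newline and non-ASCII digits.

```python
import re

# [0-9] instead of \d: Python's \d also matches non-ASCII Unicode digits.
# fullmatch() instead of ^...$: "$" would also accept a trailing newline.
CVE_ID = re.compile(r"CVE-[0-9]{4}-[0-9]{4,7}")
# The page's pattern as written, kept only for comparison via match().
PAGE_PATTERN = re.compile(r"^CVE-\d{4}-\d{4,7}$")
EXPECTED = "expected CVE-YYYY-NNNN (4-digit year, 4-7 digit sequence)"


def check_format(raw):
    """Return (ok, hint). Format only: no year or sequence-magnitude checks."""
    if not isinstance(raw, str):
        return False, EXPECTED
    if CVE_ID.fullmatch(raw):
        return True, None
    # Offer a correction only when a trivial fix yields a well-formed ID.
    candidate = raw.strip().upper()
    if not candidate.startswith("CVE-"):
        candidate = "CVE-" + candidate
    if CVE_ID.fullmatch(candidate):
        return False, f"did you mean {candidate}?"
    return False, EXPECTED


def split_batch(ids):
    """Partition a list into IDs to send to get_cve and rejected inputs."""
    to_query, rejected = [], {}
    for raw in ids:
        ok, hint = check_format(raw)
        if ok and raw not in to_query:      # de-duplicate: one lookup per ID
            to_query.append(raw)
        elif not ok:
            rejected[repr(raw)] = hint      # repr() exposes hidden characters
    return to_query, rejected


# Constructed sample input: the page's valid/invalid examples plus edge cases.
SAMPLE = ["CVE-2024-1234", "CVE-2026-24882", "CVE-2021-1234567", "CVE-2024-1234",
          "CVE-24-1234", "CVE-2024-ABC", "2024-1234", "CVE-2024-123",
          "CVE-2024-1234\n", "CVE-2024-\u0661\u0662\u0663\u0664", "cve-2023-12345"]

if __name__ == "__main__":
    queue, bad = split_batch(SAMPLE)
    print("query:", queue)
    for value, hint in bad.items():
        print("reject:", value, "->", hint)
```

Only the IDs in the first list go on to get_cve; a rejected input is reported with its hint and never silently rewritten.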

Step 2: CVE Metadata Retrieval

CRITICAL: Document consultation MUST happen BEFORE tool invocation.

Document Consultation (REQUIRED - Execute FIRST):

  • Action: Read vulnerability-logic.md using the Read tool to understand CVE validation criteria

  • Action: Read references/01-remediation-indicators.md to interpret get_cve response—CRITICAL to avoid misinterpreting remediation availability

  • Output to user: "I consulted vulnerability-logic.md and 01-remediation-indicators.md for CVE validation and remediation indicator interpretation."

MCP Tool: get_cve or vulnerability__get_cve (from lightspeed-mcp)

Do NOT use vulnerability__explain_cves for validation. That tool requires system_uuid from inventory; at validation you may not have it. get_cve provides remediation availability. Never pass system_uuid: "undefined" or placeholders.

Parameters:

  • cve: Exact CVE identifier from user query (format: "CVE-YYYY-NNNNN"), for example "CVE-2024-1234"

  • advisory_available: "true" (retrieve CVE with advisory/remediation info)

Expected Output: CVE metadata including CVSS score, severity, affected packages, remediation availability

Retrieve CVE metadata from Red Hat Lightspeed:

{
  "cve_id": "CVE-2024-1234",
  "cvss_score": 7.5,
  "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
  "severity": "Important",  # Red Hat severity rating
  "description": "A vulnerability in Apache HTTPD...",
  "published_date": "2024-01-15",
  "modified_date": "2024-01-20",

  "affected_packages": [
    {
      "name": "httpd",
      "version": "2.4.37-1.el8",
      "fixed_version": "2.4.37-2.el8"
    }
  ],

  "references": [
    "https://access.redhat.com/errata/RHSA-2024:1234",
    "https://nvd.nist.gov/vuln/detail/CVE-2024-1234"
  ],

  "cwe": "CWE-400: Uncontrolled Resource Consumption",

  "exploitability": "Proof of concept available",
  "remediation_available": true,  # KEY FIELD
  "reboot_required": false
}

Step 3: Validation Checks

CRITICAL: Document consultation MUST happen BEFORE validation logic.

Document Consultation (REQUIRED - Execute FIRST):

  • Action: Read cvss-scoring.md using the Read tool to understand Red Hat severity classification and CVSS score ranges

  • Output to user: "I consulted cvss-scoring.md to understand Red Hat severity classification and CVSS score ranges."

Perform comprehensive validation:

A. Existence Check:

✓ CVE exists in Red Hat CVE database
✗ CVE not found → Return error with suggestions

B. Red Hat Relevance Check:

✓ CVE affects RHEL systems
✗ CVE is Windows/macOS specific → Not applicable to RHEL

C. Severity Classification:

Red Hat Severity Levels:

  • Critical (CVSS 9.0-10.0): Immediate action required
  • Important (CVSS 7.0-8.9): Urgent remediation needed
  • Moderate (CVSS 4.0-6.9): Plan remediation
  • Low (CVSS 0.1-3.9): Low priority

D. Remediation Availability Check (READ references/01-remediation-indicators.md):

Key Question: Can Red Hat Lightspeed generate an automated playbook?

✅ USE these fields:

  • advisory_available === true → Remediation available
  • remediation === 2 → Automated remediation available
  • advisories_list non-empty → RHSA exists, remediation available

❌ DO NOT use rules[] for remediation decision:

  • rules: [] (empty) does NOT mean "no remediation"
  • Advisor rules are separate from vulnerability remediation
  • Remediation comes from Security Advisories (RHSA), not Advisor rules

✓ If advisory_available=true OR remediation=2 OR advisories_list has entries
  → Proceed with automated remediation
  → Use create_vulnerability_playbook tool

✗ If advisory_available=false AND (remediation=0 or advisories_list empty)
  → Manual remediation required
  → Provide manual steps based on affected packages

E. Package Information Validation:

Check affected_packages array:

✓ Packages identified: httpd-2.4.37-1.el8
✓ Fixed version available: httpd-2.4.37-2.el8
✓ Package exists in RHEL repositories

This information will be used by playbook-generator skill.
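The Step 3D decision mapped onto the two fields the orchestrator gates on, as an added example that is not part of the upstream skill. The function names, the use of None for a 404 from get_cve, the shape of the constructed responses, and applying the positive rule first when both Step 3D rules match are assumptions made here.

```python
import re

CVE_ID = re.compile(r"CVE-[0-9]{4}-[0-9]{4,7}")


def remediable(resp):
    """Positive rule from Step 3D, with strict types."""
    advisories = resp.get("advisories_list")
    # resp["rules"] is deliberately never read: Advisor rules are not RHSAs.
    # "is True" matters: the string "false" would be truthy in a plain test.
    return (resp.get("advisory_available") is True
            or resp.get("remediation") == 2
            or (isinstance(advisories, list) and len(advisories) > 0))


def assess(cve_id, resp):
    """Build the gate fields. resp is the parsed get_cve output, or None
    when the lookup returned 404 (assumed calling convention)."""
    if not isinstance(cve_id, str) or not CVE_ID.fullmatch(cve_id):
        status, auto = "invalid", False
    elif resp is None:
        status, auto = "not_found", False
    elif not isinstance(resp, dict):
        raise ValueError("unexpected get_cve response type")
    else:
        auto = remediable(resp)
        status = "valid" if auto else "not_remediable"
    return {"validation_status": status,
            "remediation_status": {"automated_remediation_available": auto}}


# Constructed responses; values are placeholders, not real advisories.
SAMPLES = {
    "rhsa_no_rules": {"advisory_available": True, "remediation": 2,
                      "advisories_list": ["RHSA-0000:0000"], "rules": []},
    "rules_only": {"advisory_available": False, "remediation": 0,
                   "advisories_list": [], "rules": ["constructed-rule"]},
    "string_flag": {"advisory_available": "false", "remediation": 0,
                    "advisories_list": []},
    # Both Step 3D rules match this one; the positive rule wins here.
    "overlap": {"advisory_available": False, "remediation": 2,
                "advisories_list": []},
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, assess("CVE-2024-1234", resp))
    print("404", assess("CVE-2026-24882", None))
```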

Step 4: Return Validation Result

Return structured validation result. When invoked by remediation skill: Ensure validation_status and remediation_status.automated_remediation_available are explicit—the orchestrator gates on these.

{
  "validation_status": "valid",  # or "invalid", "not_found", "not_remediable"

  "cve_metadata": {
    "cve_id": "CVE-2024-1234",
    "cvss_score": 7.5,
    "severity": "Important",
    "description": "Brief description...",
    "published_date": "2024-01-15"
  },

  "remediation_status": {
    "automated_remediation_available": true,
    "reboot_required": false,
    "affected_packages": [
      {
        "name": "httpd",
        "current_version": "2.4.37-1.el8",
        "fixed_version": "2.4.37-2.el8"
      }
    ]
  },

  "recommendations": [
    "Automated remediation available via Red Hat Lightspeed",
    "No reboot required for this CVE",
    "Severity: Important - Urgent remediation recommended",
    "Test in staging environment before production deployment"
  ],

  "next_steps": [
    "Analyze CVE impact (use cve-impact skill)",
    "Gather system context (use system-context skill)",
    "Generate remediation playbook (use playbook-generator skill)"
  ]
}

Output, Examples, Error Handling

Read references/03-output-template.md for report format. Read references/04-examples.md for validation examples. Read references/05-error-handling.md for format, not-found, no-remediation, and API errors.

Best Practices

Validate format first; if regex matches, ALWAYS call get_cve (do not reject on year/sequence). Check remediation availability; fail fast if none. Provide clear next steps and manual guidance when automated remediation is unavailable. Link to NVD and Red Hat Security. Cache results to avoid redundant calls.

Dependencies

Required MCP Servers

  • lightspeed-mcp - Red Hat Lightspeed platform access

Required MCP Tools

  • get_cve (from lightspeed-mcp) - Get CVE metadata and validation

      • Parameters: cve_id (string, format CVE-YYYY-NNNNN), include_details (boolean), validate_format (boolean)

      • Returns: CVE metadata with CVSS score, severity, affected packages, remediation availability

Related Skills

mcp-lightspeed-validator

  • PREREQUISITE - Validates Lightspeed MCP server before operations

  • Use before: ALL cve-validation operations (Step 0 in workflow)

  • Purpose: Ensures MCP server is available before attempting tool calls

cve-impact

  • Analyze CVE impact after validation

  • Use after: Step 4 when CVE is validated and user wants impact analysis

  • Purpose: Assess risk and affected systems for validated CVE

system-context

  • Get system details after validating CVE affects systems

  • Use after: Validation confirms CVE has affected systems

  • Purpose: Understand deployment context before remediation

playbook-generator

  • Generate remediation playbooks for validated CVEs

  • Use after: Validation confirms remediation_available = true

  • Purpose: Create automated remediation for valid, remediable CVEs

Reference Documentation

  • vulnerability-logic.md - CVE validation criteria

  • references/01-remediation-indicators.md - REQUIRED - Correct interpretation of get_cve response (advisory_available, remediation, advisories_list). Do NOT use rules[] for remediation decision.

  • cvss-scoring.md - Red Hat severity classification and CVSS score ranges

  • cve-remediation-templates.md - Manual remediation templates for CVEs without automated playbooks

Tools Reference

This skill uses:

  • get_cve (vulnerability toolset) - Get CVE metadata and remediation availability from Red Hat Lightspeed

Do NOT use vulnerability__explain_cves in this skill—it requires system_uuid which may not be available at validation time. Use get_cve only.

All tools are provided by the lightspeed-mcp MCP server configured in .mcp.json.

Integration with Other Skills

cve-impact, playbook-generator, system-context, remediation-verifier all depend on validation first. The /remediation skill invokes cve-validation as Step 2. Validate → proceed if valid; stop and return error if invalid.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
