Convert a Common Platform Enumeration (CPE) name between the legacy 2.2 URI binding (cpe:/a:apache:log4j:2.14.1) and the modern 2.3 formatted-string binding (cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*), in either direction, with each of the eleven components parsed out.
Common Platform Enumeration (CPE) is a standardized naming scheme for hardware, operating systems, and applications, used by the NVD to describe the products a CVE affects.
What is the difference between CPE 2.2 and 2.3?
CPE 2.2 is the legacy URI binding (cpe:/a:apache:log4j:2.14.1); CPE 2.3 is the modern formatted-string binding (cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*) with eleven well-defined components.
Can I find the CVEs that affect a CPE?
Yes. Once you have a CPE 2.3 string, the CPE lookup tool at /cve/cpe lists every CVE whose configuration applies, with full version-range matching.