
CVE Vulnerability

What is the Common Vulnerabilities and Exposures (CVE) Glossary

CVE stands for Common Vulnerabilities and Exposures. CVE is a glossary that classifies vulnerabilities. The glossary analyzes vulnerabilities and then uses the Common Vulnerability Scoring System (CVSS) to evaluate the threat level of each vulnerability. A CVE score is often used to prioritize vulnerabilities for remediation.

The CVE glossary is a project dedicated to tracking and cataloging vulnerabilities in consumer software and hardware. It is maintained by the MITRE Corporation with funding from the US Division of Homeland Security. Vulnerabilities are collected and cataloged using the Security Content Automation Protocol (SCAP). SCAP evaluates vulnerability information and assigns each vulnerability a unique identifier.

Once evaluated and identified, vulnerabilities are listed in the publicly available MITRE glossary. After listing, vulnerabilities are analyzed by the National Institute of Standards and Technology (NIST). All vulnerability and analysis information is then listed in NIST’s National Vulnerability Database (NVD).

The CVE glossary was created as a baseline of communication and source of dialogue for the security and tech industries. CVE identifiers serve to standardize vulnerability information and unify communication amongst security professionals. Security advisories, vulnerability databases, and bug trackers all employ this standard.

Which Vulnerabilities Qualify for a CVE

To be categorized as a CVE vulnerability, a vulnerability must meet a certain set of criteria. These criteria include:

Independent of other issues

You must be able to fix the vulnerability independently of other issues.

Acknowledged by the vendor

The vulnerability is known to the vendor and is acknowledged to cause a security risk.

Is a proven risk

The vulnerability is submitted with evidence of security impact that violates the security policies of the vendor.

Affecting one codebase

Each product vulnerability gets a separate CVE. If vulnerabilities stem from shared protocols, standards, or libraries, a separate CVE is assigned for each vendor affected. The exception is when there is no way to use the shared component without including the vulnerability.


What is the Common Vulnerability Scoring System (CVSS)

The CVSS is one of several ways to measure the impact of vulnerabilities, and its result is commonly known as the CVE score. The CVSS is an open standard used to assess a vulnerability and assign it a severity on a scale of 0-10. The current version of CVSS is v3.1, which breaks down the scale as follows:

Severity    Base Score
None        0
Low         0.1-3.9
Medium      4.0-6.9
High        7.0-8.9
Critical    9.0-10.0

The CVSS standard is used by many reputable organizations, including NVD, IBM, and Oracle. If you want to see how CVSS is calculated, or convert the scores assigned by organizations that do not use CVSS, you can use the NVD calculator.

Figure: Severity of top CVE vulnerabilities

CVE Identifiers

When vulnerabilities are verified, a CVE Numbering Authority (CNA) assigns a number. A CVE identifier follows the format CVE-{year}-{ID}. There are currently 114 organizations, across 22 countries, that are certified as CNAs. These organizations include research organizations and security and IT vendors. CNAs are granted their authority by MITRE, which can also assign CVE numbers directly.

Vulnerability information is provided to CNAs via researchers, vendors, or users. Many vulnerabilities are also discovered as part of bug bounty programs. These programs are set up by vendors and provide a reward to users who report vulnerabilities directly to the vendor, as opposed to making the information public. Vendors can then report the vulnerability to a CNA along with patch information, if available.

Once a vulnerability is reported, the CNA assigns it a number from the block of unique CVE identifiers it holds. The CNA then reports the vulnerability with the assigned number to MITRE. Frequently, reported vulnerabilities have a waiting period before being made public by MITRE. This allows vendors to develop patches and reduces the chance that flaws are exploited once known.

When a CVE vulnerability is made public, it is listed with its ID, a brief description of the issue, and any references containing additional information or reports. As new references or findings arise, this information is added to the entry.

Open CVE Databases

There are many databases that include CVE information and serve as resources or feeds for vulnerability notification. Below are three of the most commonly used databases.