Common Vulnerabilities and Exposures (CVE) was launched in 1999 by the MITRE Corporation to identify and catalog publicly known vulnerabilities in software and firmware. CVE provides a free dictionary of common identifiers that organizations can use to improve their cyber security. MITRE is a nonprofit that operates federally funded research and development centers in the United States.
A vulnerability is a weakness that can be exploited in a cyberattack to gain unauthorized access to or perform unauthorized actions on a computer system. Vulnerabilities can allow attackers to run code, access system memory, install different types of malware and steal, destroy or modify sensitive data.
An exposure is a configuration issue or mistake that gives an attacker access to a system or network, or a foothold from which to reach one. Exposures can lead to data breaches, data leaks, and personally identifiable information (PII) being sold on the dark web.
In fact, some of the biggest data breaches were caused by accidental exposures rather than sophisticated cyber attacks.
The goal of CVE is to make it easier to share information about known vulnerabilities so that defenders can keep their cybersecurity strategies current with the latest security flaws.
CVE does this by creating a standardized identifier for a given vulnerability or exposure. CVE identifiers (also called CVE names or CVE numbers) allow security professionals to access information about specific cyber threats across multiple information sources using the same common name.
The Common Vulnerability Scoring System (CVSS), an open standard maintained by FIRST, assigns a numeric score to a vulnerability to express its severity. CVSS scores are used by the NVD, CERT and others to assess the impact of a vulnerability.
A CVSS base score ranges from 0.0 to 10.0; the higher the number, the more severe the vulnerability. CVSS v3.x groups scores into qualitative ratings: None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9) and Critical (9.0 to 10.0).
MITRE maintains the CVE dictionary and CVE website, as well as the CVE Compatibility Program. The CVE Compatibility Program promotes the use of standard CVE identifiers issued by authorized CVE numbering authorities (CNAs).
CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), of which US-CERT is a part.
The CVE list lets organizations set a baseline for evaluating the coverage of their security tools: because every tool refers to the same identifiers, you can see what each tool covers and judge how appropriate it is for your organization.
Security advisories, IDS signatures and forensic tooling can all reference the same CVE ID, so an analyst can pivot from a detected attack signature to the advisory and the fix during incident response or a digital forensics investigation.
Look for security tools with CVE compatibility rather than proprietary vulnerability naming; being able to correlate findings across tools is a simple way to reduce your organization's cybersecurity risk.
CVE isn’t a vulnerability database. CVE is designed to allow vulnerability databases and other tools to be linked together. It also facilitates comparisons between security tools and services.
Check out the US National Vulnerability Database (NVD), which uses the CVE list identifiers and adds fix information, CVSS scoring and other details.
CVE does not list all known vulnerabilities and exposures. Its goal is to be as comprehensive as possible, but given the sheer number of vulnerabilities and exposures it is unlikely that any single system can contain everything.
Yes, CVE is free to use and publicly accessible. CVE is designed to allow anyone to correlate data between different vulnerabilities, security tools, repositories and services.
Anyone can search, download, copy, redistribute, reference and analyze CVE as long as they don’t modify any information.
A CVE entry describes a known vulnerability or exposure.
Each CVE entry contains a standard identifier (for example “CVE-1999-0067”, “CVE-2014-12345” or “CVE-2016-7654321”; older entries also carried an Entry/Candidate status indicator), a brief description, and references to related vulnerability reports and advisories.
Each CVE ID is formatted as CVE-YYYY-NNNN, where YYYY is the year the ID was assigned or the year the vulnerability was made public (not necessarily the year it was discovered) and NNNN is a sequence number of at least four digits. Since the 2014 syntax change the sequence may have any number of digits, so CVE-2016-7654321 is just as valid as CVE-1999-0067.
Unlike vulnerability databases, CVE entries do not include risk, impact, fix or other technical information.
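The ID syntax and CVSS bands above are easy to get subtly wrong in tooling (three-digit sequences, zero-padded long sequences, lowercase IDs pasted from tickets). The following Python is an added example, not code from the CVE program, MITRE or this page's author: it validates CVE IDs against that syntax, extracts distinct IDs from a constructed advisory excerpt, and maps CVSS v3.x base scores to the qualitative ratings used by the NVD. The advisory text is made up, the IDs in it are the page's own syntax examples rather than real records, and the leading-zero rule (zeros only pad a sequence out to four digits) is the one introduced by the 2014 syntax change.

```python
"""Validate CVE IDs, pull them out of advisory text, and band CVSS scores.

Added example; not part of the CVE program's tooling. Sample text below is
constructed and the IDs are syntax examples, not real CVE records.
"""
import re
from typing import List, Optional, Tuple

# CVE-YYYY-NNNN...: a four-digit year and a sequence of at least four digits.
# Since the 2014 syntax change the sequence may be arbitrarily long; leading
# zeros are used only to pad the sequence out to four digits.
_CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")
_STRICT_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(candidate: str) -> Optional[Tuple[int, int]]:
    """Return (year, sequence) for a well-formed CVE ID, else None.

    Accepts lowercase or whitespace-padded input, since that is what shows up
    in tickets, but rejects short sequences, zero-padded sequences of five or
    more digits, and years before the program existed (assumption: 1999).
    """
    m = _STRICT_RE.match(candidate.strip().upper())
    if not m:
        return None
    year, seq = m.group(1), m.group(2)
    if len(seq) > 4 and seq[0] == "0":
        return None
    if int(year) < 1999:
        return None
    return int(year), int(seq)


def extract_cve_ids(text: str) -> List[str]:
    """Return every distinct, well-formed CVE ID in free text, in order of
    first appearance. Handy for correlating an advisory with scanner output."""
    found: List[str] = []
    for m in _CVE_RE.finditer(text.upper()):
        cid = m.group(0)
        if parse_cve_id(cid) is not None and cid not in found:
            found.append(cid)
    return found


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score (0.0 to 10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Constructed advisory excerpt (not a real advisory). It mixes a canonical ID,
# a lowercase one, two malformed ones, and a repeat.
ADVISORY = """Security Advisory EX-01 (constructed sample text)
Affects widgetd before 1.4. Tracked as CVE-2014-12345; see also
cve-2016-7654321 (lowercase in the ticket). Malformed references such as
CVE-2014-123 and CVE-2014-01234 must be ignored. CVE-2014-12345 again."""


if __name__ == "__main__":
    print(extract_cve_ids(ADVISORY))
    for s in (0.0, 3.9, 4.0, 7.0, 9.8):
        print(s, cvss_severity(s))
```

Note that `extract_cve_ids` uppercases the text before matching so a pasted `cve-2016-7654321` is normalized to the canonical form, and that the malformed `CVE-2014-01234` is matched by the regular expression but then rejected by `parse_cve_id`, which is why extraction routes every hit through the strict parser.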
The short answer is yes, but many cybersecurity professionals believe the benefits of CVE outweigh the risks.
As a concrete example, many believe the WannaCry ransomware, which spread via the EternalBlue exploit for an SMBv1 vulnerability (CVE-2017-0144), would have had less impact had the vulnerability been publicly disclosed sooner.
The CVE Board is comprised of cybersecurity organizations including security tool vendors, academia, research institutions, government departments and agencies, security experts and end-users of vulnerability information.
The CVE Board provides critical input regarding data sources, product coverage, coverage goals, operating structure and strategic direction of the CVE program.
All CVE Board discussions can be found via their email discussion archives and meeting archives. The CVE Board Charter is also publicly accessible.
CVE Numbering Authorities (CNAs) are organizations that assign CVE IDs to researchers and vendors for inclusion in public announcements of new vulnerabilities. CNAs include software vendors, open source projects, coordination centers, bug bounty service providers and research groups.
The CNA model is a federated system: each CNA assigns IDs for vulnerabilities within its own scope without directly involving MITRE, which remains the primary CNA.
There are currently 104 CNAs in 18 countries, including many household names like Microsoft, Adobe, Apple, Cisco, Google, Hewlett Packard Enterprise, Huawei, IBM, Intel, Mozilla, Oracle, Red Hat, Siemens, Symantec, VMware, Atlassian, Autodesk, Cloudflare, Elastic, GitHub, Kubernetes, Netflix and Salesforce. The full list of CVE Numbering Authorities is published on the CVE website.
MITRE serves as the primary CNA, while root CNAs each cover a defined area or niche and oversee the CNAs within it.
In many cases a vendor CNA, such as Apple, assigns IDs for vulnerabilities in its own products. In other cases a root CNA may focus on a domain such as open source vulnerabilities.
The latest version of the CVE list can always be found on cve.mitre.org. While the CVE list is free, it can be hard to know which entries affect your organization without additional tools, which is why many organizations now use tools that watch the CVE list for new or changed entries matching the software they run.
New CVE identifiers are added daily. Look for tools that automatically monitor both your own systems and your vendors' products for new vulnerabilities. Managing third-party and fourth-party risk is a fundamental part of information risk management and your information security policy, so make vulnerability management part of your vendor risk management, third-party risk management framework and cyber security risk assessment processes.
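The monitoring described above boils down to matching a software inventory against CVE records that carry affected-version ranges, then reporting only the IDs that are new since the last run. The Python below is an added example, not code from any CVE tool or from this page's author. Its record layout is a simplified, hand-constructed approximation of the `affected` array found in CVE JSON records (a start `version`, an optional exclusive `lessThan`, and a `status`), not the official schema; the vendor, product and version data is made up, and the CVE IDs are the page's syntax examples rather than real entries. Versions are assumed to be purely numeric dotted strings; anything else is rejected rather than silently treated as safe.

```python
"""Match a software inventory against CVE records with version ranges.

Added example. The record shape is a simplified stand-in for the CVE JSON
``affected`` array, not the official schema; all data below is constructed.
"""
from typing import Dict, List, Set, Tuple

Asset = Tuple[str, str, str]  # (vendor, product, installed version)

# Constructed sample records (not real CVE entries). The IDs reuse the syntax
# examples from the text; vendor, product and version data is made up.
RECORDS = [
    {
        "cve_id": "CVE-2014-12345",
        "vendor": "examplecorp",
        "product": "widgetd",
        # affected range: 1.0 <= v < 1.4
        "versions": [{"version": "1.0", "lessThan": "1.4", "status": "affected"}],
    },
    {
        "cve_id": "CVE-2016-7654321",
        "vendor": "examplecorp",
        "product": "widgetd",
        # a single affected version (no lessThan means "exactly this version")
        "versions": [{"version": "2.0.0", "status": "affected"}],
    },
]

# Constructed inventory: what is installed where.
INVENTORY: List[Asset] = [
    ("examplecorp", "widgetd", "1.2.3"),
    ("examplecorp", "widgetd", "1.4.0"),
    ("examplecorp", "widgetd", "2.0.0"),
    ("othervendor", "gadget", "3.1"),
]


def _vkey(version: str, width: int = 4) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a zero-padded tuple for comparison.

    Non-numeric components (e.g. '1.4rc1') raise, so a bad compare never
    silently marks a host as unaffected.
    """
    parts = version.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"non-numeric version component in {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(width - len(nums), 0)


def version_affected(installed: str, entry: dict) -> bool:
    """True if an installed version falls inside one affected-version entry."""
    if entry.get("status") != "affected":
        return False
    inst = _vkey(installed)
    start = _vkey(entry["version"])
    if "lessThan" in entry:
        return start <= inst < _vkey(entry["lessThan"])
    return inst == start


def match_inventory(inventory: List[Asset], records: List[dict]) -> Dict[Asset, List[str]]:
    """Map each asset to the CVE IDs whose vendor/product/version match it."""
    hits: Dict[Asset, List[str]] = {asset: [] for asset in inventory}
    for vendor, product, installed in inventory:
        for rec in records:
            if (rec["vendor"], rec["product"]) != (vendor, product):
                continue
            if any(version_affected(installed, e) for e in rec["versions"]):
                hits[(vendor, product, installed)].append(rec["cve_id"])
    return hits


def new_since(previously_seen: Set[str], hits: Dict[Asset, List[str]]) -> Set[str]:
    """CVE IDs matched in this run that were not matched in the last one."""
    current = {cid for ids in hits.values() for cid in ids}
    return current - previously_seen


if __name__ == "__main__":
    matches = match_inventory(INVENTORY, RECORDS)
    for asset, ids in matches.items():
        print(asset, ids)
    print("new:", new_since({"CVE-2014-12345"}, matches))
```

Two details matter in practice: the range check is half-open (`lessThan` is exclusive), so 1.4.0 is correctly reported as unaffected by a record that says "before 1.4"; and `new_since` is what turns a full match into an alert feed, since the CVE list grows daily and re-reporting every known hit on every run buries the entries that actually changed.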
CVEs are added when a researcher finds a flaw or design oversight in software or firmware. The vendor does not have to agree that it is a vulnerability for it to be listed (such entries can be marked as disputed), but the researcher may be asked to provide evidence of how the flaw could be exploited.
The better the evidence, such as a working proof of concept, the more likely the report is to be accepted into CVE; the demonstrated impact is also what drives the CVSS score that vulnerability databases assign later.
Potential CVEs reported by established vendors or other trusted parties will generally be added to the CVE list quickly.