Common Vulnerabilities and Exposures (CVE) is a list of publicly known security vulnerabilities, each identified within a standardized reference system. The CVE program was launched in 1999 by MITRE to identify and catalog vulnerabilities in software in a freely accessible data set so that commercial and government organizations can improve their overall security. The MITRE Corporation is a nonprofit organization that operates federally funded research and development centers. CVE is not a vulnerability database. Instead, CVE is designed to allow vulnerability databases and tools to be linked together, so that defenders can more easily compare security tools and services. A CVE record itself does not contain information on risk, overall impact, or mitigations.
Each CVE entry is concise: it does not include technical details, impact data, or information about resolving the problem. The CVE dictionary standardizes the way the listed vulnerabilities or exposures are identified. An entry carries the standard identifier with a status indicator, a brief description, and references to related vulnerability reports and advisories.
Organizations can use CVE to track security issues across a varying mix of software, systems, and networks to gain a complete view of their cybersecurity risks.
Standard IDs are the essential part of CVE. Because every CVE-compatible source refers to an issue by the same identifier, security administrators can look up technical information about a specific flaw in any such source.
It is important to note how CVE distinguishes the two terms in its name. A vulnerability is a flaw in software code that enables a threat actor to gain direct unauthorized access to computer systems and networks and then further compromise those assets. Depending on the flaw, successful exploitation can let an attacker run code, escalate privileges (in the worst case to administrator or superuser), install malware, and access, modify, steal, or destroy sensitive information.
An exposure, by contrast, is a software code or configuration error that enables a threat actor to gain indirect access to system and network assets: on its own it may not grant control, but it serves as a stepping stone. Exposures help threat actors maintain a stealthy presence within computer networks and collect sensitive data, user credentials, and other proprietary information. Accidental exposure, such as a misconfigured storage bucket or service, is a frequent cause of data breaches.
CVE can help organizations improve their security defenses and, by doing so, reduce risk. For example, CVE makes it much easier to share information about vulnerabilities within and between organizations. In addition, organizations that acquire CVE-compatible products and services can correlate findings across those products and improve their overall security posture. The key benefits of CVE include:
Threat actors continuously look for ways to use publicly disclosed CVEs as entry points into systems, networks, and software assets. Organizations therefore need to monitor newly published CVEs that affect their inventory and apply updates and patches to reduce or eliminate the risk arising from these vulnerabilities. Vendors generally release security patches once they are aware of a vulnerability, and attackers target the window between disclosure and patch deployment, so the time to patch matters.
CVE is a program managed by The MITRE Corporation and funded by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CVE entries are brief: they do not include technical data or information about risks, impacts, and mitigations. Those details appear in other sources, such as the U.S. National Vulnerability Database (NVD), the CERT/CC Vulnerability Notes Database, and other databases.
CVE IDs provide a single dictionary of truth for users: a reliable way to tell one unique security flaw from another and a standard way to refer to known security vulnerabilities and exposures. Because tools and services can be compared by the CVEs they cover, CVE also allows security researchers to compare security tools and services.
CVE IDs are assigned to issues that meet a specific set of requirements:
A flaw that impacts more than one product may need more than one CVE. For example, when the flaw is in a shared library, it is given a single CVE only if there is no way to use the library without being exposed to the vulnerability; otherwise, each impacted product or codebase is assigned its own CVE.
CVEs are assigned by a CVE Numbering Authority (CNA). There are three primary types of CNA assignment process:
At the time of writing, there are 114 certified CNAs across 22 countries. CNAs are granted their authority by MITRE, which can also assign CVE numbers directly.
When a vulnerability is reported, the CNA assigns it a number from the block of CVE identifiers it holds; each block is unique to that CNA. The CNA then reports the vulnerability, under the assigned number, to MITRE. Frequently, reported vulnerabilities are not immediately made public so that suppliers can develop patches first. This delay reduces the chance that a threat actor exploits a flaw as soon as it is reported.
When a CVE record is made public, it has an assigned ID, a description of the issue, and references to additional information. New information may be added to the entry later.
The year in a CVE ID (CVE-YYYY-NNNN, with a sequence number of at least four digits) is the year the ID was assigned or the year the vulnerability was made public, not the year it was discovered. In many cases the vulnerability was found, and sometimes exploited, well before that date without being disclosed. The year therefore only indicates when the issue entered the dictionary, and it should not be used to estimate how old a flaw is.
The CVE description helps users find the right entry. Descriptions include information such as the affected product and vendor, the type of vulnerability and its effect, the kind of access a threat actor needs to exploit it, and other details.
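The following is an added example, not code from the original page or from MITRE or Bugcrowd, showing the parts of a CVE entry described above in working form: validating and normalizing CVE IDs (upper-case prefix, four-digit year, sequence of four or more digits, year no earlier than 1999), pulling distinct IDs out of advisory text, and summarizing the ID, state, description, affected vendor/product, weakness type and references from a record. The record field names are assumed to follow the CVE JSON 5.x record format; the record, the advisory text and the identifier CVE-2099-0042 are constructed for this example and do not describe a real vulnerability.

```python
"""Offline handling of CVE identifiers and CVE-record essentials (added example).

Field names in summarize_record() are assumed from the CVE JSON 5.x record
format; the sample record and advisory text below are constructed, not real.
"""
import re
from dataclasses import dataclass

# CVE ID syntax: "CVE-" + 4-digit year + "-" + sequence of 4 OR MORE digits.
# Since the 2014 syntax change the sequence may be arbitrarily long, so never
# assume exactly four digits. Case-insensitive so "cve-..." in text still matches.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
CVE_PROGRAM_START_YEAR = 1999  # the program began in 1999; no ID carries an earlier year


@dataclass(frozen=True, order=True)
class CveId:
    year: int       # year the ID was assigned or published, NOT the discovery year
    sequence: int   # compared numerically, so CVE-2020-10000 sorts after CVE-2020-9999

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence zero-padded to at least 4 digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse one CVE ID; surrounding whitespace and lower-case prefix are tolerated."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a well-formed CVE ID: {text!r}")
    year, sequence = int(m.group(1)), int(m.group(2))
    if year < CVE_PROGRAM_START_YEAR:
        raise ValueError(f"implausible CVE year {year} in {text!r}")
    return CveId(year, sequence)


def is_cve_id(text: str) -> bool:
    """True if text is a single, well-formed, plausible CVE ID."""
    try:
        parse_cve_id(text)
    except ValueError:
        return False
    return True


def find_cve_ids(text: str) -> list[str]:
    """Return the distinct CVE IDs mentioned in free text, canonical and sorted."""
    found = {CveId(int(y), int(s)) for y, s in CVE_ID_RE.findall(text)}
    return [str(c) for c in sorted(found) if c.year >= CVE_PROGRAM_START_YEAR]


def summarize_record(record: dict) -> dict:
    """Extract the essentials of a CVE JSON 5.x-shaped record (schema assumed)."""
    meta = record["cveMetadata"]
    cve_id = parse_cve_id(meta["cveId"])          # reject malformed IDs early
    cna = record.get("containers", {}).get("cna", {})
    english = [d["value"] for d in cna.get("descriptions", [])
               if d.get("lang", "en").startswith("en")]
    affected = [f'{a.get("vendor", "?")} {a.get("product", "?")}'
                for a in cna.get("affected", [])]
    cwes = [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", []) if "cweId" in d]
    return {
        "id": str(cve_id),
        "year": cve_id.year,
        "state": meta.get("state", "UNKNOWN"),   # e.g. PUBLISHED or REJECTED
        "description": english[0] if english else "",
        "affected": affected,
        "cwes": cwes,
        "references": [r["url"] for r in cna.get("references", [])],
    }


# Constructed sample record (fictional CVE-2099-0042), shaped after CVE JSON 5.x.
SAMPLE_RECORD = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "cve-2099-0042", "state": "PUBLISHED"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "ExampleApp before 1.2 allows stored XSS via the comment field."}],
        "affected": [{"vendor": "ExampleVendor", "product": "ExampleApp",
                      "versions": [{"version": "0", "lessThan": "1.2",
                                    "status": "affected", "versionType": "semver"}]}],
        "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79",
                                            "description": "CWE-79 Cross-site Scripting"}]}],
        "references": [{"url": "https://vendor.example/advisory/42"}],
    }},
}

# Constructed advisory text: a duplicate, a lower-case ID and a malformed ID mixed in.
SAMPLE_ADVISORY = (
    "Release 1.2 fixes CVE-2021-44228 and cve-2021-45046; CVE-2021-44228 was "
    "exploited in the wild. CVE-2021-123 is not a valid identifier."
)

if __name__ == "__main__":
    print(find_cve_ids(SAMPLE_ADVISORY))   # ['CVE-2021-44228', 'CVE-2021-45046']
    print(summarize_record(SAMPLE_RECORD))
```

The numeric comparison in `CveId` matters in practice: tools that sort CVE IDs as strings put CVE-2020-10000 before CVE-2020-9999, and tools that assume four-digit sequences silently drop every ID above 9999 in a given year.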
Many databases include CVE information. Three commonly used examples are: