Common Vulnerability Exposure (CVE)

Common Vulnerabilities and Exposures (CVE) are a listing of security threats categorized within a standardized reference system.  The CVE program was launched in 1999 by MITRE to identify and catalog vulnerabilities in software into a freely accessible set of data so that commercial and government organizations can improve their overall security. MITRE Corporation is a nonprofit organization that runs federal government-sponsored research and development centers. CVE is not a vulnerability database. Instead, CVE is designed to allow vulnerability databases to be linked together so that defenders can more easily compare security tools and services. CVE does not contain information on risk, overall impact, or mitigations. 

Each CVE entry is concise and does not include technical data, impact data, or anything about resolving the problems. The CVE dictionary standardizes the way the listed vulnerabilities or exposures are identified. CVE contains the standard identifier number with a status indicator, a brief description, and references to related vulnerability reports and advisories.

Organizations can use CVE to track security issues across a varying mix of software, systems, and networks to gain a complete view of their cybersecurity risks. 

Standard IDs are an essential part of the CVE. These allow security administrators to access technical information about any specific threat in any CVE-compatible information source. 

CVE vulnerability and exposure

It is important to note that CVE defines vulnerabilities as an error within software code that enables a threat actor to gain direct unauthorized access to computer systems and networks and then further compromise these assets. Threat actors typically gain access as system admins or superusers and have full access to sensitive system resources. If undetected, vulnerabilities allow attackers to escalate privileges to system administrators, enabling these threat actors to run code, install malware, and access, modify, steal or destroy sensitive information.

CVE further defines exposure as software code or configuration errors that enable a threat actor to gain indirect access to system and network assets. Exposure helps threat actors maintain a stealthy presence within computer networks and collect sensitive data, user credentials, and other proprietary information. Accidental exposure is the most frequent cause of data breaches.

CVE benefits

CVE can help organizations improve their security defenses and, by doing so, ultimately reduce risk. For example, CVE makes it much easier to share information about vulnerabilities across and between organizations. In addition, organizations that acquire CVE-compatible products and services can improve their organizations’ overall security posture. The key benefits of CVE include:

1. Understanding if compatible products have been reviewed for specific security issues.
2. Trusted and interoperable products and services that can help protect the organization.
3. Set a baseline for understanding what each tool covers and how appropriate they are for the organization.
4. Security advisories can use CVE information to search for attack signatures to identify specific vulnerability exploits.
5. Discover security tools with CVE compatibility to reduce overall cybersecurity risk posture.
6. Software vendors can provide alerts to validate the installation of updates and patches.
7. Easily compare the coverage of security controls and services using CVE names.

Threat actors continuously look for new ways to use CVE as entry points into systems, networks, and software assets. Therefore, organizations need to constantly monitor CVE’s and apply updates and patches to reduce or eliminate the risks arising from these vulnerabilities. Additionally, once a vendor is aware of a vulnerability, they rapidly release security patches to prevent cybercriminals from exploiting the CVE.

CVE system operations

CVE is a program managed by The MITRE Corporation and supported by the Cybersecurity and Infrastructure Security Agency funding. CVE entries are brief. They don’t include technical data or information about risks, impacts, and mitigations. Those details appear in others, such as the U.S. National Vulnerability Database (NVD), the CERT/CC Vulnerability Notes Database, and other databases. 

CVE IDs support a single dictionary of truth for users. This dictionary provides a more reliable way to tell one unique security flaw from another. In addition, the dictionary offers a standard way to identify known security vulnerabilities and exposures. CVE is also designed to allow security researchers to compare security tools and services. 

Criteria for CVE

Security researchers assign CVE IDs to issues that meet a specific set of requirements:

• The problem can be fixed independently of any other issues or bugs.
• The impacted vendor acknowledges the problem, or it is documented by other parties (reporter) through a shared vulnerability report that clearly describes the negative impact of the issue and shows that it violates the security policy of the impacted system.
• It is generally affecting one and only one codebase.

Separate CVEs should be assigned to flaws that impact more than one product. For example, in shared libraries, the fault should be given a single CVE only if there’s no way to use the code without vulnerability. Otherwise, each impacted product or codebase should be assigned a unique CVE.

CVE identifiers

CVEs are assigned by a CVE Numbering Authority (CNA). There are three primary types of CVE number process assignments:

• The Mitre Corporation functions as Editor and Primary CVE Numbering Authority (CNA).
• Different CNAs assign CVE numbers for their products.
• The CERT Coordination Center, and other third-party coordinators, may assign CVE numbers for products that other CNAs do not cover.

At this time, there are 114 certified CNAs across 22 countries. CNAs are granted their authority by MITRE, which can also assign CVE numbers directly.

When a vulnerability is reported, the CNA assigns it a number from the block of CVE identifiers it holds. This block is unique to the CNA. Then CNA reports the vulnerability using the given number to MITRE. Frequently, reported vulnerabilities are not immediately made public by MITRE so that suppliers can develop patches. This delay reduces the chance that a threat actor immediately exploits flaws once they are reported.

When a CVE vulnerability is made public, it has an assigned ID, a description of the issue, and any references to additional information. New information may be added to the entry later.

The CVE ID includes the year the ID was assigned or perhaps when the vulnerability was released. However, the vulnerability could have been discovered earlier than the date without being made public in many cases. Therefore, the year only stipulates when the exposure was added to the dictionary.

The CVE description helps users find the CVE entry. In addition, CVE descriptions include information such as impacted product and vendor, the type of vulnerability and what it does, the kind of access threat actors need to exploit the vulnerability, and other information.

Open CVE Databases

Many databases include CVE information. Examples of three commonly used databases include:

National Vulnerability Database (NVD). NVD was started in 2005. It provides information about vulnerabilities and scores vulnerabilities using CVSS standards. 

The Community Driven Vulnerability Database. VULDB is a community vulnerability database. VULDB provides information on vulnerability management, threat intelligence, incident response, and analysis of vulnerability trends. 

CVE Details. CVE Details is a database that combines NVD data with other databases such as the Exploit Database. CVE Details enables discovery by vendor, type, product, and more.