
What is a CVE?

Giulio Saggin
Tuesday 28 November 2023

What does CVE stand for?

CVE is an acronym for Common Vulnerabilities and Exposures. It serves as a classification system for vulnerabilities. This system assesses vulnerabilities and employs the Common Vulnerability Scoring System (CVSS) to gauge threat levels. The resulting CVE score frequently guides prioritization efforts in addressing security vulnerabilities.

What's the difference between a vulnerability and an exposure?

A vulnerability represents a system weakness exploitable for unauthorized access or actions within a computer system. Exploiting vulnerabilities enables attackers to directly infiltrate systems, execute code, implant malware, and breach internal networks to pilfer, corrupt, or manipulate sensitive data. Left undetected, such vulnerabilities could empower attackers to assume super-user or system administrator roles, granting full access privileges.

An exposure denotes a system or network flaw inadvertently providing attackers access. These exposures facilitate unauthorized entry, potentially compromising personally identifiable information (PII) for exfiltration. Remarkably, some of the most significant data breaches stemmed from inadvertent exposure rather than intricate cyber assaults.

What is the Common Vulnerability Scoring System (CVSS)?

The CVSS, commonly referred to as the CVE score, is among the various methods used to gauge the impact of vulnerabilities. It operates as an open set of standards designed to evaluate vulnerabilities and allocate severity levels on a scale ranging from 0 to 10. The latest iteration, CVSS v3.1, delineates the scale as follows:

Severity   Base Score
None       0
Low        0.1-3.9
Medium     4.0-6.9
High       7.0-8.9
Critical   9.0-10.0

Which vulnerabilities qualify for a CVE?

CVE IDs are allocated to vulnerabilities meeting distinct criteria: They must require individual fixes, be acknowledged by the vendor as posing a security threat, and exclusively affect a single codebase. Vulnerabilities influencing multiple products warrant separate CVE designations.

Open CVE Databases

Several databases serve as repositories or streams of CVE information, facilitating vulnerability alerts.

  1. National Vulnerability Database (NVD): Established in 2005, NVD acts as a primary CVE repository for numerous organizations. It offers comprehensive details on vulnerabilities, encompassing affected systems and potential remedies. Additionally, it applies CVSS standards to score vulnerabilities. MITRE supplies CVE information to NVD, but the two are separate entities that function independently, even though both are supported by the US Department of Homeland Security (DHS).

  2. Vulnerability Database (VULDB): VULDB operates as a community-driven platform dedicated to vulnerability management, incident response, and threat intelligence. Specializing in vulnerability trend analysis, VULDB equips security teams with insights to anticipate and brace for forthcoming threats.

  3. SecAlerts (Vulnerability Alerts): SecAlerts provides real-time alerts for CVEs, zero-days and vulnerability news matched to your software stack, drawing on the above sources as well as crawlers of vendor advisories and open source components.

What are CVE Identifiers?

When vulnerabilities are confirmed, a CVE Numbering Authority (CNA) allocates a unique number following the format CVE-{year}-{ID}. As of August 2023, there are 312 certified CNAs spread across 37 countries, encompassing research organizations, security firms, and IT vendors. These CNAs derive their authority from MITRE, which also possesses the capability to directly assign CVE numbers.

Vulnerability details reach CNAs through various channels: researchers, vendors, or users. Bug bounty programs often unveil vulnerabilities, rewarding users who privately disclose these issues to the vendor. Subsequently, vendors can relay vulnerability information, including patches if available, to a CNA.

Upon receiving a vulnerability report, the CNA assigns it a unique CVE identifier from its allocated block and forwards this, along with details, to MITRE. Typically, there's a waiting period before MITRE publicizes reported vulnerabilities, allowing vendors to create patches and reducing the risk of exploitation once the flaw is known.

When a CVE vulnerability becomes public, it is cataloged with its ID, a concise problem description, and any associated references or supplementary reports. Additional findings or references that surface later are appended to the entry over time.

Who Reports CVEs?

Anyone can report a CVE to a CNA. Typically, it's researchers, white hat hackers, and vendors who discover and submit CVE reports to CNAs. Numerous vendors actively advocate for vulnerability hunting as a cost-effective means to fortify their product's security. Some even institute bug bounties, contests, and prizes, fostering community engagement in testing and identifying security weaknesses.

The roster of CNAs features prominent names like MITRE, Adobe, Apple, CERT, Cisco, Dell, Facebook, Google, IBM, Intel, and several other household brands.

How do I monitor CVE releases?

The easiest way to monitor CVE releases is by using SecAlerts to match CVEs to your software stack and get alerts sent to your teams.
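To make the monitoring workflow concrete, here is an added example (not SecAlerts' code or the NVD's) that validates the CVE-{year}-{ID} format from the identifiers section, maps CVSS v3.1 base scores to the severity bands in the table above, and matches constructed NVD-style records against a (vendor, product) inventory. The feed, the CVE identifiers and the vendor/product names are all constructed placeholders, and version ranges are deliberately ignored as a simplifying assumption.

```python
import json
import re
# CVE-{year}-{ID}: four-digit year, sequence number of at least four digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def parse_cve_id(cve_id):
    """Validate a CVE identifier and return (year, sequence) as integers."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        raise ValueError(f"malformed CVE identifier: {cve_id}")
    return int(m.group(1)), int(m.group(2))

def cvss_severity(score):
    """Map a CVSS v3.1 base score (0.0-10.0) to the article's qualitative bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"base score out of range: {score}")
    for upper, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")):
        if score <= upper:
            return label

def match_inventory(feed_json, inventory):
    """One alert per CVE whose vulnerable CPEs name an inventory (vendor, product), highest
    base score first; unscored records sort last. Version ranges are ignored (assumption)."""
    alerts = {}
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        parse_cve_id(cve["id"])  # reject malformed identifiers early
        v31 = cve.get("metrics", {}).get("cvssMetricV31", [])
        score = v31[0]["cvssData"]["baseScore"] if v31 else None
        severity = cvss_severity(score) if score is not None else "Unscored"
        for conf in cve.get("configurations", []):
            for cm in (m for node in conf["nodes"] for m in node["cpeMatch"]):
                # CPE 2.3 fields: cpe:2.3:part:vendor:product:version:... -> (vendor, product)
                if cm["vulnerable"] and tuple(cm["criteria"].split(":")[3:5]) in inventory:
                    alerts.setdefault(cve["id"], (cve["id"], score, severity, cm["criteria"]))
    return sorted(alerts.values(), key=lambda a: -1.0 if a[1] is None else a[1], reverse=True)

def record(cve_id, score, *cpes):
    """Build one constructed record in the shape of a trimmed NVD API 2.0 entry."""
    metrics = {"cvssMetricV31": [{"cvssData": {"baseScore": score}}]} if score is not None else {}
    return {"cve": {"id": cve_id, "metrics": metrics, "configurations": [{"nodes": [
        {"cpeMatch": [{"vulnerable": True, "criteria": c} for c in cpes]}]}]}}
# Constructed sample feed; the identifiers are placeholders, not real CVEs.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    record("CVE-2023-99991", 9.8, "cpe:2.3:a:examplecorp:webapp:1.2:*:*:*:*:*:*:*"),
    record("CVE-2023-99992", 5.3, "cpe:2.3:a:examplecorp:agent:3.0:*:*:*:*:*:*:*"),
    record("CVE-2023-99993", 7.5, "cpe:2.3:a:othervendor:tool:2.0:*:*:*:*:*:*:*"),
    record("CVE-2023-99994", None, "cpe:2.3:a:examplecorp:webapp:1.3:*:*:*:*:*:*:*"),
]})
INVENTORY = {("examplecorp", "webapp"), ("examplecorp", "agent")}
```

Running `match_inventory(SAMPLE_FEED, INVENTORY)` yields the two scored matches first (Critical, then Medium), then the unscored record, and drops the vendor that is not in the inventory.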

© 2024 SecAlerts Pty Ltd.