What is a CVE?
CVEs provide a basis for assessing and managing the risks associated with vulnerabilities in a system, making it easier to identify, track, and remediate.
What does CVE mean?
CVE is an acronym for Common Vulnerabilities and Exposures. It is a list of standardized names and codes for naming information security vulnerabilities and exposures to make them publicly known. Each vulnerability has a unique identification number, providing a way to share data and information about these vulnerabilities publicly.
A CVE is thus a standard identifier for information security vulnerabilities. In addition to the unique number, a CVE also assigns a brief description to each known vulnerability to make it easier to find, analyze, and manage.
CVEs aim to provide a common and unified reference for vulnerabilities so that they can be easily shared and compared between different sources of information, tools, and services. CVEs also help to improve awareness and transparency about information security threats and foster cooperation and coordination between the different actors involved in the prevention, detection, and response.
Before delving into how the CVE system works, it is worth clarifying what a vulnerability and an exposure are.
Differences between a vulnerability and an exposure
As indicated by INCIBE, a vulnerability is a technical flaw or deficiency in a program that can allow an illegitimate user to access information or perform unauthorized operations remotely.
An exposure is the public disclosure of a vulnerability so that an attacker can easily exploit it. Exposure is not a weakness in itself but rather the measure of visibility, and therefore accessibility and risk, that vulnerabilities have. Exposures can lead to data breaches, leaks, and personally identifiable information (PII) sold on the Dark Web.
An example of data exposure could be accidentally publishing code to a GitHub repository.
How does the CVE system work?
CVE is a security project born in 1999, focused on publicly released software and funded by the U.S. Department of Homeland Security.
CVEs are issued by the CVE Program. This Program is an international initiative that coordinates and maintains a free, public database of vulnerabilities reported by researchers, organizations, and companies worldwide. The CVE Program is managed by the Software Engineering Institute of the MITRE Corporation, a nonprofit organization that collaborates with the U.S. government and other partners.
CVEs can be viewed on the official CVE Program website, which can be searched by number, keyword, product, vendor, or date. They can also be found in other secondary sources that collect and analyze CVEs, such as the U.S. National Vulnerability Database (NVD), which provides additional information on each vulnerability’s impact, severity, and remedies.
The cooperative, community-based project
The CVE glossary uses the Security Content Automation Protocol (SCAP) to collect information about security vulnerabilities and exposures, catalog them, and assign each one a unique identifier.
The program is a cooperative, community-based project that helps uncover new vulnerabilities. These are discovered, assigned an identifier, and published on lists so that they are public knowledge. The list itself does not include technical data or information on risks, impacts, and remediation. A CVE entry therefore consists of a brief description of the bug and the affected version or component, together with references telling you where to find out how to fix the vulnerability or exposure.
CVEs are published once the bug has been fixed. This, by pure logic, is done so as not to expose affected users to a risk they cannot yet fix. This is one of the criteria that CVEs follow: the vulnerability can be fixed independently of other bugs or vulnerabilities.
Recognition by the software or hardware vendor is also important. Alternatively, the reporter must have shared a vulnerability report demonstrating the negative impact of the bug and that it violates the security policy of the affected system.
Identification of a CVE
As mentioned above, the identification of CVEs is unique. The nomenclature consists of an ID and a date indicating when MITRE created the entry, followed by an individual description field and a reference field.
If MITRE did not report the vulnerability directly but an advisory or bug-tracking group first submitted it, the reference field will include URL links to that advisory group or bug tracker. Other links that may appear in this field point to product pages affected by the CVE.
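As an added example (not code from the article or the CVE Program), the following Python validates and parses CVE identifiers of the form CVE-YYYY-NNNN (four-digit year, sequence of at least four digits) and pulls them out of free-form advisory text; the advisory text and the CVE numbers in it are constructed placeholders, not real entries.

```python
import re
from dataclasses import dataclass, field

# CVE identifier syntax: "CVE-" + 4-digit year + "-" + sequence of at least 4 digits.
# Since the 2014 syntax change the sequence part may be longer than four digits.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


@dataclass
class CveRecord:
    """Minimal record mirroring the fields named in the article: ID, description, references."""
    cve_id: str
    year: int
    sequence: int
    description: str = ""
    references: list = field(default_factory=list)


def parse_cve_id(text):
    """Validate one CVE ID and split it into (normalized id, year, sequence).

    Raises ValueError for malformed input such as a two-digit year or a
    sequence shorter than four digits.
    """
    m = CVE_ID_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a valid CVE identifier: {text!r}")
    # Normalize case so "cve-2099-0001" and "CVE-2099-0001" compare equal;
    # keep the digits as written because leading zeros are part of the ID.
    return f"CVE-{m.group(1)}-{m.group(2)}", int(m.group(1)), int(m.group(2))


def extract_cve_ids(text):
    """Return the unique, normalized CVE IDs mentioned in free text, in first-seen order."""
    seen = []
    for m in CVE_ID_RE.finditer(text):
        norm = f"CVE-{m.group(1)}-{m.group(2)}"
        if norm not in seen:
            seen.append(norm)
    return seen


# Constructed sample advisory (placeholder IDs; the year 2099 marks them as fictitious).
SAMPLE_ADVISORY = (
    "Security update: this release fixes cve-2099-0001 (input validation) and "
    "CVE-2099-123456 (privilege escalation). CVE-2099-0001 was reported externally; "
    "CVE-99-1234 is a typo and must be ignored."
)

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        cid, year, seq = parse_cve_id(cve)
        print(CveRecord(cid, year, seq, references=["https://example.invalid/advisory"]))
```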
CVEs are an essential tool for information security professionals, allowing them to identify, prioritize, and remediate vulnerabilities affecting their systems and networks. CVEs are also helpful for end users, helping them stay informed about the potential risks they face and take steps to protect themselves, such as updating their applications or avoiding the use of compromised products or services.