Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed information security issues. A CVE number uniquely identifies one vulnerability from the list. CVE provides a convenient, reliable way for vendors, enterprises, academics, and all other interested parties to exchange information about cyber security issues.

Enterprises typically use CVE, and the corresponding Common Vulnerability Scoring System (CVSS) scores, for planning and prioritization in their vulnerability management programs.

As defined by CVE, a vulnerability is a “...flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.”

In this usage, a vulnerability provides an attacker with direct unauthorized access to a system or network, often with full privileges to execute commands or access restricted information. An exposure is a code or configuration error through which an attacker can gain indirect, and often hard-to-discover, access to application data such as customer information.

Each CVE Record is associated with a unique alphanumeric ID and references a single specific vulnerability. The CVE Record includes a brief description of the vulnerability or exposure and at least one public reference.

CVE Records are added by CVE Numbering Authorities (CNAs), organizations that are permitted to assign CVE IDs to vulnerabilities. Authorized Data Publishers (ADPs) can then enrich a CVE Record with additional information such as risk scores or lists of affected products.

The primary CNA is MITRE, but there are currently 149 CNAs in 25 countries, all acting within a kind of federated system.

Each CNA has a defined scope of responsibility for identifying and publishing vulnerabilities, often related to their own products. A CNA is issued a block of CVE IDs to attach to new issues as they arise.

The list of CNAs includes the likes of Adobe Systems, Advanced Micro Devices (AMD), McAfee, Check Point, Red Hat, Microsoft, and Google, to name but a few. Root CNAs have the authority to recruit, train, and govern other CNAs or ADPs.
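The record structure described above (a unique ID, a description, at least one public reference, optional ADP enrichment such as a CVSS score), the CVSS-based prioritization mentioned earlier, and the CNA ID blocks can be tied together in a small validator. The following is an added example, not code from the CVE Program or MITRE: the ID syntax check reflects the published CVE-YYYY-NNNN format (four-digit year, sequence number of at least four digits), while the `CveRecord` field layout, the CNA block representation, and every sample ID (all in the constructed year 2099) are assumptions made for illustration and are not the official CVE JSON schema.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Official CVE ID syntax: "CVE-" + four-digit year + sequence number of at least four digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def is_valid_cve_id(cve_id: str) -> bool:
    """Return True if cve_id follows the CVE-YYYY-NNNN... syntax (case-sensitive)."""
    return CVE_ID_RE.match(cve_id) is not None


@dataclass
class CveRecord:
    """Simplified record layout (assumed for this example, not the CVE JSON schema)."""
    cve_id: str
    description: str
    references: List[str] = field(default_factory=list)
    # Enrichment an ADP might add on top of the CNA's base record.
    cvss_score: Optional[float] = None
    affected_products: List[str] = field(default_factory=list)


def record_problems(rec: CveRecord) -> List[str]:
    """List the ways a record fails the minimum content rules; empty list means it is acceptable."""
    problems = []
    if not is_valid_cve_id(rec.cve_id):
        problems.append("malformed CVE ID")
    if not rec.description.strip():
        problems.append("missing description")
    if not rec.references:
        problems.append("no public reference")
    if rec.cvss_score is not None and not 0.0 <= rec.cvss_score <= 10.0:
        problems.append("CVSS score out of range")
    return problems


def prioritize(records: List[CveRecord]) -> List[CveRecord]:
    """Order acceptable records for remediation: highest CVSS first, unscored last, ties by ID."""
    valid = [r for r in records if not record_problems(r)]
    return sorted(
        valid,
        key=lambda r: (r.cvss_score is None, -(r.cvss_score or 0.0), r.cve_id),
    )


def in_assigned_block(cve_id: str, block: Tuple[int, int, int]) -> bool:
    """Check that an ID falls inside a CNA's issued block, modelled here as (year, first, last)."""
    m = CVE_ID_RE.match(cve_id)
    if m is None:
        return False
    year, seq = int(m.group(1)), int(m.group(2))
    block_year, first, last = block
    return year == block_year and first <= seq <= last


# Constructed sample data; the year 2099 makes clear these are not real CVE IDs.
SAMPLE_RECORDS = [
    CveRecord("CVE-2099-0001", "Heap overflow in example parser", ["https://example.invalid/adv-1"], 9.8),
    CveRecord("CVE-2099-0002", "Information leak in example API", ["https://example.invalid/adv-2"], 5.3),
    CveRecord("CVE-2099-0003", "Unscored issue awaiting ADP enrichment", ["https://example.invalid/adv-3"]),
    CveRecord("CVE-2099-0004", "Record missing its public reference", [], 10.0),
    CveRecord("CVE-2099-05", "Malformed ID: sequence number too short", ["https://example.invalid/adv-5"], 7.0),
]

# Hypothetical block issued to one CNA: year 2099, sequence numbers 1 through 1000.
EXAMPLE_CNA_BLOCK = (2099, 1, 1000)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.cve_id, record_problems(rec) or "ok")
    print("remediation order:", [r.cve_id for r in prioritize(SAMPLE_RECORDS)])
    print("in CNA block:", in_assigned_block("CVE-2099-0002", EXAMPLE_CNA_BLOCK))
```

Running the script reports the two defective sample records (no reference; malformed ID), then lists the remaining three in remediation order with the unscored record last, which is the sort of triage a vulnerability management program performs before assigning work.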