What is CVE? Common Vulnerabilities and Exposures Explained

Last updated by Abi Tyas Tunggal on November 20, 2019

scroll down

Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed information security vulnerabilities and exposures.

CVE was launched in 1999 by the MITRE corporation to identify and categorize vulnerabilities in software and firmware. CVE provides a free dictionary for organizations to improve their cyber security. MITRE is a nonprofit that operates federally funded research and development centers in the United States.

Table of contents

  1. What is a vulnerability?
  2. What is an exposure?
  3. What is the goal of CVE?
  4. What are the benefits of CVE?
  5. Who manages CVE?
  6. Who sponsors CVE?
  7. Can anyone use CVE?
  8. What is a CVE entry?
  9. Is CVE a vulnerability database?
  10. Can hackers use CVE to attack my organization?
  11. What is the CVE Board?
  12. What are CNAs?
  13. Who are CNAs?
  14. What is a root CNA?
  15. Where is the latest version of the CVE list?
  16. How is a vulnerability or exposure added to CVE?
  17. Does CVE list all known vulnerabilities and exposures?
  18. What is the Common Vulnerability Scoring System (CVSS)?
  19. Where to learn more about CVE
  20. How UpGuard can help protect your organization from vulnerabilities

1. What is a vulnerability?

A vulnerability is a weakness which can be exploited in a cyber attack to gain unauthorized access to or perform unauthorized actions on a computer system. Vulnerabilities can allow attackers to run code, access system memory, install different types of malware and steal, destroy or modify sensitive data

2. What is an exposure?

An exposure is a mistake that gives an attacker access to a system or network. Exposures can lead to data breaches, data leaks and personally identifiable information (PII) being sold on the dark web. In fact, some of the biggest data breaches were caused by accidental exposure rather than sophisticated cyber attacks.

3. What is the goal of CVE?

The goal of CVE is to make it easier to share information about known vulnerabilities across organizations. 

CVE does this by creating a standardized identifier for a given vulnerability or exposure. CVE identifiers or CVE names allow security professionals to access information about specific cyber threats across multiple information sources using the same common name.

For example, UpGuard is a CVE compatible product and its reports reference CVE IDs. This allows you to find fix information on any CVE compatible vulnerability database.

4. What are the benefits of CVE?

CVE allows organizations to set a baseline for evaluating the coverage of their security tools. CVE's common identifiers allow organizations to see what each tool covers and how appropriate they are for your organization. 

CVE means security advisories that can for vulnerabilities and check for threats can use CVE information to search for known attack signatures to identify particular vulnerability exploits as part of any digital forensics process. 

Look for security tools with CVE compatibility rather than proprietary vulnerability assessments, it's a great way to reduce your organization's cybersecurity risk.

5. Who manages CVE?

MITRE maintains the CVE dictionary and CVE website, as well as the CVE Compatibility Program. The CVE Compatibility Program promotes the use of standard CVE identifiers issued by authorized CVE numbering authorities (CNAs).

6. Who sponsors CVE?

CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and US-CERT.

7. Can anyone use CVE?

Yes, CVE is free to use and publicly accessible. CVE is designed to allow anyone to correlate data between different vulnerabilities, security tools, repositories and services. 

Anyone can search, download, copy, redistribute, reference and analyze CVE as long as they don't modify any information.

8. What is a CVE entry?

A CVE entry describes a known vulnerability or exposure.

Each CVE entry contains a standard identifier number with status indicator (i.e. "CVE-1999-0067", "CVE-2014-12345", "CVE-2016-7654321"), a brief description and references related vulnerability reports and advisories. 

Each CVE ID is formatted as CVE-YYYY-NNNNN. The YYYY portion is the year the CVE ID was assigned or the year the vulnerability was made public. 

Unlike vulnerability databases, CVE entries do not include risk, impact fix or other technical information.

9. Is CVE a vulnerability database?

CVE isn't a vulnerability database. CVE is designed to allow vulnerability databases and other tools to be linked together. It also facilitates comparisons between security tools and services. 

Check out the US National Vulnerability Database (NVD) that uses the CVE list identifiers and includes fix information, scoring and other information.

10. Can hackers use CVE to attack my organization?

The short answer is yes but many cybersecurity professionals believe the benefits of CVE outweigh the risks:

  • CVE is restricted to publicly known vulnerabilities and exposures.
  • It improves the shareability of vulnerabilities and exposures within the cybersecurity community.
  • Organizations need to protect themselves and their networks by fixing all potential vulnerabilities and exposures while an attacker only needs to find a single vulnerability and exploit it to gain unauthorized access. This is why a list of known vulnerabilities is so valuable and an important part of network security.
  • The growing agreement for the cybersecurity community to share information is reducing the attack vector of many cyber attacks. This is reflected in widespread acceptance that the CVE Board and CVE Numbering Authorities (CNAs) are key organizations in cybersecurity.

As a concrete example, many believe the ransomware WannaCry, which spread through the EternalBlue vulnerability, would have had less impact if the vulnerability was publicly shared.

11. What is the CVE Board?

The CVE Board is comprised of cybersecurity organizations including security tool vendors, academia, research institutions, government departments and agencies,  security experts and end-users of vulnerability information. 

The CVE Board provides critical input regarding data sources, product coverage, coverage goals, operating structure and strategic direction of the CVE program. 

All CVE Board discussions can be found via their email discussion archives and meeting archives. The CVE Board Character is also publicly accessible. 

12. What are CNAs?

CVE Numbering Authorities (CNAs) are organizations that identify and distribute CVE id numbers to researchers and vendors for inclusion in public announcements of new vulnerabilities. CNAs include software vendors, open source projects, coordination centers, bug bounty service providers and research groups.

CNAs are a federated systems that helps identify vulnerabilities and assigns them an ID without directly involving MITRE which is the primary CNA.

13. Who are CNAs?

There are currently 104 CNAs in 18 countries including many household names like Microsoft, Adobe, Apple, Cisco, Google, Hewlett Packard Enterprise, Huawei, IBM, Intel, Mozilla, Oracle, Red Hat, Siemens, Symantec, VMWare, Atlassian, Autodesk, Cloudflare, Elastic, GitHub, Kubernetes, Netflix and Salesforce. You can see the full list of CVE numbering authorities here.

14. What is a root CNA?

MITRE serves as the primary CNA while root CNAs cover a certain area or niche.

In many cases, a root CNA is a major company like Apple who posts vulnerabilities about its own products. In other cases, the root CNA may be focused on open source vulnerabilities. 

15. Where is the latest version of the CVE list?

The latest version of the CVE list can always be found on cve.mitre.org. While the CVE list is free, it can be hard to know which vulnerabilities affect your organization without additional tools. This is why many organizations now use tools that monitor for changes in the CVE list that affect them. 

New CVE identifiers are added daily. Look for sophisticated tools that automatically monitor you and your vendors for vulnerabilities. Managing third-party risks and fourth-party risks is a fundamental part of information risk management and your information security policy. Make vulnerability management part of your vendor risk management, third-party risk management framework and cyber security risk assessment processes.

16. How is a vulnerability or exposure added to CVE?

CVEs are added when a researcher finds a flaw or design oversight in software or firmware. The vendor does not have to see it as a vulnerability for it to be listed as a CVE. That said, the researcher may be required to provide evidence of how it could be used as part of an exploit.

The stronger the claim, the more likely it will be added to CVE and the more likely it will have a high Common Vulnerability Scoring System score in vulnerability databases.  

Potential CVEs reported by established vendors or other trusted parties will generally be added to the CVE list quickly.

17. Does CVE list all known vulnerabilities and exposures?

CVE does not list all known vulnerabilities and exposures. The goal of CVE is to be comprehensive and it is. Given the scale of vulnerabilities and exposures, it's likely an impossible task for one system to contain everything. 

18. What is the Common Vulnerability Scoring System (CVSS)?

The Common Vulnerability Scoring System (CVSS) is a set of open standards for assigning a number to a vulnerability to assess its severity. CVSS scores are used by the NVD, CERT, UpGuard and others to assess the impact of a vulnerability.

CVSS scores range from 0.0 to 10.0. The higher the number the higher degree of severity.

19. Where to learn more about CVE

For an exhaustive list of answers to your CVE related questions, we recommend reading the CVE's Frequently Asked Questions

20. How UpGuard can help protect your organization from vulnerabilities

UpGuard helps companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA protect their data and prevent data breaches.

Our data breach research has been featured in the New York Times, Bloomberg, Washington Post, Forbes and Techcrunch.

UpGuard can monitor your organization's and its vendor's websites for issues relating to DNSSEC, SSL, email spoofing, typosquatting, man-in-the-middle attacks and vulnerabilities.

UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection. 

We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and fourth-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure. Helping you scale your vendor risk management, third-party risk management and cyber security risk assessment processes.

Cybersecurity is becoming more important than ever before.

Book a demo today.


Related posts

Learn more about the latest issues in cybersecurity