What are Common Vulnerabilities & Exposures (CVE)?

In information security, two key terms describe compromises within organizations’ IT systems. In CVE contexts, a vulnerability is a weakness within a software system. This weakness can create an opportunity for a threat actor to exploit, gain access, or otherwise interfere with the system. For example, some common security vulnerabilities include missing data encryption, broken algorithms, bugs, and uploading potentially risky file types.  Exposure, on the other hand, is a step above vulnerability. Exposure occurs when a threat actor takes advantage of a vulnerability and performs unauthorized actions within a system. Essentially, an exposure is the logical outcome of a vulnerability.

For an issue to qualify for the CVE list, it must meet all of the following criteria.

1. Vendor acknowledgment. The vendor managing the hardware or software must determine that the flaw negatively impacts network security or creates a potential cybersecurity threat.

2. Poses a risk. The vendor must be able to provide evidence that the flaw interferes with their security policies.

3. Acts independently of other issues. There must be a way to resolve the flaw independently of any other bugs or issues within a system.

Affects one codebase. The flaw must only affect one product. If more than one vulnerability or exposure affects a codebase, each of those issues receives a separate CVE identifier. The exception is if a shared protocol or standard cannot operate without being vulnerable. In this case, the flaw is assigned a single CVE identifier.

As of Dec. 16, 2022, there are a total of 202,178 CVEs listed in the National Vulnerability Database. Also as of this date, the NVD has received 23,972 new CVEs so far in 2022. Below are some databases that list CVEs.

National Vulnerability Database

The National Vulnerability Database (NVD) is the most comprehensive database of security vulnerabilities and information about them. Each of the vulnerabilities on the CVE list is included in the National Vulnerability Database. This database covers additional information about risks that the CVE does not contain. The NVD is fully synchronized with the CVE list, so any changes or additions are included in the larger database. It’s important to note CVSS scores are not included in the CVE list and are instead posted in the NVD.

The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing a vulnerability’s severity. The vulnerability will receive a numerical score based on the extent of its severity. The National Infrastructure Advisory Council launched the framework in 2005, and the coding system ranges from zero to 10. The below CVSS numbers mean the following.

• 0.1 to 3.9: Low threat

• 4.0 to 6.9: Medium threat

• 7.0 to 8.9: High threat

• 9.0 to 10.0: Critical threat

If a flaw qualifies as a CVE, it receives a CVE identifier. These labels follow the general format CVE-YEAR-NUMBER. 

• The first number in the CVE string represents the year the vulnerability was first identified. 

• Following identification, CVE Numbering Authorities (CNAs) assign a unique number to each CVE.

• A CVE identified in 2006 that a CNA assigned the number 0794 would be labeled as CVE-2006-0794.

Currently 262 entities from 35 countries are certified to assign CVE IDs. These partners include IT developers, MITRE representatives, and security organizations. CNAs issue thousands of CVE IDs each year and typically handle CVEs in blocks to manage the large quantity. While only certified entities can issue CVE IDs, just about anyone can generate a CVE report. In fact, some organizations offer “bug bounties” to motivate people to find software vulnerabilities and report them to bug-tracking communities. These consumer-reported issues are often vulnerabilities in web applications rather than database vulnerabilities.

The CVE Details database pairs information from the NVD with vulnerability data gathered from other sources, such as vendor statements and the Exploit Database. The result is a list of CVEs that vendors can browse and sort by vendor, product, product version, type of vulnerability, and date. While this database lists CVEs, it also includes vulnerabilities other sources have received and validated. The CVE Details database also shows a CVE’s CVSS score.

The Vulnerability Database (VULDB) is a database that community efforts power. It lists best practices for managing vulnerabilities, responding to issues and risks, and preventing future vulnerabilities. A significant benefit of VULDB is the analytics it provides about vulnerability trends. Developers and IT and cybersecurity specialists can use these analyses to predict potential issues and create protocols for mitigating and resolving them.