What are Common Vulnerabilities & Exposures (CVE)?

Overview

What is a CVE? Common Vulnerabilities and Exposures (CVE) is a free service that publicly lists known computer and network security vulnerabilities. CVE acts as a glossary that allows security and IT professionals within organizations to learn about common security flaws so they can better protect their systems. CVE also allows various security systems and tools to exchange information.

The CVE list is maintained by the non-profit MITRE Corporation, although vendors, researchers, developers, and users also contribute. It’s worth noting that MITRE also advises federal agencies on scientific research, development, and cybersecurity protocols.

CVE is also a component of the Security Content Automation Protocol (SCAP), a framework of specifications that supports automated security and vulnerability management. The National Institute of Standards and Technology (NIST) oversees the open standards that underlie SCAP and how they should be used. Read on to learn more about CVE, the framework behind this program, and the databases that keep the public informed about these issues.

Exposure vs. vulnerability

In information security, two key terms describe compromises within organizations’ IT systems. In CVE contexts, a vulnerability is a weakness within a software system. This weakness can create an opportunity for a threat actor to exploit it, gain access, or otherwise interfere with the system. For example, common security vulnerabilities include missing data encryption, broken algorithms, bugs, and the ability to upload potentially risky file types.

Exposure, on the other hand, is a step above vulnerability. Exposure occurs when a threat actor takes advantage of a vulnerability and performs unauthorized actions within a system. Essentially, an exposure is the logical outcome of a vulnerability.

CVE criteria

For an issue to qualify for the CVE list, it must meet all of the following criteria.

  1. Vendor acknowledgment. The vendor managing the hardware or software must determine that the flaw negatively impacts network security or creates a potential cybersecurity threat.

  2. Poses a risk. The vendor must be able to provide evidence that the flaw interferes with their security policies.

  3. Acts independently of other issues. There must be a way to resolve the flaw independently of any other bugs or issues within a system.

  4. Affects one codebase. The flaw must only affect one product. If more than one vulnerability or exposure affects a codebase, each of those issues receives a separate CVE identifier. The exception is if a shared protocol or standard cannot operate without being vulnerable. In this case, the flaw is assigned a single CVE identifier.

CVE databases

As of Dec. 16, 2022, there are a total of 202,178 CVEs listed in the National Vulnerability Database. Also as of this date, the NVD has received 23,972 new CVEs so far in 2022. Below are some databases that list CVEs.

National Vulnerability Database

The National Vulnerability Database (NVD) is the most comprehensive database of security vulnerabilities and information about them. Each of the vulnerabilities on the CVE list is included in the National Vulnerability Database. This database covers additional information about risks that the CVE does not contain. The NVD is fully synchronized with the CVE list, so any changes or additions are included in the larger database. It’s important to note CVSS scores are not included in the CVE list and are instead posted in the NVD.

Common Vulnerability Scoring System

The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing a vulnerability’s severity. Each vulnerability receives a numerical score that reflects how severe it is. The National Infrastructure Advisory Council launched the framework in 2005, and scores range from zero to 10. The CVSS ranges mean the following.

  • 0.1 to 3.9: Low threat

  • 4.0 to 6.9: Medium threat

  • 7.0 to 8.9: High threat

  • 9.0 to 10.0: Critical threat

CVE identifiers

If a flaw qualifies as a CVE, it receives a CVE identifier. These labels follow the general format CVE-YEAR-NUMBER.

  • The first number in the CVE string represents the year the vulnerability was first identified.

  • Following identification, CVE Numbering Authorities (CNAs) assign a unique number to each CVE.

  • A CVE identified in 2006 that a CNA assigned the number 0794 would be labeled as CVE-2006-0794.

Currently 262 entities from 35 countries are certified to assign CVE IDs. These partners include IT developers, MITRE representatives, and security organizations. CNAs issue thousands of CVE IDs each year and typically handle CVEs in blocks to manage the large quantity. While only certified entities can issue CVE IDs, just about anyone can generate a CVE report. In fact, some organizations offer “bug bounties” to motivate people to find software vulnerabilities and report them to bug-tracking communities. These consumer-reported issues are often vulnerabilities in web applications rather than database vulnerabilities.
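As an added example (not Coalition's code, and not part of the original article), the snippet below validates CVE identifiers in the CVE-YEAR-NUMBER form described above and sorts a scanner feed into the CVSS bands listed in the previous section. Two details come from the CVE and CVSS specifications rather than from this page: the sequence part may be four or more digits (with no leading zeros beyond four), and CVSS reserves a score of 0.0 for "None". The feed itself is constructed for the demo.

```python
import re

# CVE-YEAR-NUMBER: 4-digit year, then a sequence of 4+ digits with no leading
# zeros beyond 4 digits (CVE ID syntax rule, not stated on this page).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4}|[1-9]\d{4,})$")

# Severity bands exactly as listed on this page (CVSS reserves 0.0 for "None").
CVSS_BANDS = [(0.1, 3.9, "Low"), (4.0, 6.9, "Medium"),
              (7.0, 8.9, "High"), (9.0, 10.0, "Critical")]

def parse_cve_id(cve_id: str):
    """Return (year, sequence) for a well-formed CVE ID, else None."""
    m = CVE_ID_RE.match(cve_id.strip().upper())   # scanners mix case
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the page's qualitative bands."""
    score = round(score, 1)          # CVSS scores carry one decimal place
    if score == 0.0:
        return "None"
    for low, high, label in CVSS_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"CVSS score out of range: {score}")

def triage(records):
    """Validate {'id','cvss'} records; return (findings ranked Critical-first, rejected IDs)."""
    findings, rejected = [], []
    for rec in records:
        parsed = parse_cve_id(rec["id"])
        if parsed is None:
            rejected.append(rec["id"])       # malformed IDs need a human look
            continue
        year, seq = parsed
        findings.append({"cve_id": f"CVE-{year}-{seq:04d}", "year": year,
                         "cvss": rec["cvss"],
                         "severity": cvss_severity(rec["cvss"])})
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings, rejected

# Constructed scanner feed: IDs and scores are made up for this demo.
SAMPLE_FEED = [
    {"id": "cve-2021-1234567", "cvss": 9.8},   # 7-digit sequence: valid
    {"id": "CVE-2022-0001", "cvss": 3.1},
    {"id": "CVE-22-1234", "cvss": 7.5},        # two-digit year: rejected
    {"id": "CVE-2019-123", "cvss": 8.0},       # sequence too short: rejected
    {"id": "CVE-2020-5678", "cvss": 6.9},
]
```

Calling `triage(SAMPLE_FEED)` returns the three well-formed entries ordered Critical, Medium, Low, and lists the two malformed IDs separately so they are reviewed rather than silently dropped.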

CVE Details

The CVE Details database pairs information from the NVD with vulnerability data gathered from other sources, such as vendor statements and the Exploit Database. The result is a list of CVEs that vendors can browse and sort by vendor, product, product version, type of vulnerability, and date. While this database lists CVEs, it also includes vulnerabilities other sources have received and validated. The CVE Details database also shows a CVE’s CVSS score.

Vulnerability Database

The Vulnerability Database (VULDB) is a community-driven database. It lists best practices for managing vulnerabilities, responding to issues and risks, and preventing future vulnerabilities. A significant benefit of VULDB is the analytics it provides about vulnerability trends. Developers and IT and cybersecurity specialists can use these analyses to predict potential issues and create protocols for mitigating and resolving them.

CVE management with Coalition

CVEs give vendors important information about issues that could pose significant vulnerabilities within their web applications or an organization’s network. Vendors in all industries must defend themselves and their customers against cybersecurity vulnerabilities and exposures.

Coalition helps simplify this process. To keep our policyholders safe, we're constantly scanning and monitoring their digital assets, sending personalized alerts for critical issues, such as new CVEs. All of this information is available in Coalition Control, our risk management platform. Coalition Control contains active monitoring software and personalized recommendations to improve a policyholder's security. In 2022, we sent 43,000 notifications to policyholders, alerting them to critical CVEs via Control. Between our Active Insurance monitoring, alerting via Control, and response, our policyholders can easily create systems fortified against these critical vulnerabilities.