What is the Common Vulnerabilities and Exposures Glossary (CVE)?
The Common Vulnerabilities and Exposures (CVE) is a catalog that aims to standardize the identification of known cyber threats. It provides a reference list to help security teams bolster their threat intelligence and vulnerability management efforts.
What is a security vulnerability?
A security vulnerability is a weakness in an application that threat actors can exploit to obtain unauthorized access and launch various cyber attacks. Threat actors can leverage security vulnerabilities to access or modify sensitive data, run malicious code on a target system, or install malware.
What are exposures?
Exposures are security threats that can potentially provide threat actors with access to internal systems and networks. Threat actors rely on exposures in software systems to orchestrate data leaks that can compromise sensitive information.
How the CVE helps
The potential threats listed in the database have CVE identifiers as well as standardized names. The CVE also provides insights to help design a comprehensive security policy and periodic security reports. Cross-functional teams use the CVE as a standard format to share information. It serves as a starting point in implementing security strategies.
The MITRE corporation oversees the CVE program, and the Cybersecurity and Infrastructure Security Agency (CISA), a branch of the U.S. Department of Homeland Security, funds it.
In this article:
- Difference Between a Vulnerability and an Exposure
- Managing Vulnerabilities with CVE
- What Qualifies for a CVE?
- What’s the Difference Between CVE and CVSS?
- The Benefits and Risks of the CVE Database
- Risks Involved in Publishing a New CVE
Difference Between a Vulnerability and an Exposure
Threat actors can exploit a vulnerability to gain unauthorized access to systems or perform unauthorized actions. Vulnerabilities can allow threat actors to gain direct access to a network or system, install malware, run code, and access internal systems to destroy, modify, or steal sensitive data. If a vulnerability goes undetected, it can allow a threat actor to pose as a system administrator with full access privileges or super-user.
Exposures are mistakes that provide threat actors access to a network or system. Exposures allow threat actors to access and exfiltrate personally identifiable information (PII).
Related content: Read our guide to vulnerability examples.
Managing Vulnerabilities with CVE
CVE includes brief entries that do not include technical data or information about impacts, risks, and fixes. You can find these details in other databases, such as the US National Vulnerability Database (NVD), the CERT/CC Vulnerability Notes Database, and commercial lists maintained.
The main goal of CVEs is to standardize each exposure and vulnerability. It categorizes software vulnerabilities, acting as a dictionary to enhance security. Organizations leverage CVEs to identify and detect emerging vulnerabilities.
Using the CVE IDs for vulnerabilities, organizations get CVE-compatible information and access information about specific cyber threats. This accurate information helps plan for remediation after detecting vulnerabilities.
What Qualifies for a CVE?
The CVE list includes only vulnerabilities and exposures that meet the following criteria:
- Verified by the affected vendor or via other documentation as impacting security negatively.
- Fixable independently by the end-user.
- Relevant to a single affected product or codebase. A vulnerability affecting more than one product gets separate CVEs.
CVE Numbering Authorities (CNAs) regularly assign CVE IDs to vulnerabilities and create and publish information about vulnerabilities in their associated CVE records. There are several CNAs, each with specific responsibilities for identifying and publishing vulnerabilities.
In addition to their monitoring activities, CNAs use various channels to learn about potential CVEs, such as end-users, bug bounty programs, and cybersecurity companies. Not all CVEs are published immediately to the public CVE list. Affected vendors can reserve a CVE record until the fix is ready.
What’s the Difference Between CVE and CVSS?
The Common Vulnerability Scoring System (CVSS) standardizes scoring across vulnerability management programs. Since this system indicates the severity of a security vulnerability, many vulnerability scanning tools rely on it for prioritization.
CVSS represents a vulnerability’s overall score, while the CVE list includes all publicly disclosed vulnerabilities and their CVE ID, description, comments, and dates. CVSS scores are not reported in the CVE list. You can find the assigned CVSS scores in the NVD.
The Benefits and Risks of the CVE Database
The CVE list provides many benefits, including:
- Centralized vulnerabilities management—the CVE offers a centralized place to manage and review vulnerabilities, regardless of the point of origin. Organizations using different software products can employ the CVE list to gain insights into vulnerabilities in all products.
- Consistent evaluation—the MITRE Corporation serves as the functional editor of the CVE list, ensuring vulnerabilities are evaluated consistently. There is no need to worry that a vulnerability is skipped over because of poor management or that duplicates and wrong number assignments muddle the list.
- Common formatting and descriptions—in most cases, the CVE list offers the same data fields for all entries. Since the formatting is the same, it makes it easier to review and compare vulnerabilities.
- Encouraged public sharing of knowledge—the CVE list encourages public sharing of information. Once a company discovers a vulnerability using published software, they are incentivized to report it. Many companies have systems to identify, catalog, and communicate information about vulnerabilities. However, the CVE streamlines the process and standardizes the information.
- Research and better security—the CVE provides cybersecurity experts and organizations with information about vulnerabilities and exposures. The CVE list can help research software products, proactively identify possible vulnerabilities, and find solutions and workarounds before it is too late.
Risks Involved in Publishing a New CVE
It may seem risky to publicize information about security vulnerabilities and flaws. Since the list is publicly available, threat actors can also access the information. They could use the list to exploit disclosed vulnerabilities and attack individuals and companies. However, the security community has come to accept that transparency is more important in this case.
The consensus is that the potential benefits of disclosing vulnerabilities and exposures outweigh the risks. Here is why:
- It gives organizations an advantage—it takes far longer for one organization to patch or protect against a vulnerability than it for a threat actor to exploit it. Circulating information about vulnerabilities as early and efficiently as possible becomes vital to ensuring organizations can defend timely.
- It does not provide threat actors much of an advantage—the CVE lists only publicly known security vulnerabilities. It means skilled and resourceful threat actors already know about these vulnerabilities and do not need the CVE list to gain any significant advantage.
Security Testing with Bright Security
Bright Security helps address the shortage of security personnel, enabling AppSec teams to provide governance for security testing, and enabling every developer to run their own security tests.
Bright empowers developers to incorporate an automated Dynamic Application Security Testing (DAST), earlier than ever before, into their unit testing process so they can resolve security concerns as part of their agile development process. Bright’s DAST platform integrates into the SDLC fully and seamlessly:
- Test results are provided to the CISO and the security team, providing complete visibility into vulnerabilities found and remediated
- Tickets are automatically opened for developers in their bug tracking system so they can be fixed quickly
- Every security finding is automatically validated, removing false positives and the need for manual validation
Bright Security can scan any target, whether Web Apps, APIs (REST/SOAP/GraphQL) and Websockets to help enhance DevSecOps and achieve regulatory compliance with our real-time, false positive free actionable reports of vulnerabilities. In addition, our ML-based DAST solution provides an automated solution to identify Business Logic Vulnerabilities.