
Published: 22 July 2024
Contributors: Tasmiha Khan, Michael Goodwin

What is Common Vulnerabilities and Exposures (CVE)?

Common Vulnerabilities and Exposures (CVE) generally refers to the CVE list, a publicly disclosed catalog of information security vulnerabilities established and maintained by the MITRE Corporation.

The CVE catalog is more like a dictionary than a vulnerability database. It provides one name and one description for each vulnerability or exposure. In doing so, it enables communication between disparate tools and databases and helps improve interoperability and security coverage. CVE is free for public download and use. The CVE list feeds the US National Vulnerability Database (NVD).

CVE, the organization, is “an international, community-based effort that maintains a community-driven open data registry of publicly known cybersecurity vulnerabilities, known as the CVE list.”1

One of the fundamental challenges in cybersecurity is identifying and mitigating vulnerabilities that hackers can exploit to compromise applications, systems and data. CVE helps address this challenge by providing a standardized framework for cataloging and tracking cybersecurity vulnerabilities that organizations can use to improve vulnerability management processes.

The CVE system uses unique identifiers, known as CVE IDs (sometimes called CVE numbers), to label each reported vulnerability. This facilitates effective communication, collaboration and management of security flaws.

The MITRE Corporation created CVE in 1999 as a reference catalog for categorizing security vulnerabilities in software and firmware. The CVE system helps organizations discuss and share information regarding cybersecurity vulnerabilities, assess the severity of vulnerabilities and make computer systems more secure.

The CVE Editorial Board oversees the CVE program. The board includes members from cybersecurity-related organizations, academia, research institutions and government agencies, along with other prominent security experts. Among other tasks, the board approves data sources, product coverage and coverage goals for CVE List entries, and manages the ongoing assignment of new entries.2

US-CERT in the office of Cybersecurity and Communications at the US Department of Homeland Security (DHS) sponsors the CVE program.3


Vulnerabilities vs. exposures

The CVE program defines a vulnerability as “a weakness in the computational logic found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity or availability.” So a vulnerability refers to a weakness, such as a coding error, that can be used by attackers to gain unauthorized access to networks and systems, install malware, run code and steal or destroy sensitive data. An exposure enables that access.

Think of a house: A vulnerability is a window with a lock that is easy for a burglar to pick. An exposure is a window that someone forgot to lock.

What qualifies as a CVE?

To qualify as a CVE and be assigned a CVE identifier (CVE ID), a security flaw must meet the following criteria:

  • Fixable independent of other flaws: The flaw must be fixable separately from other vulnerabilities.

  • Acknowledged by the vendor or documented in a vulnerability report: The vendor must acknowledge that the bug exists and negatively impacts security. Or there must be a vulnerability report that demonstrates the bug’s negative impact on security and its violation of the affected system’s security policy.

  • Affecting one codebase: The bug must affect only one codebase (one product). Flaws that affect more than one product are assigned separate CVEs for each product.

How are CVE IDs assigned: CNAs and roots

CVE numbering authorities (CNAs) assign CVE IDs and publish CVE records within specific coverage scopes. The MITRE Corporation functions as editor and primary CNA. Other CNAs include major operating system (OS) and IT vendors (including IBM, Microsoft and Oracle), security researchers and other authorized entities. CNAs operate on a voluntary basis. There are currently 389 CNAs from 40 different countries.4

Roots and top-level roots

Roots are organizations that are authorized to recruit, train and govern CNAs or other roots within a specified scope.

Top-level roots are the highest-level roots and are responsible for “the governance and administration of a specified hierarchy, including roots and CNAs within that hierarchy.”5 There are currently two top-level roots in the CVE program: The MITRE Corporation and the Cybersecurity and Infrastructure Security Agency (CISA).

Additional information on the structure of the CVE organization is available on the CVE program's own website.

CVE record lifecycle

Anyone can submit a CVE report. Vulnerabilities are often discovered by cybersecurity researchers, security professionals, software vendors, members of the open source community and product users through various means, such as independent research, security assessments, vulnerability scanning, incident response activities or simply using a product. Many companies offer a bug bounty—a reward for finding and responsibly reporting vulnerabilities found in software.

Once a new vulnerability is identified and reported, it is submitted to a CNA for evaluation. A new CVE ID is then reserved for the vulnerability. This is the initial state of a CVE record.

After examining the vulnerability in question, the CNA submits details including which products it affects, any updated or fixed product versions, the type of vulnerability, its root cause and impact and at least one public reference. When these data elements have been added to the CVE record, the CNA publishes the record to the CVE list, making it publicly available.

The CVE entry then becomes part of the official CVE list, where it is accessible to cybersecurity professionals, researchers, vendors and users worldwide. Organizations can use CVE IDs to track and prioritize vulnerabilities within their environments, assess their exposure to specific threats and implement appropriate risk mitigation measures.

CVE identifiers (CVE IDs) and CVE records

CVE entries include a CVE ID, a brief description of the security vulnerability and references, including vulnerability reports and advisories. CVE IDs have a three-part construction:

  1. A CVE ID starts with the prefix “CVE”

  2. The second section is the year of the assignment

  3. The last section of the CVE ID is a sequential identifier

The full ID looks like this: CVE-2024-12345. This standardized ID helps ensure consistency and interoperability across different platforms and repositories, enabling stakeholders to reference and share information about specific vulnerabilities using a “common language.”

CVE records are associated with one of three states:

  • Reserved: This is the initial state, assigned to a CVE before it is publicly disclosed (when a CNA is examining the vulnerability).

  • Published: This is when a CNA has gathered and input the data associated with the CVE ID and published the record.

  • Rejected: In this stage, the CVE ID and record should not be used. However, the rejected record remains on the CVE list to inform users that the ID and record are invalid.
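The ID format and the three record states described above, worked through in Python. This is an added example, not code from IBM or the CVE program: the regular expression is a simplified reading of the published ID syntax (four-digit year, sequence number of at least four digits, no leading zeros once the sequence exceeds four digits), and the allowed state transitions (Reserved to Published or Rejected, Published to Rejected) are an assumption made here for illustration, as are the `CveRecord` class and its method names.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed simplification of the CVE ID syntax: "CVE", a 4-digit year, then a
# sequence number that is either exactly 4 digits (leading zeros allowed) or
# 5+ digits with a non-zero first digit. Not the CVE program's own validator.
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>0\d{3}|[1-9]\d{3,})$")

RESERVED, PUBLISHED, REJECTED = "RESERVED", "PUBLISHED", "REJECTED"

# Assumed legal transitions between the three states named in the text.
TRANSITIONS = {
    RESERVED: {PUBLISHED, REJECTED},
    PUBLISHED: {REJECTED},
    REJECTED: set(),
}


def parse_cve_id(text):
    """Normalise case/whitespace and split an ID into (year, sequence); None if malformed."""
    m = CVE_ID_RE.match(text.strip().upper())
    if not m:
        return None
    return int(m.group("year")), int(m.group("seq"))


@dataclass
class CveRecord:
    """Hypothetical minimal record: the ID plus the data elements a CNA must supply."""
    cve_id: str
    state: str = RESERVED
    description: Optional[str] = None
    affected: list = field(default_factory=list)
    references: list = field(default_factory=list)

    def publish(self, description, affected, references):
        # A record can only be published once the minimum data elements exist:
        # a description, at least one affected product and at least one public reference.
        if not (description and affected and references):
            raise ValueError("publication requires description, affected products and a reference")
        self._move(PUBLISHED)
        self.description = description
        self.affected = list(affected)
        self.references = list(references)

    def reject(self):
        # Rejected records stay on the list so readers know the ID must not be used.
        self._move(REJECTED)

    def usable(self):
        """Consumers should act only on published records."""
        return self.state == PUBLISHED

    def _move(self, new_state):
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"cannot move {self.cve_id} from {self.state} to {new_state}")
        self.state = new_state


if __name__ == "__main__":
    # Constructed walk-through of the lifecycle for a placeholder ID.
    rec = CveRecord("CVE-2024-12345")
    print(rec.state, rec.usable())
    rec.publish("placeholder description", ["example-product 1.0"], ["https://example.invalid/advisory"])
    print(rec.state, rec.usable())
    rec.reject()
    print(rec.state, rec.usable())
```

The parser accepts lower-case input and both the historical four-digit and the longer sequence numbers, which matters when IDs are pasted in from advisories or scanner output with inconsistent formatting.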

What is the Common Vulnerability Scoring System (CVSS)?

One way that organizations can assess the severity of vulnerabilities is by using the Common Vulnerability Scoring System (CVSS). The CVSS, operated by the Forum of Incident Response and Security Teams (FIRST), is a standardized method used by the National Vulnerability Database (NVD), Cybersecurity Emergency Response Teams (CERTs) and others to assess the severity and impact of reported vulnerabilities. It is separate from the CVE system but used alongside CVE: CVE record formats enable CNAs to add a CVSS score to CVE records when publishing records to the CVE list.6

The CVSS assigns a numerical score to vulnerabilities, ranging from 0.0 to 10.0, based on exploitability, impact scope and other metrics. The higher the score, the more severe the issue. This score helps organizations gauge the urgency of addressing a particular vulnerability and allocate resources accordingly. It is not uncommon for organizations to also use their own vulnerability scoring system.

CVSS scores are calculated based on scores from three metric groups—base, temporal and environmental—that incorporate different characteristics of a vulnerability.

Base metrics

Enterprises rely on base metric scores most, and public severity rankings, such as those provided in the National Institute of Standards and Technology (NIST) National Vulnerability Database, use the base metric score exclusively. The base metric score does not consider vulnerability characteristics that change over time (temporal metrics), real-world factors such as the user environment, or measures that an enterprise has taken to prevent the exploitation of a bug.

Base metrics are further broken down between exploitability metrics and impact metrics:

  • Exploitability metrics include factors such as attack vector, attack complexity and privileges required.

  • Impact metrics include confidentiality impact, integrity impact and availability impact.7

Temporal metrics

Temporal metrics measure a vulnerability in its current state and are used to reflect the severity of an impact as it changes over time. They also incorporate any remediations such as available patches. Exploit code maturity, remediation level and report confidence are all components of the temporal metric score.

Environmental metrics

Environmental metrics enable an organization to adjust the base score according to its own environment and security requirements. This score helps put a vulnerability in clearer context as it relates to the organization and includes a confidentiality requirement score, an integrity requirement score and an availability requirement score. These metrics are calculated along with modified base metrics that measure the specific environment (such as modified attack vector and modified attack complexity) to reach an environmental metrics score.

Impact of CVE on vulnerability management

The CVE program represents a collaborative and systematic approach to identifying, cataloging and addressing cybersecurity vulnerabilities and exposures. By offering a standardized system for identifying and referencing vulnerabilities, CVE helps organizations improve vulnerability management in several ways:

Share information

CVE helps organizations discuss and share information regarding a vulnerability using a common identifier. For example, security advisories often publish lists of CVEs, along with CVSS scores, that companies use to inform their risk management strategies and patch planning cycles.

Strengthen cybersecurity posture

CVE helps organizations effectively manage security risks, enhance threat visibility and threat intelligence and strengthen their overall cybersecurity posture in an increasingly complex and dynamic threat landscape.

Better correlate data

CVE IDs facilitate data correlation and enable IT teams to scan multiple sources for information on a particular vulnerability.
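The correlation role described here, shown as an added Python example rather than anything from IBM or the CVE program: findings from two constructed sources (a hypothetical scanner export that mentions CVE IDs in free text, and a hypothetical advisory feed) are merged on the normalised CVE ID, so that one entry per vulnerability records which hosts report it, the highest score seen and the fix version an advisory names. The IDs, hosts and scores are placeholders.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed scanner output: one finding per host, CVE IDs embedded in text with
# inconsistent casing, plus a configuration finding that carries no CVE at all.
SCANNER_FINDINGS = [
    {"host": "web-01", "text": "Outdated library (CVE-2024-10001, CVE-2024-10002)", "cvss": 7.5},
    {"host": "web-02", "text": "cve-2024-10001 detected in bundled component", "cvss": 7.5},
    {"host": "db-01", "text": "Weak TLS configuration", "cvss": 5.3},
]

# Constructed advisory feed keyed on the same identifiers.
ADVISORIES = [
    {"id": "ADV-1", "cves": ["CVE-2024-10001"], "cvss": 9.8, "fixed_in": "1.2.3"},
    {"id": "ADV-2", "cves": ["CVE-2024-10003"], "cvss": 4.3, "fixed_in": "2.0.1"},
]


def extract_cve_ids(text):
    """Pull every CVE ID out of free text, upper-cased so sources agree on the key."""
    return {m.group(0).upper() for m in CVE_RE.finditer(text)}


def _new_entry():
    return {"hosts": set(), "max_cvss": 0.0, "advisories": [], "fixed_in": None}


def correlate(scanner_findings, advisories):
    """Build one entry per CVE ID combining what each source knows about it."""
    table = {}
    for f in scanner_findings:
        for cve in extract_cve_ids(f["text"]):
            e = table.setdefault(cve, _new_entry())
            e["hosts"].add(f["host"])
            e["max_cvss"] = max(e["max_cvss"], f["cvss"])
    for a in advisories:
        for cve in a["cves"]:
            e = table.setdefault(cve.upper(), _new_entry())
            e["advisories"].append(a["id"])
            e["fixed_in"] = a["fixed_in"]
            e["max_cvss"] = max(e["max_cvss"], a["cvss"])
    return table


def prioritized(table):
    """CVEs actually observed on a host, highest score first, then by host count, then by ID."""
    observed = [c for c, e in table.items() if e["hosts"]]
    return sorted(observed, key=lambda c: (-table[c]["max_cvss"], -len(table[c]["hosts"]), c))


if __name__ == "__main__":
    table = correlate(SCANNER_FINDINGS, ADVISORIES)
    for cve in prioritized(table):
        e = table[cve]
        print(cve, e["max_cvss"], sorted(e["hosts"]), e["advisories"], e["fixed_in"])
```

Advisory-only IDs (here CVE-2024-10003) stay in the table for reference but are left out of the prioritised list, since nothing in the environment reports them; the configuration finding without a CVE is not lost either, it simply cannot be joined on this key and needs a different identifier.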

Select tools and strategies

The CVE list is used to help determine which security tools are best for an organization's needs and to create risk management strategies that consider known vulnerabilities and the potential impact these security issues might have on enterprise systems and data. With this information, organizations can better determine how certain products fit with their security posture and take steps to minimize their exposure to cyberattacks and data breaches.

CVE vs. CWE

CVE is a catalog of known cybersecurity vulnerabilities, where one CVE ID is specific to one software flaw. The Common Weakness Enumeration (CWE) is an IT community project that lists different types, or categories, of hardware and software weaknesses, such as buffer errors, authentication errors or CPU issues. These weaknesses might lead to a vulnerability.
