How remote work is changing patch management Automated patch management: 9 best practices for success

Common Vulnerabilities and Exposures (CVE)

What are Common Vulnerabilities and Exposures (CVE)?

Common Vulnerabilities and Exposures (CVE) is a publicly listed catalog of known security threats. The catalog is sponsored by the United States Department of Homeland Security (DHS), and threats are divided into two categories: vulnerabilities and exposures.

Its cumbersome name notwithstanding, the CVE is simply a list of known cybersecurity vulnerabilities. To qualify for addition to the CVE, a vulnerability or flaw must be fixable independently of other flaws, acknowledged by a vendor to have a negative impact on security (currently or sometime in the future) and it must affect only one codebase (i.e., one product).

The list, which is maintained by the MITRE Corporation and supported by DHS's Cybersecurity and Infrastructure Security Agency (CISA), identifies, defines and publicly discloses cybersecurity vulnerabilities. This information can help enterprise security teams to better understand their organization's threat landscape and implement appropriate controls to mitigate known threats.

All publicly known cybersecurity vulnerabilities in the CVE contain an identification number (CVE ID), a description and one or more public references. Hundreds or thousands of CVE IDs are issued every year to account for the number of new vulnerabilities that are discovered each year.

The ID and description are part of the CVE record. Each vulnerability in the CVE catalog has one CVE record. CVE records are provided in multiple human and machine-readable formats.

When an organization reports a vulnerability to the CVE, it requests a CVE ID. The responsible CVE numbering authority (CNA) reserves the CVE ID. But before publicly disclosing the vulnerability, the CNA identifies the minimum required data elements for a CVE record and then confirms the reported vulnerability. It's only after the CNA's confirmation that the record is published to the CVE list.

What is a vulnerability in the CVE?

In the context of the CVE, a vulnerability refers to any flaw in a software, firmware, hardware or service component that can be exploited by a cybercriminal or other threat actors. The exploitation of a vulnerability can happen if an organization knows about it but fails to eliminate it through appropriate security measures. If the vulnerability is exploited, it may negatively impact the confidentiality, integrity or availability of the impacted component, and may hinder an organization's operations or data.

What is the goal of Common Vulnerabilities and Exposures?

The catalog's main purpose is to standardize the way each known vulnerability or exposure is identified. This is important because standard IDs allow security administrators to quickly access technical information about a specific threat across multiple CVE-compatible information sources.

Information technology and cybersecurity specialists can use the CVE and its records to understand, prioritize and address the vulnerabilities that exist in their organizations. They can also use the CVE to engage in useful discussions with colleagues and to coordinate their mitigation efforts.

What is the Common Vulnerability Scoring System (CVSS)?

The CVSS is one of many efforts that are related to but separate from the CVE. It provides a systematic method to understand a known vulnerability and quantify its severity as measured by a numerical score. The U.S. National Vulnerability Database (NVD) provides a CVSS calculator that enables security teams to create severity rating scores and prioritize CVE records.

Security teams can use the CVSS and CVSS calculator to score the severity of software vulnerabilities identified by CVE records. They can then convert the quantitative severity into a qualitative expression, such as low/medium/high/critical in order to prioritize vulnerability remediation activities, and to assess and improve their vulnerability management abilities.

vulnerability scores and categories
In the CVSS framework, higher scores correspond to more severe vulnerabilities.

What is the difference between Common Vulnerabilities and Exposures and Common Weakness Enumeration?

Common Vulnerabilities and Exposures (CWE) is the catalog of known vulnerabilities whereas Common Weakness Enumeration is a list of various types of software and hardware weaknesses. Simply put, the CWE lists weaknesses that may lead to a vulnerability.

Unlike the CVE, the CWE acts as a type of dictionary that enumerates the types of flaws in software/hardware architecture, design, code or implementation. These flaws might result in exploitable security vulnerabilities. Once known, these vulnerabilities make their way into the CVE.

Examples of software weaknesses that might lead to the introduction of vulnerabilities include the following:

Examples of hardware weaknesses that may lead to the introduction of vulnerabilities include the following:

  • Core and compute issues in CPUs or graphics processors.
  • Privilege separation and access control issues.
  • Shared resources.
  • Power and clock concerns.

CVE numbering authority (CNA) and root

A CVE numbering authority or CNA is any entity -- vendor, researcher, bug bounty provider organization, Computer Emergency Response Team, etc. -- that is given a coverage scope and the authority to both assign CVE IDs to vulnerabilities and publish CVE records. Scope refers to the CNA's specific responsibility for vulnerability identification, descriptions, referencing and publishing (on the CVE website) for the blocks of CVEs assigned to them.

A CNA must be authorized by the CVE program to be able to assign IDs and publish records. To be authorized, the CNA must have a public vulnerability disclosure policy and a public source for new vulnerability disclosures (to the CVE list).

In the CVE program, a Root refers to an organization authorized to recruit, train and govern one or more CNAs or other Roots. A Top-Level Root (TL-Root) is a Root that does not report to another Root and is responsible only to the CVE Board.

Explore the top 12 online cybersecurity courses and 10 cybersecurity certifications to boost your career. See how to fix the top five cybersecurity vulnerabilities and how to prevent 12 cybersecurity risks of remote work. Check out how, when and why to use incident response tools and how to build an incident response plan.

This was last updated in November 2023

Continue Reading About Common Vulnerabilities and Exposures (CVE)

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing