What Is the Common Vulnerabilities and Exposures Glossary (CVE)?
The Common Vulnerabilities and Exposures (CVE) glossary is a software security project maintained by the MITRE Corporation and funded by the US Division of Homeland Security.
MITRE does not define the CVE project as a database. Rather, the CVE serves as a dictionary or glossary of publicly available vulnerabilities and exposures, providing an industry baseline to facilitate clear communication around each vulnerability. The goal is to provide security advisories, databases, and bug trackers a common language for communicating about the same vulnerability.
The project collects information about security vulnerabilities and exposures using SCAP (the Security Content Automation Protocol) and catalogs each one under a unique identifier. The NVD (National Vulnerability Database) publishes a CVE with a corresponding security analysis a few days after it is published to the MITRE vulnerability database.
In this article:
- How the CVE Glossary Works
- How is a Vulnerability or Exposure Added to CVE?
- CVE and CVSS
- CVE Security Benefits and Limitations
How the CVE Glossary Works
The CVE glossary contains a list of entries, each including a unique ID number, public reference, and description. Each CVE refers to a specific exposure or vulnerability, defined as follows:
- A security vulnerability — an error in software code that provides threat actors with direct access to a network or system. Direct access enables actors to act as superusers or system administrators with full privileges.
- An exposure — a flaw that provides a threat actor with indirect access to a system or network. Indirect access enables actors to collect information.
The CVE project provides a system for identifying and managing exposures and vulnerabilities. Here is how a CVE listing is created:
- A developer, organization, or code author identifies an exposure or vulnerability.
- The CVE Numbering Authority (CNA) specifies the CVE ID number for the exposure or vulnerability.
- The CNA writes a brief description of the specific issue and includes references. The description
- The final CVE entry is added to the CVE glossary and posted on the CVE website.
Note that CVE descriptions don’t include technical information, details about fixes, or data about specific effects of the flaw. This information is offered by databases such as the US NVD (National Vulnerability Database) and the CERT/CC Vulnerability Notes Database. The NVD provides CVSS-Based scores, information on fixes, and other details required for mitigation.
How Is a Vulnerability or Exposure Added to CVE?
The CVE project receives reports from many sources, including researchers, vendors, and users, and sends this information to a CNA. Vendors usually keep identified flaws secret until fixes are developed or tested to minimize the probability of exploitations.
The project works with around 100 CNAs representing security and IT vendors and research entities. CNAs are responsible for assigning a CVE ID, writing a brief description with references, and posting the entry on the CVE website. The MITRE Corporation can also issue a CVE identifier.
CNAs assign CVE identifiers according to a set of criteria that each flaw must meet:
- Independently fixable — it is possible to fix the flaw independently of other bugs.
- Acknowledged by the vendor OR documented — the affected vendor has acknowledged the flaw and admits it negatively impacts security. Or, the reporter shared a vulnerability report detailing the negative impact of the flaw AND shows it violates the security policy of the affected network or system.
- Affecting one codebase — a flaw impacting more than one product gets a separate CVE ID. A flaw affecting shared libraries, standards, or protocols gets a single CVE only if the shared code cannot be used without making the software vulnerable. Otherwise, each affected product or codebase gets a unique CVE.
CVE and CVSS
The CVE promotes integration with other services and products, making the CVE glossary available in several human- and machine-readable formats. The CVSS (Common Vulnerability Scoring System) leverages the CVE glossary to add value to vulnerability management programs.
The CVSS is a standard that produces a numerical score to reflect a vulnerability’s severity using the CVE glossary and other sources. Organizations leverage the CVSS to prioritize vulnerabilities and assess vulnerability management programs.
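The following is an added example, not code from the article or from MITRE/NVD, showing the division of labour described above: a glossary entry carries only an ID, a description and references, while the NVD analysis keyed by the same CVE ID supplies the CVSS base score used for prioritization. All records are constructed, the CVE IDs are placeholders, and the nested NVD field layout is an assumption modelled on the NVD 2.0 JSON feed.

```python
import re
from typing import Optional

# Constructed glossary-style entries: ID, description and references are all the CVE glossary carries.
CVE_ENTRIES = [
    {"id": "CVE-2099-0001", "description": "Overflow in example-httpd parser", "references": ["https://example.invalid/a/1"]},
    {"id": "CVE-2099-0002", "description": "Info leak in example-lib debug page", "references": ["https://example.invalid/a/2"]},
    {"id": "CVE-2099-12345", "description": "Privilege escalation in example-agent", "references": ["https://example.invalid/a/3"]},
]

# Constructed NVD-style analysis keyed by CVE ID. The nesting is modelled on the
# NVD 2.0 JSON feed (an assumption; check it against the feed you actually consume).
NVD_ANALYSIS = {
    "CVE-2099-0001": {"metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}},
    "CVE-2099-12345": {"metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.8}}]}},
    # CVE-2099-0002 is deliberately absent: NVD analysis lags CVE publication by days.
}

# CVE IDs are CVE-<year>-<sequence>, where the sequence has four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def is_valid_cve_id(cve_id: str) -> bool:
    return bool(CVE_ID_RE.match(cve_id))

def cvss_severity(score: Optional[float]) -> str:
    """CVSS v3.x qualitative rating; UNSCORED when NVD has not analysed the entry yet."""
    if score is None:
        return "UNSCORED"
    for ceiling, label in ((0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH")):
        if score <= ceiling:
            return label
    return "CRITICAL"

def base_score(nvd_record: Optional[dict]) -> Optional[float]:
    """Extract the CVSS v3.1 base score from an NVD-style record, if one exists."""
    v31 = (nvd_record or {}).get("metrics", {}).get("cvssMetricV31", [])
    return v31[0]["cvssData"]["baseScore"] if v31 else None

def prioritize(entries: list, nvd: dict) -> list:
    """Join glossary entries to NVD analysis on the CVE ID and order by severity."""
    rows = []
    for entry in entries:
        if not is_valid_cve_id(entry["id"]):
            raise ValueError(f"malformed CVE ID: {entry['id']!r}")
        score = base_score(nvd.get(entry["id"]))
        rows.append({"id": entry["id"], "score": score, "severity": cvss_severity(score)})
    # Unscored entries sort last but stay in the list: "no score yet" is not "no risk".
    return sorted(rows, key=lambda r: (r["score"] is None, -(r["score"] or 0.0)))
```

The join on the CVE ID is the whole point of the common language: the same key works against NVD, CERT/CC or a vendor advisory, and an entry that is still unscored is surfaced rather than silently dropped.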
CVE Security Benefits and Limitations
Here are the main benefits of the CVE project:
- Assessments — organizations, software vendors, and security entities use the CVE glossary as a baseline for evaluating security tools. CVE identifiers help organizations learn each tool’s scope of coverage and determine whether it is appropriate for their use case.
- Communication — CVE IDs enable organizations to quickly obtain accurate information about a specific exposure or vulnerability from several data sources and effectively coordinate all efforts to prioritize and handle the issue.
- Identification — security advisories use CVE IDs and details when monitoring for known attack signatures. It enables these tools to accurately and rapidly identify known vulnerabilities and exploits.
Here are the main limitations of the CVE project:
- Very little information — by design, the CVE is intended to serve as a glossary rather than a full vulnerability database. It provides only an ID, a brief description, and references for more information. It does not include all information required to run a complete vulnerability management program.
- Relevant to unpatched software — the CVE lists vulnerabilities found in unpatched software. A modern, risk-based approach to vulnerability management recognizes that other types of vulnerabilities can introduce risks that don’t meet the definition of a CVE and are not listed in the CVE glossary.