What is CVE (Common Vulnerabilities and Exposures)?

The CVE catalog is more like a dictionary than a CVE database. It provides one name and one description for each vulnerability or exposure. In doing so, it enables communication between disparate tools and databases and helps improve interoperability and security coverage. CVE is free or public download and use. The CVE list feeds the US National Vulnerability Database (NVD).

CVE, the organization, is “an international, community-based effort that maintains a community-driven open data registry of publicly known cybersecurity vulnerabilities, known as the CVE list.”¹

One of the fundamental challenges in cybersecurity is identifying and mitigating vulnerabilities that hackers can exploit to compromise applications, systems and data. CVE helps address this challenge by providing a standardized framework for cataloging and tracking cybersecurity vulnerabilities that organizations can use to improve vulnerability management processes.

The CVE system uses unique identifiers, known as CVE IDs (sometimes called CVE numbers), to label each reported vulnerability. This facilitates effective communication, collaboration and management of security flaws.

The MITRE Corporation created CVE in 1999 as a reference catalog for categorizing security vulnerabilities in software and firmware. The CVE system helps organizations discuss and share information regarding cybersecurity vulnerabilities, assess the severity of vulnerabilities and make computer systems more secure.

The CVE Editorial Board oversees the CVE program. The board includes members from cybersecurity-related organizations, members from academia, research institutions, government agencies and other prominent security experts. Among other tasks, the board approves data sources, product coverage, coverage goals for CVE List entries and manages the ongoing assignment of new entries.¹

US-CERT in the office of Cybersecurity and Communications at the US Department of Homeland Security (DHS) sponsors the CVE program.¹

The CVE program defines a vulnerability as “a weakness in the computational logic found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity or availability.” So a vulnerability refers to a weakness, such as a coding error, that can be used by attackers to gain unauthorized access to networks and systems, install malware, run code and steal or destroy sensitive data. An exposure enables that access.

Think of a house: A vulnerability is a window with a lock that is easy for a burglar to pick. An exposure is a window that someone forgot to lock.

To qualify as a CVE, and be assigned a CVE identifier (CVE ID), security flaws must meet the certain criteria:

• Fixable independent of other flaws: The flaw must be fixable separately from other vulnerabilities.
  
  
• Acknowledged by the vendor or documented in a vulnerability report: The vendor must acknowledge that the bug exists and negatively impacts security. Or there must be a vulnerability report that demonstrates the bug’s negative impact on security and its violation of the affected system’s security policy.
  
  
• Affecting one codebase: The bug must affect only one codebase (one product). Flaws that affect more than one product are assigned separate CVEs for each product.
  

CVE numbering authorities (CNAs) assign CVE IDs and publish CVE records within specific coverage scopes. The MITRE corporation functions as editor and primary CNA. Other CNAs include major operating system (OS) and IT vendors (including IBM, Microsoft and Oracle), security researchers and other authorized entities. CNAs operate on a voluntary basis. There are currently 389 CNAs from 40 different countries.²

Roots are organizations that are authorized to recruit, train and govern CNAs or other roots within a specified scope.

Top-level roots are the highest-level roots and are responsible for “the governance and administration of a specified hierarchy, including roots and CNAs within that hierarchy.”³ There are currently two top-level roots in the CVE program: The MITRE Corporation and the Cybersecurity and Infrastructure Security Agency (CISA).

Additional information on the structure of the CVE organization can be found here.

Anyone can submit a CVE report. Vulnerabilities are often discovered by cybersecurity researchers, security professionals, software vendors, members of the open source community and product users through various means, such as independent research, security assessments, vulnerability scanning, incident response activities or simply using a product. Many companies offer a bug bounty—a reward for finding and responsibly reporting vulnerabilities found in software.

Once a new vulnerability is identified and reported, it is submitted to a CNA for evaluation. A new CVE is then reserved for the vulnerability. This is the initial state of a CVE record.

After examining the vulnerability in question, the CNA submits details including which products it affects, any updated or fixed product versions, the type of vulnerability, its root cause and impact and at least one public reference. When these data elements have been added to the CVE record, the CNA publishes the record to the CVE list, making it publicly available.

The CVE entry then becomes part of the official CVE list, where it is accessible to cybersecurity professionals, researchers, vendors and users worldwide. Organizations can use CVE IDs to track and prioritize vulnerabilities within their environments, assess their exposure to specific threats and implement appropriate risk mitigation measures.

CVE entries include a CVE ID, a brief description of the security vulnerability and references, including vulnerability reports and advisories. CVE IDs have a three-part construction:

1. A CVE ID start with the prefix “CVE”
   
   
2. The second section is the year of the assignment
   
   
3. The last section of the CVE ID is a sequential identifier

The full ID looks like this: CVE-2024-12345. This standardized ID helps ensure consistency and interoperability across different platforms and repositories, enabling stakeholders to reference and share information about specific vulnerabilities using a “common language.”

CVE records are associated with one of three states:

• Reserved: This is the initial state assigned to a CVE before it is publicly disclosed (when a CNA is examining the vulnerability).
  
  
• Published: This is when a CNA has gathered and input the data associated with the CVE ID and published the record.
  
  
• Rejected: In this stage, the CVE ID and record should not be used. However, the rejected record remains on the CVE list to inform users that the ID and record are invalid.
  

One way that organizations can assess the severity of vulnerabilities is by using the Common Vulnerability Scoring System (CVSS). The CVSS, operated by the Forum of Incident Response and Security Teams (FIRST), is a standardized method used by the National Vulnerability Database (NVD), Cybersecurity Emergency Response Teams (CERTs) and others to assess the severity and impact of reported vulnerabilities. It is separate from the CVE system but used alongside CVE: CVE record formats enable CNAs to add a CVSS score to CVE records when publishing records to the CVE list.²

The CVSS assigns a numerical score to vulnerabilities, ranging from 0.0 to 10, based on exploitability, impact scope and other metrics. The higher the score, the more severe the issue. This score helps organizations gauge the urgency of addressing a particular vulnerability and allocate resources accordingly. It is not uncommon for organizations to also use their own vulnerability scoring system.

CVSS scores are calculated based on scores from three metric groups—base, temporal and environmental—that incorporate different characteristics of a vulnerability.

Enterprises rely on base metric scores most, and public severity rankings such as those provided in the National Institute of Standards and Technology (NIST) National Vulnerability Database, use the base metric score exclusively. This base metrics score does not consider vulnerability characteristics that change over time (temporal metrics), real-world factors such as user environment or measures that an enterprise has taken to prevent the exploitation of a bug.

Base metrics are further broken down between exploitability metrics and impact metrics:

• Exploitability metrics include factors such as attack vector, attack complexity and privileges required.
  
  
• Impact metrics include confidentiality impact, integrity impact and availability impact.⁴
  

Temporal metrics measure a vulnerability in its current state and are used to reflect the severity of an impact as it changes over time. They also incorporate any remediations such as available patches. Exploit code maturity, remediation level and report confidence are all components of the temporal metric score.

Environmental metrics enable an organization to adjust the base score according to its own environment and security requirements. This score helps put a vulnerability in clearer context as it relates to the organization and includes a confidentiality requirement score, an integrity requirement score and an availability requirement score. These metrics are calculated along with modified base metrics that measure the specific environment (such as modified attack vector and modified attack complexity) to reach an environmental metrics score.

The CVE program represents a collaborative and systematic approach to identifying, cataloging and addressing cybersecurity vulnerabilities and exposures. By offering a standardized system for identifying and referencing vulnerabilities, CVE helps organizations improve vulnerability management in several ways:

CVE is a catalog of known cybersecurity vulnerabilities, where one CVE ID is specific to one software flaw. The Common Weaknesses Enumeration (CWE) is an IT community project that lists different types, or categories, of hardware and software weaknesses, such as buffer errors, authentication errors or CPU issues. These weaknesses might lead to a vulnerability.