A Guide to Common Vulnerabilities and Exposures (CVEs)

What are Common Vulnerabilities and Exposures (CVEs)?

Common Vulnerabilities and Exposures (CVE for short) is a list of information security vulnerabilities or flaws in software or hardware that have been disclosed to the public. CVE’s are intended to standardize vulnerability identification, giving common language to IT professionals. The CVE program is currently run by the MITRE Corporation with funding from the Cybersecurity and Infrastructure Security Agency (CISA).

How it Works

The CVE number, identifier, or sometimes called ID, is the publicly referenced identifier assigned to a vulnerability and looks something like this: CVE-2022-12345. Let’s break down what it means.

1. All CVE’s begin with the “CVE” prefix denoting that it’s a vulnerability and part of the CVE database.

2. The second section contains the year that the CVE was assigned.

3. The third section includes four or more digits and gives each CVE a unique value for a given year.

Together the three parts comprise a unique identifier for a vulnerability. In this case, CVE-2022-38005 tells us: 1) this is a vulnerability that is part of the CVE database, 2) it was added to the database in 2022, 3) it has a unique identifying signature.

The CVE ID is assigned by an authorized party, called a CVE Number Authority (CNA). CNAs are partner organizations authorized by the CVE program to issue CVE IDs and publish a CVE record within a specific scope of coverage. These organizations can be things like research groups, software vendors, bug bounty service providers, and hosting providers, just to name a few. The scope of coverage can vary from vulnerabilities pertaining to specific software all the way to particular technologies. For example, Adobe Systems is a CNA whose scope is specific to Adobe products. Dragos Inc. on the other hand is a CNA with a wider scope on operational technology (OT)/industrial control systems (ICS) rather than any specific products. For a full list of CNAs, see here.

The Process

When a CVE is discovered it is reported to a CNA. The CNA requests and reserves a CVE ID for the vulnerability. Once the proper information has been received and the vulnerability is ready for public disclosure, the CVE is published by the responsible CNA. 

MITRE contains a listing for each CVE in its database with basic information such as a description, references, and the date the CVE record was created. The CVE ID, provides a reference point to additional information such as The National Vulnerability Database (NVD), vendor documentation, and open-source reporting. Being able to reference a universal CVE ID gives the community a precise and straightforward way to discuss a specific vulnerability.

What's Next?

Now that you know more about CVEs, see this blog post which details the benefits of adopting Risk-Based Vulnerability Management (RBVM) - a better way to add context to your vulnerability management program. An RBVM approach acknowledges that organizations will face evolving threats, but that not all of them are equal. By prioritizing CVEs on the risk they pose — is the vulnerability already being exploited in the wild, could it provide an attacker access to your internal systems? —  IT and Security teams more effectively prioritize where they spend their time patching vulnerabilities.

Resources:

• Process | CVE

• National Institute of Standards and Technology (NVD)

• Known Exploited Vulnerabilities Catalog | CISA