CVE: Common Vulnerabilities & Exposures - A Database of Vulnerabilities - DefenseLead

The Common Vulnerabilities and Exposures (CVE) list is a collective catalogue of publicly known security vulnerabilities and exposures, each assigned a unique identifier. Every entry carries an identification number (the CVE ID), a description, and references for the vulnerability.

It was officially launched in 1999 and is maintained by The MITRE Corporation, a non-profit organization that operates the United States National Cybersecurity FFRDC.

Before CVE existed, each vendor maintained its own vulnerability database with its own identifiers, which made it very difficult to share data across different databases and tools. CVE was introduced to provide a common reference for each vulnerability, so that every tool can exchange data with other tools.

CVE Numbering Authority (CNA):

CVE identification numbers are allocated by CVE Numbering Authorities (CNAs). There are more than 150 of them from 30 countries, representing IT vendors, security companies, organizations, researchers, vulnerability discoverers, and reporters (Source: here).

Anyone can report a flaw and bring it to the attention of the CVE organization. The information then makes its way to a CNA, which assigns a CVE ID to it and provides a brief description with supporting references.

Once a fix for the security flaw has been developed or tested, the CNA posts the new entry publicly on the CVE website. Until then the flaw is kept confidential, to reduce the chance that the unpatched flaw is exploited.

Criteria for CVE:

CVE IDs are designated to the security flaws which meet a certain specific set of criteria:

Set of criteria for CVE
  • Independently Fixable – The security flaw can be fixed independently of any other bug.
  • Acknowledged by the Affected Vendor and Documented – Either the affected vendor acknowledges that the bug has a negative impact on security, or the reporter has shared documentation demonstrating that the bug violates the security policy of the affected system.
  • Affecting One Codebase – A security flaw that affects more than one product gets a different CVE for each.

Syntax format of CVE:

The standard syntax format of a CVE ID is of variable length and consists of:

CVE Prefix + Year + Sequential Digits


A CVE ID consists of three parts. The prefix is identical for every ID and is always ‘CVE’. This is followed by a four-digit year, which is not the year the vulnerability was found but the year it was publicly reported. The sequential part of a CVE ID consists of 4-7 digits.

For example, CVE-2017-0148 is one of the vulnerabilities reported by Microsoft. More details can be found here: CVE – CVE-2017-0148.
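As an added example (not code from the DefenseLead article), here is a Python validator and extractor for the CVE ID syntax described above, of the kind a ticketing or vulnerability-management pipeline would use to reject malformed identifiers before correlating them. It goes slightly beyond the article: it also applies the CVE program's own rule that the sequence part may begin with a zero only when it is exactly four digits long, and it treats the 1999 launch year as the earliest valid year. The sample advisory text and the ID CVE-2021-12345 are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# CVE prefix + four-digit year + sequence digits, as described in the article.
# Beyond the article: the sequence may start with 0 only when it is exactly four
# digits long (CVE-2017-0148 is valid, CVE-2017-00148 is not), and it has no upper bound.
_CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>0\d{3}|[1-9]\d{3,})$", re.IGNORECASE)
# Looser pattern for spotting candidates in free text; each hit is re-validated.
_CVE_IN_TEXT = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
CVE_FIRST_YEAR = 1999  # the CVE program launched in 1999

@dataclass(frozen=True)
class CveId:
    year: int      # year of public reporting, not of discovery
    sequence: int  # sequential number within that year

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence padded to at least 4 digits.
        return f"CVE-{self.year}-{self.sequence:04d}"

def parse_cve_id(raw: str) -> Optional[CveId]:
    """Return a CveId for a well-formed identifier, or None if it is malformed."""
    m = _CVE_RE.match(raw.strip())
    if not m:
        return None
    year = int(m.group("year"))
    if year < CVE_FIRST_YEAR:
        return None
    return CveId(year=year, sequence=int(m.group("seq")))

def normalize(raw: str) -> Optional[str]:
    """Canonical upper-case string for a valid ID (e.g. ' cve-2017-0148 ' -> 'CVE-2017-0148')."""
    parsed = parse_cve_id(raw)
    return str(parsed) if parsed else None

def extract_cve_ids(text: str) -> list[str]:
    """Return the canonical form of every valid CVE ID found in free text (an advisory,
    ticket or log line), de-duplicated and in order of first appearance."""
    seen: dict[str, None] = {}
    for m in _CVE_IN_TEXT.finditer(text):
        canon = normalize(m.group(0))
        if canon:
            seen.setdefault(canon, None)
    return list(seen)

# Constructed sample advisory text; CVE-2021-12345 is a made-up ID, not a real entry.
SAMPLE_ADVISORY = ("Patched cve-2017-0148 (again: CVE-2017-0148) and CVE-2021-12345; "
                   "CVE-2017-148 and CVE-1998-0001 are not valid identifiers.")
```

Calling `extract_cve_ids(SAMPLE_ADVISORY)` returns `['CVE-2017-0148', 'CVE-2021-12345']`: the lower-case and duplicate forms collapse to one canonical ID, and the three-digit and pre-1999 candidates are dropped.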

Every year thousands of new CVEs are issued, averaging about 10,000-15,000 annually. Large organizations and companies with many products and services account for a large share of these CVEs.

Number of published CVEs and reserved CVEs (not yet published) by year.

Image Source: here.

For example, the tech giants Microsoft and Oracle have each reported more than 7000 CVEs across their many product lines. In fact, the top 50 software companies account for more than half of the CVEs issued (Source: here).
