CVE Vulnerabilities: All You Ever Wanted to Know About


What is the CVE?

Common Vulnerabilities and Exposures (CVE) is a catalog of publicly disclosed security vulnerabilities and exposures in released software, sponsored by the US Department of Homeland Security and maintained by the MITRE Corporation. Each entry gets a unique identifier, a short description and references to the disclosing advisory. CVE is also one of the component specifications of the Security Content Automation Protocol (SCAP): SCAP-based tools name the vulnerabilities they report by CVE ID, so a scanner, a vendor advisory and a bug tracker can all refer to the same flaw by the same name.

MITRE assigns the ID when the entry is reserved and publishes the entry once it has been documented. The National Vulnerability Database (NVD), run by NIST, picks up each published CVE, typically within days, and adds its own analysis: a CVSS severity score, affected-product identifiers (CPE) and a weakness classification (CWE).

MITRE defines the CVE list as a glossary or dictionary of publicly known vulnerabilities and exposures rather than a database, and it is intended to serve as an industry baseline for communicating about a given vulnerability. In MITRE's vision, CVE is the standard by which disparate security advisories, bug trackers and vulnerability databases obtain a uniform baseline with which to "speak" to each other, so that everyone discussing the same vulnerability does so in a "common language".

CVE Identifiers

Every new CVE entry receives a unique ID of the form CVE-YYYY-NNNN: the prefix CVE, the four-digit year in which the ID was reserved or the entry was published (not necessarily the year the vulnerability was discovered), and a sequence number of at least four digits. Since the 2014 syntax change the sequence number may be longer than four digits, so both CVE-2018-0001 and CVE-2017-123456 are well-formed identifiers.

How do CVE vulnerabilities get their number?

CVE numbers are assigned by MITRE, but MITRE is not the only source. Organizations authorized as CVE Numbering Authorities (CNAs) assign IDs to vulnerabilities within their own scope, typically flaws in their own products. As of December 2018, 93 organizations were authorized to act as CNAs, including Adobe, Apple, Cisco, Linux, Google, HP, IBM, Microsoft, Mozilla, Oracle and Red Hat. The CERT Coordination Center (CERT/CC), which coordinates vulnerability disclosure across vendors, is also a CNA and assigns IDs for issues reported to it.

Beyond their unique ID, each CVE receives an entry date.

This is a Security Bloggers Network syndicated blog post from Blog – WhiteSource, authored by Anat Richter.