
The CVE database explained

Cybersecurity defense specialists need to agree on their terminology so they can collaborate to combat threats. We need to speak the same language, and that is why we need the CVE database.

December 12, 2019

5 min read


What is CVE?

CVE stands for Common Vulnerabilities and Exposures. It is a publicly available catalog of known computer security vulnerabilities and system flaws that can be used to hack devices, systems or programs. Each entry includes the CVE details: a unique serial ID number, a brief description, and at least one public reference. The entries can be accessed through the CVE website.

CVE Numbering Authorities (CNAs) are the organizations that assign CVE IDs to vulnerabilities. There are about 100 CNAs, including IT corporations, research institutions and security organizations. The whole process is overseen by a non-profit CNA, the Mitre Corporation, which manages government-funded research and development centres. Mitre is sponsored by the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

Any entity can identify a vulnerability, but it must report it to a CNA, because only a CNA can assign a CVE identifier. After receiving a vulnerability report, the CNA evaluates it, assigns an ID number and lists it as a CVE. The list only includes solved security issues, so that hackers cannot use it to find new loopholes to exploit.

Once an entry is listed, the National Vulnerability Database (NVD) evaluates its severity and assigns it a severity index, the CVE Severity Analysis or CVSS score. This indicates how severe a CVE is on a scale from 0 to 10. The evaluation considers the complexity of the attack, the difficulty of the solution, the systems affected, and so on. You can access the list on the NVD's website.

CVE entries can have different statuses:

  • Reserved means that the entry is in use by a CNA, but its details are not yet in the system;
  • Disputed means that the interested parties (for example a CNA and MITRE, or parties within a CNA) disagree about whether an entry qualifies as a CVE;
  • Reject indicates that an entry was rejected or withdrawn, for example because of an incorrect assignment or an administrative issue. You should ignore such entries.

CNAs constantly update the CVE list, as new vulnerabilities emerge daily. Even so, there are probably still unreported risks, or ones that are only included in other lists.
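As an added example (not part of the original article), the Python below turns the entry structure, statuses and 0-10 CVSS range described above into a simple feed-triage filter: it validates the CVE-YYYY-NNNN identifier syntax, drops Reject entries and bare Reserved ones, and orders what remains by score. The "Published" status label, the sample records and their URLs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# CVE identifiers are "CVE-<year>-<sequence>", with a sequence of at least four digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

@dataclass
class CveRecord:
    cve_id: str
    status: str            # "Published" (label assumed here), "Reserved", "Disputed" or "Reject"
    description: str
    references: List[str]
    cvss: Optional[float]  # NVD score on the 0-10 scale, or None if not yet scored

def is_valid_cve_id(cve_id: str) -> bool:
    """True if the identifier follows the CVE-YYYY-NNNN (4+ digit) syntax."""
    return CVE_ID_RE.match(cve_id) is not None

def is_actionable(rec: CveRecord) -> bool:
    """Keep entries a defender can act on: a valid ID, not a rejected entry,
    and not a bare reservation whose details are not yet in the system."""
    if not is_valid_cve_id(rec.cve_id):
        return False
    if rec.status in ("Reject", "Reserved"):
        return False
    # A complete entry carries a description and at least one public reference.
    return bool(rec.description) and len(rec.references) > 0

def triage(records: List[CveRecord], min_cvss: float = 0.0) -> List[str]:
    """IDs of actionable entries scoring at least min_cvss, most severe first.
    Unscored entries cannot be ruled out, so they are kept but sorted last."""
    kept = [r for r in records
            if is_actionable(r) and (r.cvss is None or r.cvss >= min_cvss)]
    kept.sort(key=lambda r: (r.cvss is None, -(r.cvss or 0.0), r.cve_id))
    return [r.cve_id for r in kept]

# Constructed sample feed: IDs, scores, text and URLs are made up for this example.
SAMPLE_FEED = [
    CveRecord("CVE-2019-0001", "Published", "Overflow in example service", ["https://example.test/a1"], 9.8),
    CveRecord("CVE-2019-0002", "Reserved", "", [], None),
    CveRecord("CVE-2019-0003", "Reject", "Duplicate of CVE-2019-0001", ["https://example.test/a1"], 9.8),
    CveRecord("CVE-2019-0004", "Disputed", "Vendor disputes impact", ["https://example.test/a4"], 5.3),
    CveRecord("CVE-2019-0005", "Published", "Not yet scored by NVD", ["https://example.test/a5"], None),
    CveRecord("CVE-19-6", "Published", "Malformed identifier", ["https://example.test/a6"], 7.5),
]

if __name__ == "__main__":
    print(triage(SAMPLE_FEED, min_cvss=4.0))  # ['CVE-2019-0001', 'CVE-2019-0004', 'CVE-2019-0005']
```

Disputed entries are deliberately kept: until the dispute is settled they may still describe a real exposure, so they belong in the review queue rather than the bin.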

Why do we need CVE?

  • Organizations can identify the listed security flaws relevant to them, learn about them, and strengthen their security systems accordingly;
  • It makes communication easier: you can simply refer to a problem by its ID number. Other databases also benefit, as they can use the same standardized terminology;
  • CVE IDs are widely used by companies, security organizations and databases when referring to cybersecurity-related products and services. With a CVE identifier, you can find information about a particular vulnerability more quickly and easily.

Paulius Ilevičius

Paulius Ilevičius is a technology and art enthusiast who is always eager to explore the most up-to-date issues in cybersec and internet freedom. He is always in search of new and unexplored angles to share with his readers.