Common Vulnerabilities and Exposures (CVE)
What Are Common Vulnerabilities and Exposures (CVEs)?
What Should I Know About CVEs?
- Publicly accessible catalog: CVEs are maintained by the MITRE Corporation and are available to the public.
- Standardized IDs: Each vulnerability gets a unique CVE ID (e.g., CVE-2024-12345).
- Information hub: CVEs provide a brief description of the vulnerability, references to related reports and advisories, and information about the affected software or hardware.
- Focus on vulnerability details: CVEs focus on the vulnerability itself, not the severity, impact, or fixes.
Vulnerability Assessments
A great way to discover some of the unique vulnerabilities that small and medium-sized businesses (SMBs) face is to get a vulnerability scan. Such scans are fast, easy, and affordable, and can be ordered with little effort.
Why are CVEs important?
- Facilitates communication: CVE IDs provide a common language for security professionals to discuss and share information about vulnerabilities.
- Prioritizes fixes: Because each CVE ID anchors the severity and impact information published about a vulnerability, CVEs help organizations decide which vulnerabilities are most important to fix.
- Enables vulnerability management: CVEs are used by security tools and services to scan for vulnerabilities, generate alerts, and manage patches.
How do CVEs work?
- CVE Numbering Authorities (CNAs): CNAs are organizations authorized to assign CVE IDs.
- Bug bounty programs: Many companies offer rewards for reporting vulnerabilities, which can lead to CVE assignment.
- Reporting and submission: When a new vulnerability is identified, it’s submitted to a CNA for review and evaluation.
- CVE record creation: The CNA then creates a CVE record, which includes details about the vulnerability, affected products, and references.
- Public release: The CVE record is then made publicly available on the CVE list.
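The two mechanical pieces of the workflow above, the standardized ID format from the "What Should I Know" list and the record fields (description, affected products, references) that a CNA publishes, are shown below as an added example that is not part of this knowledge base article or the CVE Program's own tooling. It validates and normalizes CVE IDs against the official syntax (`CVE-` + four-digit year + `-` + four or more digits), pulls every ID out of a block of advisory text, and summarizes a sample record. The sample record is constructed for illustration; its layout is an assumption that mirrors the main field names of the CVE Program's JSON record format (`cveMetadata`, `containers.cna`), and the values describe no real vulnerability.

```python
import re
from dataclasses import dataclass

# Official CVE ID syntax: "CVE-", a 4-digit year, "-", and 4 or more digits.
# Sequence numbers are no longer capped at four digits, hence {4,}.
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")
# Same syntax, bounded by \b, for finding IDs embedded in free text.
CVE_FIND_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def canonical(self) -> str:
        """Re-emit the ID in its normalized form (sequence zero-padded to 4 digits)."""
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Validate a CVE identifier and split it into year and sequence number.

    Rejects anything that does not match the official syntax, so a malformed
    ID from user input or a scraped advisory is never used as a lookup key.
    """
    m = CVE_ID_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not a valid CVE ID: {text!r}")
    return CveId(int(m.group("year")), int(m.group("seq")))


def is_valid_cve_id(text: str) -> bool:
    try:
        parse_cve_id(text)
        return True
    except ValueError:
        return False


def extract_cve_ids(text: str) -> list:
    """Return the distinct CVE IDs mentioned in free text, in order of first appearance."""
    seen, found = set(), []
    for m in CVE_FIND_RE.finditer(text):
        cid = m.group(0).upper()
        if cid not in seen:
            seen.add(cid)
            found.append(cid)
    return found


# Constructed sample record (assumed layout, invented values; not a real CVE).
SAMPLE_RECORD = {
    "cveMetadata": {"cveId": "CVE-2024-12345", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "descriptions": [
                {"lang": "en", "value": "Example description of a vulnerability."}
            ],
            "affected": [
                {
                    "vendor": "ExampleVendor",
                    "product": "ExampleProduct",
                    "versions": [{"version": "1.0", "status": "affected"}],
                }
            ],
            "references": [{"url": "https://example.invalid/advisory"}],
        }
    },
}

# Constructed advisory text: one duplicate in different case, one malformed ID.
SAMPLE_ADVISORY = (
    "This release fixes CVE-2024-12345 (also reported as cve-2024-12345) "
    "and CVE-2023-0001. The string CVE-24-1 is not a valid identifier."
)


def summarize_record(record: dict) -> dict:
    """Extract the 'information hub' fields: ID, description, affected products, references."""
    cve = parse_cve_id(record["cveMetadata"]["cveId"])
    cna = record["containers"]["cna"]
    description = next(
        (d["value"] for d in cna.get("descriptions", []) if d.get("lang", "").startswith("en")),
        "",
    )
    return {
        "id": cve.canonical(),
        "year": cve.year,
        "description": description,
        "affected": [f"{a['vendor']} {a['product']}" for a in cna.get("affected", [])],
        "references": [r["url"] for r in cna.get("references", [])],
    }


if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_ADVISORY))
    print(summarize_record(SAMPLE_RECORD))
```

Normalizing to the canonical form before using an ID as a key matters in practice: scanners, ticketing systems and advisories frequently differ in case or padding, and an unnormalized key silently splits one vulnerability into several records.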
Definitions:
A dictionary of common names for publicly known information system vulnerabilities.
SOURCE: SP 800-51; CNSSI-4009
An SCAP specification that provides unique, common names for publicly known information system vulnerabilities.
SOURCE: SP 800-128