CVE (Common Vulnerabilities and Exposures) is a list of publicly known cybersecurity vulnerabilities and exposures that was created in 1999 by MITRE to help organizations share vulnerability information. CVE provides standardized identifiers for vulnerabilities to help security teams access information about threats from different sources. The goal of CVE is to improve cybersecurity by allowing for easier correlation of vulnerability data across organizations.

1. Common Vulnerabilities and
Exposures (CVE)
7/28/2021 (C) Dr. Jyoti Lakhani

2. Common Vulnerabilities and Exposures (CVE)
A list of publicly disclosed information security vulnerabilities
and exposures
CVE was launched in 1999 by the MITRE corporation to identify
and categorize vulnerabilities in software and firmware.
CVE provides a free dictionary for organizations to improve
their cyber security.
MITRE is a nonprofit that operates federally funded research and
development centers in the United States.
7/28/2021 (C) Dr. Jyoti Lakhani

3. Vulnerability
A vulnerability is a weakness which can be exploited in a cyber
attack to gain unauthorized access to or perform unauthorized
actions on a computer system. Vulnerabilities can allow attackers
to run code, access system memory, install different types of
malware and steal, destroy or modify sensitive data.
7/28/2021 (C) Dr. Jyoti Lakhani

4. Exposure
An exposure is a mistake that gives an attacker access to a system
or network. Exposures can lead to data breaches, data
leaks and personally identifiable information (PII) being sold on
the dark web. In fact, some of the biggest data breaches were
caused by accidental exposure rather than sophisticated cyber
attacks.
7/28/2021 (C) Dr. Jyoti Lakhani

5. Goal of CVE
The goal of CVE is to make it easier to share information about
known vulnerabilities across organizations.
CVE does this by creating a standardized identifier for a given
vulnerability or exposure. CVE identifiers or CVE names allow
security professionals to access information about
specific cyber threats across multiple information sources using
the same common name.
7/28/2021 (C) Dr. Jyoti Lakhani

6. Benefits of CVE
CVE allows organizations to set a baseline for evaluating the
coverage of their security tools. CVE's common identifiers allow
organizations to see what each tool covers and how appropriate
they are for your organization.
CVE means security advisories that can for vulnerabilities and
check for threats can use CVE information to search for known
attack signatures to identify particular vulnerability exploits as
part of any digital forensics process.
Look for security tools with CVE compatibility rather than
proprietary vulnerability assessments, it's a great way to reduce
your organization's cyber security risk.
7/28/2021 (C) Dr. Jyoti Lakhani

7. Who manages CVE?
MITRE maintains the CVE dictionary and CVE website, as well as
the CVE Compatibility Program. The CVE Compatibility Program
promotes the use of standard CVE identifiers issued by
authorized CVE numbering authorities (CNAs).
Who sponsors CVE?
CVE is sponsored by the U.S. Department of Homeland Security
(DHS) Cybersecurity and Infrastructure Security Agency (CISA)
and US-CERT.
7/28/2021 (C) Dr. Jyoti Lakhani

8. Can anyone use CVE?
Yes, CVE is free to use and publicly accessible. CVE is designed to
allow anyone to correlate data between different vulnerabilities,
security tools, repositories and services.
Anyone can search, download, copy, redistribute, reference and
analyze CVE as long as they don't modify any information.
7/28/2021 (C) Dr. Jyoti Lakhani

9. What is a CVE entry?
A CVE entry describes a known vulnerability or exposure.
Each CVE entry contains a standard identifier number with status
indicator (i.e. "CVE-1999-0067", "CVE-2014-12345", "CVE-2016-
7654321"), a brief description and references related vulnerability
reports and advisories.
Each CVE ID is formatted as CVE-YYYY-NNNNN. The YYYY portion
is the year the CVE ID was assigned or the year the vulnerability
was made public.
Unlike vulnerability databases, CVE entries do not include risk,
impact fix or other technical information.
7/28/2021 (C) Dr. Jyoti Lakhani

10. Is CVE a vulnerability database?
CVE isn't a vulnerability database. CVE is designed to allow
vulnerability databases and other tools to be linked together. It
also facilitates comparisons between security tools and services.
Check out the US National Vulnerability Database (NVD) that uses
the CVE list identifiers and includes fix information, scoring and
other information.
7/28/2021 (C) Dr. Jyoti Lakhani

11. Can hackers use CVE to attack my organization?
The short answer is yes but many cybersecurity professionals believe the
benefits of CVE outweigh the risks:
CVE is restricted to publicly known vulnerabilities and exposures.
It improves the shareability of vulnerabilities and exposures within the
cybersecurity community.
Organizations need to protect themselves and their networks by fixing all
potential vulnerabilities and exposures while an attacker only needs to find a
single vulnerability and exploit it to gain unauthorized access. This is why a list of
known vulnerabilities is so valuable and an important part of network security.
The growing agreement for the cybersecurity community to share information is
reducing the attack vector of many cyber attacks. This is reflected in widespread
acceptance that the CVE Board and CVE Numbering Authorities (CNAs) are key
organizations in cybersecurity.
As a concrete example, many believe the ransom ware WannaCry, which spread
through the EternalBlue vulnerability, would have had less impact if the
vulnerability was publicly shared.
7/28/2021 (C) Dr. Jyoti Lakhani

12. What is the CVE Board?
The CVE Board is comprised of cyber security organizations
including security tool vendors, academia, research institutions,
government departments and agencies, security experts and
end-users of vulnerability information.
The CVE Board provides critical input regarding data sources,
product coverage, coverage goals, operating structure and
strategic direction of the CVE program.
All CVE Board discussions can be found via their email discussion
archives and meeting archives. The CVE Board Character is also
publicly accessible.
7/28/2021 (C) Dr. Jyoti Lakhani

13. What are CNAs?
CVE Numbering Authorities (CNAs) are organizations that
identify and distribute CVE id numbers to researchers and
vendors for inclusion in public announcements of new
vulnerabilities. CNAs include software vendors, open source
projects, coordination centers, bug bounty service providers and
research groups.
CNAs are a federated systems that helps identify vulnerabilities
and assigns them an ID without directly involving MITRE which
is the primary CNA.
7/28/2021 (C) Dr. Jyoti Lakhani

14. Who are CNAs?
There are currently 104 CNAs in 18 countries including many
household names like Microsoft, Adobe, Apple, Cisco, Google,
Hewlett Packard Enterprise, Huawei, IBM, Intel, Mozilla,
Oracle, Red Hat, Siemens, Symantec, VMWare, Atlassian,
Autodesk, Cloudflare, Elastic, GitHub, Kubernetes, Netflix and
Salesforce.
What is a root CNA?
MITRE serves as the primary CNA while root CNAs cover a
certain area or niche.
In many cases, a root CNA is a major company like Apple who
posts vulnerabilities about its own products. In other cases, the
root CNA may be focused on open source vulnerabilities.
7/28/2021 (C) Dr. Jyoti Lakhani

15. Where is the latest version of the CVE list?
The latest version of the CVE list can always be found
on cve.mitre.org. While the CVE list is free, it can be hard to know
which vulnerabilities affect your organization without additional
tools. This is why many organizations now use tools that monitor
for changes in the CVE list that affect them.
New CVE identifiers are added daily.
Look for sophisticated tools that automatically monitor
you and your vendors for vulnerabilities. Managing third-party
risks and fourth-party risks is a fundamental part of information
risk management and your information security policy.
Make vulnerability management part of your vendor risk
management, third-party risk management framework and cyber
security risk assessment processes.
7/28/2021 (C) Dr. Jyoti Lakhani

16. How is a vulnerability or exposure added to CVE?
CVEs are added when a researcher finds a flaw or design oversight
in software or firmware. The vendor does not have to see it as a
vulnerability for it to be listed as a CVE. That said, the researcher
may be required to provide evidence of how it could be used as
part of an exploit.
The stronger the claim, the more likely it will be added to CVE and
the more likely it will have a high Common Vulnerability Scoring
System score in vulnerability databases.
Potential CVEs reported by established vendors or other trusted
parties will generally be added to the CVE list quickly.
7/28/2021 (C) Dr. Jyoti Lakhani

17. Does CVE list all known vulnerabilities and exposures?
CVE does not list all known vulnerabilities and exposures. The
goal of CVE is to be comprehensive and it is. Given the scale of
vulnerabilities and exposures, it's likely an impossible task for
one system to contain everything.
What is the Common Vulnerability Scoring System (CVSS)?
The Common Vulnerability Scoring System (CVSS) is a set of open
standards for assigning a number to a vulnerability to assess its
severity. CVSS scores are used by the NVD, CERT, UpGuard and
others to assess the impact of a vulnerability.
CVSS scores range from 0.0 to 10.0. The higher the number the
higher degree of severity.
7/28/2021 (C) Dr. Jyoti Lakhani