Feb 02, 2024 · 10 Min read

What is CVE and CVSS

CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed information security flaws.

Post

What is CVE

CVE stands for Common Vulnerabilities and Exposures. CVE is a centralized list used to identify, reference, and track security vulnerabilities found in computer software and hardware.

Each CVE has a unique identifier called a CVE ID, which typically consists of the year followed by a sequence number. For example, CVE-2024-12345. Each CVE ID refers to one or more security vulnerabilities found in a software or hardware product. Information related to these vulnerabilities, such as descriptions, impacts, and mitigation or resolution steps, is usually included in the CVE database.

The CVE database is managed by the Mitre Corporation, a nonprofit organization that collaborates with the international information security community to identify, describe, and address security vulnerabilities in software and hardware products.

The primary goal of CVE is to provide a standard way for information security organizations, security researchers, software vendors, and end users to communicate about security vulnerabilities found in various products. With this system in place, all parties can use the same reference when discussing specific vulnerabilities, making it easier to exchange information and collaborate in improving computer system security globally.

Severity CVE ( CVSS )

Severity in the context of CVE refers to the level of severity or seriousness of a security vulnerability. Typically, CVE severity is expressed on a scale that depicts the level of impact that can be caused by exploiting the vulnerability. Severity scales are commonly used to assist organizations and users in assessing the priority of mitigating and addressing vulnerabilities.

Post

Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. Scores range from 0 to 10, with 10 being the most severe. While many utilize only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in availability of mitigations and how widespread vulnerable systems are within an organization, respectively.

Some commonly used severity scales in the context of CVE include:

1. CVSS (Common Vulnerability Scoring System): CVSS is an industry standard used to assess the severity of security vulnerabilities. CVSS provides a numerical score based on various metrics, such as attack complexity, exploit success, vulnerability impact, and others. CVSS scores can range from 0 to 10, where higher scores indicate higher severity levels.

2. Severity Levels: Some organizations and vendors use their own severity level classifications, such as "Critical," "High," "Medium," and "Low." Typically, vulnerabilities with "Critical" or "High" severity levels are considered to have significant impacts and require immediate attention.

3. Vendor-specific Severity Ratings: Some software or hardware vendors may use their own severity scales to assess the severity of vulnerabilities in their products. This may vary from one vendor to another.

4. Impact Metrics: Some CVE entries also include information about the potential impacts of exploiting the vulnerability, such as unauthorized access to systems, potential for executing malicious code, or loss of sensitive data.

Assessing CVE severity is crucial as it helps organizations and users prioritize mitigation and remediation actions based on the severity level. By understanding the severity of a CVE, organizations can determine the most effective actions to reduce security risks associated with the vulnerability.

Web Database CVE

There are several websites that store CVE data and provide information related to security vulnerabilities. Some of them include:

1. NVD (National Vulnerability Database): NVD is the official database managed by the National Institute of Standards and Technology (NIST) in the United States. NVD provides access to comprehensive information about CVEs, including vulnerability descriptions, CVSS scores, and links to additional resources. The NVD website can be accessed at https://nvd.nist.gov/

2. MITRE CVE List: MITRE Corporation, the organization that manages CVEs, also provides access to the complete list of CVEs on their website. The MITRE CVE List website can be accessed at https://cve.mitre.org/

3. SecurityFocus: SecurityFocus is a platform that provides information about security vulnerabilities, including CVEs. This website has a list of CVEs that can be accessed at https://www.securityfocus.com/

Vendor Websites: Some software or hardware vendors also provide information about security vulnerabilities affecting their products on their official websites. This includes vendors such as Microsoft, Adobe, Cisco, and others.

These websites provide valuable information for information security professionals, system administrators, and end users who want to track and address security vulnerabilities in the systems and software they manage.