Common Vulnerabilities and Exposures (CVE) is a standardized list of vulnerabilities and security risks of computer systems. Thanks to the unique naming, the exchange of data about vulnerabilities and security risks is simplified. Sequential numbers uniquely identify the various entries.
What is CVE?
The acronym CVE stands for Common Vulnerabilities and Exposures. It is a standard that clearly names vulnerabilities and security risks of computer systems and lists them in a generally accessible directory. The aim is to simplify the exchange of data on vulnerabilities between different manufacturers, for example, and to enable unique identification. IPS or IDS systems can use the CVE directory in their vulnerability management.
Basically, the directory distinguishes between security holes, vulnerabilities, and exposures. While security gaps are caused by an error in the code and allow direct access to a system, an exposure allows indirect access and, for example, the copying of customer data or the unauthorized acquisition of further rights. The CVEs are maintained by the so-called CVE Editorial Board.
Members are representatives of security organizations, academic institutions, vendors, and security experts. The moderator on the Editorial Board is the nonprofit MITRE Corporation, which is supported by the U.S. government. MITRE also manages the website. CVE numbers have been assigned since 1999.
Aims of the Common Vulnerabilities and Exposures
The main goal of Common Vulnerabilities and Exposures is to uniquely name known vulnerabilities or exposures to provide administrators or vendors with quick access to threat information. The unique numbers allow quick access to additional CVE-compliant sources of information. Common Vulnerabilities and Exposures facilitate searches in other databases and allow data to be shared between vendors with their various security tools.
The syntax of CVEs
CVE names, also called CVE IDs or just CVEs, are structured according to a well-defined syntax. Each name contains the following information:
- Unique identification number, for example, CVE-1999-0050
- Status “Entry” or “Candidate
- Brief description of the vulnerability or exposure
- Appropriate references
Continuous identification numbers were initially four digits long with leading zeros. Now the format allows any number of digits (but at least four).
The different states of the CVE
CVEs distinguish the two statuses “Entry” and “Candidate” (entry or candidate). The Entry status indicates that the ID is accepted by the Common Vulnerabilities and Exposures list. An entry with Candidate status is under observation and has not yet been officially added to the list. It is still under review to determine if it will be added to the list.
Importance of CVE compatibility
Databases, security tools, or websites may be CVE compatible. Compatibility states that CVE IDs are used correctly and according to the syntax to associate them with other information. This ensures that compatible services and applications can exchange information with each other. The four minimum requirements for compatibility are:
- Vulnerabilities and associated information are discoverable under the CVE ID
- Information provided uses CVE names
- Documentation includes descriptions of compatibility and information on how the information provided is usable by other services or products
- Owner of a repository has ensured accurate mapping to specific CVE versions.