CVE stands for Common Vulnerabilities and Exposures; a CVE ID is a unique identifier assigned to one specific computer vulnerability. When someone refers to a CVE, they mean a security vulnerability that has been assigned a CVE ID, which acts as the unique name for that vulnerability. Most security advisories mention at least one CVE, and sometimes several, when they give the breakdown of a new vulnerability. CVE IDs are assigned by CVE Numbering Authorities (CNAs). There are over 100 CNAs; some of them are major IT vendors or security companies that are authorized to assign CVE IDs to products within their scope. Examples of CNAs include the MITRE Corporation, the Cybersecurity and Infrastructure Security Agency (CISA), Adobe, Apple and Google.
What’s in a CVE record?
Each CVE record comes with a set of information; the first item is the ID itself. A CVE ID consists of the prefix “CVE-”, four digits representing the year, and a further sequence of digits that makes the ID unique. So, for example, vulnerabilities disclosed in 2021 would look like this: “CVE-2021-12345, CVE-2021-12347, CVE-2021-23456”.
Next, the record usually has a description of the vulnerability or exposure, outlining things like how the vulnerability was discovered, what systems or software it affects, known exploits and their impact, vulnerable versions, and current mitigations. This is where security professionals find most of the information they are looking for.
The last component of a CVE record is usually its references. Each record contains references to the CVE’s source, identifiers that make it easier to search for on the internet, and any other important notes on the CVE.
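As an added example (not part of the original article), the following Python pulls CVE IDs out of advisory text using the ID syntax described above and parses each one into its year and sequence number. It assumes the sequence number is at least four digits and that no CVE predates 1999; the advisory text is constructed for illustration.

```python
import re
from dataclasses import dataclass

# CVE ID syntax as described above: "CVE-" prefix, a four-digit year, then a
# sequence number of at least four digits (longer sequences are allowed).
CVE_PATTERN = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

FIRST_CVE_YEAR = 1999  # assumption used as a sanity check: CVE began in 1999

@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    @property
    def canonical(self) -> str:
        # Upper-case prefix, sequence zero-padded to at least four digits
        return f"CVE-{self.year}-{self.sequence:04d}"

def parse_cve_id(text: str) -> CveId:
    """Parse one CVE ID string; raise ValueError if it is malformed."""
    m = CVE_PATTERN.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a well-formed CVE ID: {text!r}")
    year, seq = int(m.group(1)), int(m.group(2))
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"implausible CVE year {year} in {text!r}")
    return CveId(year, seq)

def extract_cve_ids(advisory_text: str) -> list[str]:
    """Return the unique CVE IDs in an advisory, canonicalised, in first-seen order."""
    seen: dict[str, None] = {}
    for m in CVE_PATTERN.finditer(advisory_text):
        try:
            cve = parse_cve_id(m.group(0))
        except ValueError:
            continue  # skip implausible IDs instead of aborting the whole scan
        seen.setdefault(cve.canonical, None)
    return list(seen)

# Constructed sample advisory text, not a real advisory.
SAMPLE_ADVISORY = """Security update: fixes cve-2021-12345 and CVE-2021-23456
(see also CVE-2021-12345). Related: CVE-2014-0160. The string CVE-21-1234
is not a valid ID and is ignored."""

if __name__ == "__main__":
    for cve_id in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve_id, parse_cve_id(cve_id))
```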
Why are CVEs important?
CVEs are a uniform way of identifying security vulnerabilities; by creating a common language, they let security researchers share information with one another and find information on specific vulnerabilities. CVE IDs also integrate with many tools; one example is QualysGuard, which lets you scan your environment based on CVE IDs. CVE IDs are used consistently within the industry, so it’s important to get familiar with the concept. Almost any security vulnerability will have an associated CVE ID that you can use to research the problem further.
CVE IDs are simply identifiers (almost like names) for specific security vulnerabilities. They are assigned by the CNA that oversees the affected product, and by researching a CVE ID you can find a lot of information about the vulnerability and how to mitigate it in your company’s environment. CVEs are very commonly used within cybersecurity to communicate security vulnerabilities, and they are also integrated into security software so that you can scan for the associated vulnerability by entering the CVE ID.