CVE stands for Common Vulnerabilities and Exposures, a program launched in 1999 by MITRE, a nonprofit that operates research and development centers sponsored by the federal government. Its purpose is to identify and catalog vulnerabilities in software or firmware in a free “dictionary” that organizations can use to improve their security.
According to the CVE website, a vulnerability is a mistake in software code that provides an attacker with direct access to a system or network. It could allow an attacker to pose as a super-user or system administrator with full access privileges.
An exposure is a mistake that gives an attacker indirect access to a system or network. It could allow an attacker to gather customer information that could be sold.
The dictionary’s main purpose is to standardize the way each known vulnerability or exposure is identified. Standard IDs allow security administrators to access technical information about a specific threat across multiple CVE-compatible information sources.
CVE is sponsored by US-CERT, within the Department of Homeland Security (DHS) Office of Cybersecurity and Information Assurance (OCSIA). MITRE maintains the CVE dictionary and public website. It also manages the CVE Compatibility Program, which promotes the use of standard CVE identifiers by authorized CVE Numbering Authorities (CNAs).
The following questions and answers are adapted from the CVE website and from Kurt Seifried, director at the Distributed Weakness Filing (DWF) project, senior software engineer for Red Hat Product Security and a CVE board member.
Is CVE just another vulnerability database?
No. CVE is designed to allow vulnerability databases and other capabilities to be linked together, and to facilitate the comparison of security tools and services. CVE only contains the standard identifier number with status indicator, a brief description and references to related vulnerability reports and advisories. It does not include risk, impact, fix or detailed technical information. The US National Vulnerability Database (NVD) does include fix, scoring, and other information for identifiers on the CVE List.
Can hackers use the CVE to break into networks?
The short answer is yes, but MITRE and the CVE board contend that the benefits of CVE outweigh the risks:
- CVE lists only publicly known vulnerabilities and exposures, which means skilled hackers likely know about them anyway.
- It takes much more work for an organization to protect its networks and fix all possible holes than it takes for a hacker to find a single vulnerability, exploit it, and compromise the network.
- There is growing agreement in the infosec community that sharing information is beneficial. This is reflected in the fact that the CVE Board and CNAs include key infosec organizations.