Common Vulnerabilities and Exposures (CVE): Overview

High-level overview of Common Vulnerabilities and Exposures (CVE).

MITRE (https://cve.mitre.org/) is a nonprofit research center sponsored by the federal government to identify and catalog vulnerabilities in software and firmware. Common Vulnerabilities and Exposures (CVE) is a program run by MITRE since 1999 that assigns unique, common identifiers to publicly known information-security vulnerabilities in publicly released software packages. A vulnerability, in this context, is a flaw in software code that can give an attacker access to a system or network.

The National Vulnerability Database (NVD; https://nvd.nist.gov/) lists these CVEs with Common Vulnerability Scoring System (CVSS) scores applied, a scale of one to ten that ranks vulnerability severity. Because the vulnerabilities are catalogued in a standardized way, technical information about a specific issue is easier to find and access. Vulnerability scanners generally apply CVSS scores to vulnerabilities as they surface.

CVE standard nomenclature looks something like this: CVE-2016-5595. This breaks down into the CVE prefix, the year the vulnerability was discovered, and the sequence number assigned within that particular year. In the NVD, the CVSS score will range from one to ten (with 10 being the most severe). Details can be vague depending on the source of the information. That is where RiskSense excels at prioritization and CVE resolution management.
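As an added illustration of the identifier format and scoring just described (example code written for this overview, not RiskSense's or MITRE's own), the following parses and validates CVE IDs, maps CVSS v3.x base scores to NVD's published severity labels (which cover the full 0.0 to 10.0 range), and ranks a small scanner export worst-first. The sample findings are constructed; only CVE-2016-5595 comes from the text above.

```python
import re

# CVE identifier syntax: "CVE-" + four-digit year + "-" + sequence number of
# at least four digits (any length since the 2014 syntax change).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# NVD's qualitative rating bands for CVSS v3.x base scores: (upper bound, label).
SEVERITY_BANDS = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"),
                  (8.9, "High"), (10.0, "Critical")]

def parse_cve_id(raw: str):
    """Normalise and validate a CVE ID; return (canonical text, year, sequence)."""
    text = raw.strip().upper()
    m = CVE_ID_RE.match(text)
    if not m:
        raise ValueError(f"not a valid CVE identifier: {raw!r}")
    # Year is when the ID was assigned, not necessarily when the flaw was found;
    # the sequence stays a string so leading zeros (e.g. 0042) survive.
    return text, int(m.group(1)), m.group(2)

def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score (0.0-10.0) to its NVD severity label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return next(label for bound, label in SEVERITY_BANDS if score <= bound)

def triage(findings):
    """Validate each record, attach a severity label and rank worst-first.
    Malformed IDs are returned separately rather than silently dropped."""
    ranked, rejected = [], []
    for f in findings:
        try:
            text, year, _ = parse_cve_id(f["id"])
        except ValueError as err:
            rejected.append((f["id"], str(err)))
            continue
        ranked.append({"id": text, "year": year, "cvss": f["cvss"],
                       "severity": cvss_severity(f["cvss"])})
    ranked.sort(key=lambda r: r["cvss"], reverse=True)
    return ranked, rejected

# Constructed sample export: only CVE-2016-5595 comes from the page; the rest are
# made up to exercise the longer post-2014 sequence form and two malformed IDs.
SAMPLE_FINDINGS = [
    {"id": "cve-2016-5595", "cvss": 7.5},
    {"id": "CVE-2020-123456", "cvss": 9.8},
    {"id": "CVE-16-5595", "cvss": 5.0},    # two-digit year: invalid
    {"id": "CVE-2019-042", "cvss": 3.1},   # three-digit sequence: invalid
]
```

Calling `triage(SAMPLE_FINDINGS)` returns the two valid records ranked Critical then High, plus the two malformed IDs with the reason each was rejected, so a broken export is visible rather than quietly shrinking the fix list.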