Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a list of computer security flaws ranked on critical measures to aid individuals and companies with assessing the risk posed by the vulnerability or exposure to yourself. When someone refers to a CVE, you can easily find the vulnerability by searching, and you can easily ascertain the criticality of the risk to your organization due to the structured, consistent review and documenting of the vulnerability or exposure in a consistent fashion. Security warnings issued by vendors or researchers almost always mention at least one CVE ID. 

CVE entries are brief, they don’t include technical data, or information about potential impacts or the fixes themselves. Those details appear in other databases, including the U.S. National Vulnerability Database (NVD), the CERT/CC Vulnerability Notes Database, and additional lists controlled by the vendor in question or other cybersecurity organizations. Across these different systems, CVE IDs give users a reliable way to understand unique security flaws in a repeatable fashion.

A related standard for ranking the criticality of a CVE is found in the Common Vulnerability Scoring System (CVSS), a set of open standards for assigning a number to a vulnerability to assess its severity. CVSS scores are listed in CVE, NVD, and CERT advisories. Scores range from 0.0 to 10.0, with higher numbers representing a higher degree of severity of the vulnerability. Many security vendors have created their own scoring systems, as well.

The CVE is managed by the MITRE Corporation, which’s funded by the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security.