There are currently 212,492 vulnerabilities identified, categorized and publicly cataloged in the National Vulnerability Database (NVD), which NIST maintains on top of the CVE List, and that number continues to rise. Effective vulnerability management should include tracking and managing publicly disclosed CVEs so that known weaknesses are patched before attackers reach them.
What is a CVE?
The Common Vulnerabilities and Exposures (CVE) system, launched in 1999, provides a single public list of publicly known vulnerabilities and exposures, each with a unique identifier. The CVE List is maintained by the National Cybersecurity FFRDC, a Federally Funded Research and Development Center operated by the MITRE Corporation, and the CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security.
How Do CVE IDs Work?
Every entry in the CVE List carries a CVE Identifier of the form CVE-YYYY-NNNNN, where YYYY is the year the ID was reserved or the vulnerability was made public and NNNNN is a sequence number of four or more digits. These unique, common identifiers let vendors, researchers, scanners and advisories all refer to the same publicly known vulnerability without ambiguity. While vetting or reviewing suppliers, having the CVEs that affect their products helps you make educated decisions about that supplier.
There are three ways vulnerabilities can be assigned a CVE number:
1. The MITRE Corporation. MITRE operates the CVE Program, sets the rules that CVE Numbering Authorities (CNAs) follow, and acts as the CNA of Last Resort for vulnerabilities that fall outside every other CNA's scope. CNAs assign CVE IDs within their scope and publish the corresponding CVE Records.
2. Software vendor assignments. Many vendors are CNAs for their own products; for example, Microsoft assigns CVE IDs to vulnerabilities in its software. Some vendors also run bug bounty programs to encourage researchers to report flaws that then receive CVE IDs.
3. Third-party assignments. Third-party coordinators such as the CERT Coordination Center (CERT/CC) can assign CVE IDs when no vendor CNA is involved. It is important to assign a CVE ID as early as possible in the disclosure process: the ID serves as the tracking handle that all later documentation, patches and discussion can reference.
Which Types of Vulnerabilities Are Included?
The CVE system covers publicly released software, hardware and firmware. This includes finished versions of products but also pre-release versions and betas, provided they have been made public. Commercial products are included on the same terms; custom-built software used only inside one company is not considered publicly released and does not receive a CVE ID.
All entries in the CVE List use the same data fields. Each record has a standardized description briefly summarizing the nature of the vulnerability, a list of affected products and versions, and a references section containing URLs to advisories, patches and other material relevant to the issue. Think of the references as a "further reading" section.
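The following Python example, added here and not code from the original article or the CVE Program, validates the CVE ID format described above and pulls the standard fields (description, affected products, references) out of a record. The record is a constructed stand-in laid out in the shape of the CVE Program's JSON 5.x format as I understand it (an assumption); it reuses the CVE ID the article discusses later, but its description, versions and example.org URLs are placeholders, not the published record.

```python
import json
import re

# A CVE ID is "CVE-<year>-<sequence>": the sequence part is four or more digits
# (IDs are no longer capped at four digits) and the year cannot predate the
# program's launch in 1999.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def is_valid_cve_id(cve_id: str) -> bool:
    """Return True if cve_id is syntactically a CVE identifier."""
    match = CVE_ID_RE.match(cve_id)
    if not match:
        return False
    return int(match.group(1)) >= 1999


# Constructed record (assumption: illustrative stand-in, not the real published
# record). Only the fields the article names are populated.
SAMPLE_RECORD = json.loads("""
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-2023-38831", "state": "PUBLISHED"},
  "containers": {
    "cna": {
      "descriptions": [
        {"lang": "en", "value": "Placeholder description of an archive-handling flaw."}
      ],
      "affected": [
        {"vendor": "ExampleVendor", "product": "WinRAR",
         "versions": [
           {"version": "0", "lessThan": "6.23", "status": "affected", "versionType": "custom"}
         ]}
      ],
      "references": [
        {"url": "https://example.org/advisory", "tags": ["vendor-advisory"]},
        {"url": "https://example.org/patch", "tags": ["patch"]}
      ]
    }
  }
}
""")


def summarize_record(record: dict) -> dict:
    """Extract the fields a triage analyst reads first from a CVE JSON 5.x record.

    Rejects records whose ID is malformed, so a typo in an upstream feed
    surfaces as an error instead of an untracked entry.
    """
    meta = record["cveMetadata"]
    cna = record["containers"]["cna"]
    cve_id = meta["cveId"]
    if not is_valid_cve_id(cve_id):
        raise ValueError(f"malformed CVE ID: {cve_id}")

    # Prefer the English description; records may carry several languages.
    description = next(
        (d["value"] for d in cna.get("descriptions", []) if d.get("lang", "").startswith("en")),
        "",
    )

    affected = []
    for entry in cna.get("affected", []):
        ranges = []
        for v in entry.get("versions", []):
            if v.get("status") != "affected":
                continue  # "unaffected"/"unknown" rows are not actionable
            if "lessThan" in v:
                ranges.append(f"{v['version']} <= x < {v['lessThan']}")
            else:
                ranges.append(v.get("version", "?"))
        affected.append({"vendor": entry.get("vendor"), "product": entry.get("product"), "versions": ranges})

    references = [r["url"] for r in cna.get("references", [])]
    return {
        "id": cve_id,
        "state": meta.get("state"),
        "description": description,
        "affected": affected,
        "references": references,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_record(SAMPLE_RECORD), indent=2))
```

The version-range formatting follows the `version` / `lessThan` convention of the JSON 5.x `affected` array; feeds that encode ranges differently (for example CPE match strings from the NVD) need their own handling.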
What is the Common Vulnerability Scoring System?
A CVE ID itself carries no severity. Severity is expressed separately with the Common Vulnerability Scoring System (CVSS), a score from 0.0 to 10.0 that the NVD and many CNAs attach to a record. Under CVSS v3.x the qualitative bands are None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9) and Critical (9.0 to 10.0). The base score is derived from a vector string that records how the flaw is reached (attack vector, complexity, privileges and user interaction required) and what it impacts (confidentiality, integrity, availability, and whether the impact crosses into other components).
The Risks of Publicizing Vulnerabilities
Intuitively, it may seem like a bad idea to publicize information about security flaws. After all, the list is publicly available, which means attackers have access to it as well and could use it to pick targets that have not yet patched.
However, the cybersecurity community has gradually come to accept that the best path forward is transparency; in other words, it’s better to publicize the information related to vulnerabilities than it is to try and keep things hidden. There are risks and downsides to this approach, but the potential benefits far outweigh these risks and downsides.
One key point here is that it takes far longer for an organization to make efforts to patch or guard against a vulnerability than it takes for a hacker to exploit it. Therefore, it’s vital to circulate information about vulnerabilities as early and efficiently as possible.
It's also important to recognize that the CVE List only contains vulnerabilities that are already publicly known. Sufficiently skilled and resourced attackers typically learn of these flaws through the same advisories, patches and research, so the list itself gives them little additional advantage.
The Benefits of the CVE System
While there are risks to publishing CVEs, there are many benefits to the CVE system as well, including:
Centralized management of vulnerabilities
One of the biggest advantages is that the CVE List provides a single place where vulnerabilities can be tracked and reviewed, regardless of their point of origin. If your organization uses software from many different vendors, the CVE List gives you one identifier space for vulnerabilities in all of them, and tools such as scanners, advisories and the NVD all key off those same identifiers.
Because the MITRE Corporation sets and enforces the CVE Program's rules, IDs are assigned consistently across CNAs, and records that turn out to be duplicates or mistaken assignments are marked as rejected rather than left to muddle the list.
Common formatting and descriptions
Within the CVE List, all entries use the same data fields. Once you are accustomed to reading CVE records, review becomes faster, and because every record follows the same format you can compare vulnerabilities apples to apples.
Encouraged public sharing of knowledge
The very existence of the CVE system encourages the public sharing of information. When a company discovers a vulnerability in its published software, they’re incentivized to report that vulnerability. Many companies already have systems in place for identifying, cataloging and communicating information about vulnerabilities, but the CVE makes everything more streamlined—not to mention universal.
Research and better security
Of course, the most important benefit of the CVE is that it provides information about vulnerabilities and exposures to the people who need the information most—cybersecurity experts within organizations. You can use the CVE to research software products you’re considering for your business, proactively identify potential vulnerabilities and figure out solutions and workarounds before it’s too late.
Accessing the CVE List
MITRE makes the CVE List publicly available so you can access it at any time, for any purpose. You can download the full list from the CVE website or use its search to look up a specific CVE ID. Downloads have been offered in several formats, including CSV, HTML, text and XML, and the current records are also published in JSON format.
How Panorays Can Help Manage Your Third-Party Risk
Staying on top of the new CVEs that are discovered, cataloged and published every day is a critical responsibility of the security community. Panorays delivers visibility of CVEs related to your third parties’ external attack surface to identify and assess vulnerabilities in the extended supply chain. These external attack surface assessments work together with automated and customized security questionnaires to quickly evaluate your third-party security risk — handling the whole process from inherent to residual risk, remediation and ongoing monitoring.
Want to learn more about how to automate your third-party risk management? Get started with a Free Account today.
CVE stands for Common Vulnerabilities and Exposures. A CVE Record describes a weakness in software, hardware or a component that an attacker can exploit to gain unauthorized access to, or otherwise compromise, an organization's systems. Each record is published in the CVE List and is then enriched in the National Vulnerability Database with severity scores and product identifiers. A CVE Record includes a CVE identifier, a brief description of the vulnerability, the affected products and versions, and references to advisories and patches; severity and remediation guidance usually come from the references and from the NVD rather than from the record itself.
An example of a CVE is the WinRAR zero-day vulnerability CVE-2023-38831, which was exploited in the wild from April 2023. Attackers used it to deliver malware aimed at cryptocurrency and trading accounts. Users are strongly recommended to upgrade to WinRAR 6.23 or later to defend against these attacks.
CVEs are important because each one names a specific vulnerability that attackers could exploit. Cybersecurity professionals track and monitor CVEs with a variety of security tools, matching them against the software actually deployed, to close those weaknesses before attackers use them to gain unauthorized access to their network and infrastructure.