Common Vulnerabilities and Exposures
The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security. CVE is used by the Security Content Automation Protocol.

CVE Identifiers

MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly-known information security vulnerabilities. CVE identifiers have a status of either "entry" or "candidate". Entry status indicates acceptance of a CVE Identifier into the CVE List, while a status of "candidate" (for "candidates," "candidate numbers," or "CANs") indicates an identifier under review for inclusion in the list.

The same source describes the process of creating a CVE Identifier which:
  • begins with the discovery of a potential security vulnerability or exposure
  • adds to this information a (unique) CVE candidate number assigned by a CVE Candidate Numbering Authority (CNA), posted on the CVE Web site, and proposed to the Board by the CVE Editor


The MITRE Corporation functions as Editor and Primary CNA. The CVE Editorial Board (set up by MITRE) discusses the candidate and votes on whether or not it should become a CVE entry. If the Board rejects a candidate, the reason for rejection is noted in the Editorial Board Archives posted on the CVE Web site. If the Board accepts a candidate, its status is updated to "entry" on the CVE List. However, the assignment of a candidate number is not a guarantee that it will become an official CVE entry.

When investigating a vulnerability or potential vulnerability, it helps to acquire a CAN number early on. An entry is live once a number is assigned. However, until the go-public date is reached, the CAN number's entry will not provide any information; it will instead show a placeholder to indicate that the number is taken. The benefit of early CVE candidacy is that all future correspondence can refer to the CAN/CVE number.
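As an added example (not part of the encyclopedia text, nor MITRE's own tooling), the following Python helper pulls CVE and CAN references out of free-form text such as the correspondence mentioned above, normalises the legacy candidate spelling to the CVE form, and rejects malformed identifiers. It assumes the identifier syntax CVE-YYYY-NNNN (four-digit year, sequence number of at least four digits, leading zeros only within the four-digit minimum) and the legacy "CAN-" prefix once used for candidates; the article itself does not spell out either convention. The sample text and every identifier in it are constructed and make no claim about real CVE entries.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Identifier syntax (assumption, not stated in the article above):
#   prefix "CVE" (or the legacy candidate prefix "CAN")
#   + four-digit year + "-" + sequence number of four or more digits.
# Case-insensitive so that "cve-2004-0001" in an e-mail is still found.
_CVE_RE = re.compile(r"\b(CVE|CAN)-(\d{4})-(\d{4,})\b", re.IGNORECASE)


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int
    legacy_candidate: bool  # True when written with the old CAN- prefix

    def canonical(self) -> str:
        # Four-digit minimum with zero padding: sequence 1 -> "0001",
        # longer sequences are printed as-is (12345 -> "12345").
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(token: str, min_year: int = 1999, max_year: int = 2100) -> CveId:
    """Parse one identifier; raise ValueError if it is not well formed.

    The year bounds are an assumption chosen to catch obvious typos
    (CVE was launched in 1999; an upper bound guards against garbage).
    """
    m = _CVE_RE.fullmatch(token.strip())
    if m is None:
        raise ValueError(f"not a CVE/CAN identifier: {token!r}")
    prefix, year_s, seq_s = m.group(1).upper(), m.group(2), m.group(3)
    year = int(year_s)
    if not (min_year <= year <= max_year):
        raise ValueError(f"implausible year in {token!r}")
    if len(seq_s) > 4 and seq_s.startswith("0"):
        # Leading zeros are only part of the four-digit minimum padding;
        # "012345" would be ambiguous with "12345".
        raise ValueError(f"leading zero in long sequence number: {token!r}")
    return CveId(year=year, sequence=int(seq_s), legacy_candidate=(prefix == "CAN"))


def extract_cve_ids(text: str) -> list[CveId]:
    """Return the distinct, well-formed identifiers found in text, in order.

    A candidate (CAN-) and the same number written as CVE- refer to one
    identifier, so they are de-duplicated on (year, sequence); the first
    spelling seen decides the legacy_candidate flag.
    """
    found: list[CveId] = []
    seen: set[tuple[int, int]] = set()
    for m in _CVE_RE.finditer(text):
        try:
            cid = parse_cve_id(m.group(0))
        except ValueError:
            continue  # malformed reference: skip rather than mis-track it
        key = (cid.year, cid.sequence)
        if key not in seen:
            seen.add(key)
            found.append(cid)
    return found


# Constructed sample correspondence; the identifiers are invented, not real.
SAMPLE_TEXT = """\
Candidate CAN-2004-0001 was accepted last week; see cve-2004-0001 in the list.
We are also tracking CVE-2019-12345 and CVE-2019-012345 (malformed copy).
Ignore CVE-0000-1234 (typo) and CVE-2021-1 (too short to be an identifier).
"""


def canonical_ids(text: str) -> list[str]:
    """Convenience wrapper: canonical strings for the identifiers in text."""
    return [cid.canonical() for cid in extract_cve_ids(text)]


if __name__ == "__main__":
    for cid in extract_cve_ids(SAMPLE_TEXT):
        tag = "candidate spelling" if cid.legacy_candidate else "entry spelling"
        print(f"{cid.canonical()}  ({tag})")
```

Running the block on the constructed sample yields two identifiers: CVE-2004-0001, first seen with the legacy candidate prefix, and CVE-2019-12345; the malformed, typo'd and too-short references are dropped instead of being tracked under a wrong number, which is the failure mode worth guarding against when a ticket or advisory is indexed by identifier.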

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.