There’s a good chance you’ve heard “CVE”, which stands for Common Vulnerabilities and Exposures. CVEs get listed in a huge database that tracks known computer security issues. This provides easy access and reference. So, if you hear someone talking about a CVE – or a CVE record – that means that the security flaw is known and has already been cataloged.
The point of tracking CVEs is this: sharing and cataloging known security flaws allows cybersecurity folks to prioritize and deal with vulnerabilities while making cloud, code, and any other IT system more secure.
Basically, the CVE system provides a common language and reference point. But – and this is the big ‘but’ – bear in mind that my problem may not be your problem!
Who maintains the CVE database?
The MITRE corporation oversees the CVE system, and all CVE records are free for the public to search and use. The Cybersecurity and Infrastructure Security Agency (CISA) helps to provide funding. CVE entries are short and sweet – no deep technical data here. CVE entries also don’t comment on fixes, risks, and impacts. The nitty-gritty details are recorded in other databases. Some examples of those include the U.S. National Vulnerability Database (NVD) and CERT/CC Vulnerability Notes Database.
What does a CVE ID look like?
A CVE ID is like a serial number. When you look at a CVE entry, you'll see the CVE ID, which looks like this: "CVE-YYYY-#####".
What does a CVE record include?
A CVE record includes the following information:
Date Record Created
CVE records also include some legacy bits and bobs, which aren’t relevant for new entries: phase, votes, comments, proposed.
How do they find vulnerabilities and exposures?
Anyone can report them, from a tech company to a curious user. Some even offer rewards for finding and reporting these issues. If it's open-source software, it's all about community support.
Once a vulnerability is reported, a CNA gives it a CVE ID, writes a short description, and adds some references. Then, it's posted on the CVE website. Sometimes, they even get an ID before the issue goes public. Keeps the bad guys at bay.
Now, not every issue gets a CVE. Of course, there are rules! Three main criteria apply:
Independently fixable. This means the flaw is fixable, independent, and irrelevant to other bugs.
Acknowledged by the vendor. This means that the vendor acknowledges that the bug exists and that it could negatively affect security. Another option is to have a shared vulnerability report that includes a description of the bug’s negative impact and how it violates the system’s security policy.
Affects just one codebase. If it impacts more than one product, they get separate CVEs. The idea is to create CVE records in as much isolation as possible.
How can I find CVE records?
First of all, CVE information is free and available to the public. So, that’s good news.
The easiest way to find the newest CVEs is to follow @CVEnew on X. This feed is constantly updating with tweets about multiple new CVEs every day. Just yesterday I looked and there were over 80 new CVEs! If you follow, your feed will be full of them!
What about a more thorough way to find past CVE records? If you want all the records since 1999 or a particular year, or even search by topic, just go to CVE.org/Downloads. Bulk files are now in JSON 5.0 format and can be downloaded via a GitHub repository. (Note: the previous filing system will become unavailable on January 1, 2024.)
CVEdetails.com has an easy-to-use online version of the database - with daily updates!
How do you match your libraries to the right CVE?
When analyzing a vulnerability you want to retrieve the correct CVE. To make sure you have the right CVE, best practice is to check for the version number and package name. There are many tools, such as Trivy, that do this automatically for you. (Aikido leverages Trivy for some of this functionality.)
Common Vulnerability Scoring System - CVSS
The NVD and others use the Common Vulnerability Scoring System (CVSS), which determines the severity of a vulnerability or an exposure. It's like a report card for security issues, ranging from 0.0 (no big deal) to 10.0 (huge problem). So, each CVE entry has a CVSS score.
How is a CVSS score calculated?
The CVSS score is calculated with a formula based on vulnerability-based metrics. A CVSS score comes out of scores from these three areas: Base, Temporal, and Environmental. The Base score is obligatory and the starting point and has impact and exploitability subscores. Then, the Temporal score can be calculated from the Base. Next, the Environmental score can be calculated from the Temporal. These calculations lead to the overall CVSS score.
Something for formula geeks! Check out how the scoring system and CVSS calculator work. Find out what the calculations are and which precise metrics create each score. Attack vector! Attach complexity! Lots of fun!
What is the CVSS scoring scale?
The current (v3.1) CVSS scoring scale includes five categories:
This is easy! When you are in the online database each CVE record page has a link to the NVD’s CVSS score. Just click and go! For example, using CVE-2023-40033 from earlier in this post, when we click on “CVSS scores” (top right-hand corner of the record) we learn that this vulnerability has a score of 7.1 (High).
What is a CWE?
Common Weakness Enumeration, or CWE, is a list of common software and hardware weaknesses. CWE is a community-developed resource and provides standardization for the type and scope of weaknesses.
To quote MITRE, ‘the main goal of CWE is to stop vulnerabilities at the source ... to eliminate the most common mistakes before products are delivered.’ CWE also gives devs a framework for discussion and action against security threats while mapping to vulnerability databases (e.g. CVE).
How is that different from CVE? CWE focuses on the underlying weakness that might lead to a vulnerability. Meanwhile, CVE describes actual vulnerabilities. Like CVE, CWE also has severity scoring via CWSS and CWRAF.
What can I do to maintain a strong security posture?
Don’t blindly follow the CVSS scores to set your security priorities
Are all CVEs a problem for you? Nope. These are information, but like a lot of information, not all CVEs will be relevant to your context. And, even for those that may seem to be, there are plenty of situations where even CVEs with high CVSS scores may not be relevant or a risk to you:
Level of business impact: A vulnerability, despite having a high CVSS score, does not pose a significant risk to the organization's specific business operations, customer data, or critical system. Or, a risk assessment or other tool determines that other factors (e.g. a function isn’t reachable) outweigh the CVSS score in importance.
Unique Systems: When using custom or unique software, CVSS scores may not accurately reflect the actual risk associated with vulnerabilities in specific systems.
Resource limitations: You'd love to fix every high-scoring CVSS vulnerability, but you've got to be realistic. Prioritize before pouring tons of resources into something that's not cost-effective.
Already Covered: You may already have solid defenses in place. Even if a vulnerability scores high, you might decide it's not worth the hype if you've already got safeguards that keep it in check.
CWE awareness: Stay aware of CWEs that might affect what you are delivering.
Get a vulnerability scanner
There are also new platforms popping up that help you spot emerging trends – check out Fletch, which specializes in awareness speed and contextualizing threats. Nessus scans for over 59,000 CVEs. Nexpose uses its own scoring system which takes into account the age of the vulnerabilities and what sort of patches and remedies are already in place. Nmap and OpenVAS are open-source vulnerability scanners.
Meanwhile, why not test Aikido Security to monitor and improve your overall security posture, too? Try out Aikido for free!
Get ahead of the CurVE
The thing about CVEs is that they are about the PAST, i.e. vulnerabilities and exposures that have already happened. That means the bad actors sometimes have time to do damage before you have time to react. In addition to using a vulnerability scanner, make sure you take steps to manage your risk. These can include making sure patches are up to date and carrying out penetration tests.
TL;DR sec provides a good breakdown of the software supply chain and, more importantly, how to secure each stage.
Additionally, we like to keep Aikido users (free and paying) and our LinkedIn followers in the loop with relevant LI posts. For example, here’s a recent post we’ve put up about CVE-2023-4911 – the (not-so-funny) Looney Tunables bug.
Check your code for the most common exploits
Use the OWASP Top 10 and CIS compliance benchmarks to check your code. These standard tools help you deal with the most common weaknesses (OWASP) and baseline configurations for cybersecurity (CIS).