Common Vulnerabilities and Exposures
The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The United States' National Cybersecurity FFRDC, operated by The Mitre Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security. The system was officially launched for the public in September 1999.
A vulnerability is a weakness in a piece of computer software which can be used to access things one should not be able to gain access to. For example, software which processes credit cards should not allow people to read the credit card numbers it processes, but hackers might use a vulnerability to steal credit card numbers. Talking about one specific vulnerability is hard because there are many pieces of software, sometimes with many vulnerabilities. CVE Identifiers give each vulnerability one different name, so people can talk about specific vulnerabilities by using their names.
MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly known information-security vulnerabilities in publicly released software packages. Historically, CVE identifiers had a status of "candidate" ("CAN-") and could then be promoted to entries ("CVE-"), however this practice was ended in 2005 and all identifiers are now assigned as CVEs. The assignment of a CVE number is not a guarantee that it will become an official CVE entry (e.g. a CVE may be improperly assigned to an issue which is not a security vulnerability, or which duplicates an existing entry).
CVEs are assigned by a CVE Numbering Authority (CNA). While some vendors acted as a CNA before, the name and designation was not created until February 1, 2005. there are three primary types of CVE number assignments:
- The Mitre Corporation functions as Editor and Primary CNA
- Various CNAs assign CVE numbers for their own products (e.g. Microsoft, Oracle, HP, Red Hat, etc.)
- A third-party coordinator such as CERT Coordination Center may assign CVE numbers for products not covered by other CNAs
When investigating a vulnerability or potential vulnerability it helps to acquire a CVE number early on. CVE numbers may not appear in the MITRE or NVD CVE databases for some time (days, weeks, months or potentially years) due to issues that are embargoed (the CVE number has been assigned but the issue has not been made public), or in cases where the entry is not researched and written up by MITRE due to resource issues. The benefit of early CVE candidacy is that all future correspondence can refer to the CVE number. Information on getting CVE identifiers for issues with open source projects is available from Red Hat and GitHub
CVEs are for software that has been publicly released; this can include betas and other pre-release versions if they are widely used. Commercial software is included in the "publicly released" category, however custom-built software that is not distributed would generally not be given a CVE. Additionally services (e.g. a Web-based email provider) are not assigned CVEs for vulnerabilities found in the service (e.g. an XSS vulnerability) unless the issue exists in an underlying software product that is publicly distributed.
CVE data fields
The CVE database contains several fields:
This is a standardized text description of the issue(s). One common entry is:
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
This means that the entry number has been reserved by Mitre for an issue or a CNA has reserved the number. So in the case where a CNA requests a block of CVE numbers in advance (e.g. Red Hat currently requests CVEs in blocks of 500), the CVE number will be marked as reserved even though the CVE itself may not be assigned by the CNA for some time. Until the CVE is assigned, Mitre is made aware of it (i.e., the embargo passes and the issue is made public), and Mitre has researched the issue and written a description of it, entries will show up as "** RESERVED **".
This is a list of URLs and other information
Record Creation Date
This is the date the entry was created. For CVEs assigned directly by Mitre, this is the date Mitre created the CVE entry. For CVEs assigned by CNAs (e.g. Microsoft, Oracle, HP, Red Hat, etc.) this is also the date that was created by Mitre, not by the CNA. The case where a CNA requests a block of CVE numbers in advance (e.g. Red Hat currently requests CVEs in blocks of 500) the entry date that CVE is assigned to the CNA.
The following fields were previously used in older CVE records, but are no longer used.
- Phase: The phase the CVE is in (e.g. CAN, CVE).
- Votes: Previously board members would vote yea or nay on whether or not the CAN should be accepted and turned into a CVE.
- Comments: Comments on the issue.
- Proposed: When the issue was first proposed.
Changes to syntax
In order to support CVE ID's beyond CVE-YEAR-9999 (aka the CVE10k problem) a change was made to the CVE syntax in 2014 and took effect on Jan 13, 2015.
The new CVE-ID syntax is variable length and includes:
CVE prefix + Year + Arbitrary Digits
NOTE: The variable length arbitrary digits will begin at four fixed digits and expand with arbitrary digits only when needed in a calendar year, for example, CVE-YYYY-NNNN and if needed CVE-YYYY-NNNNN, CVE-YYYY-NNNNNN, and so on. This also means there will be no changes needed to previously assigned CVE-IDs, which all include a minimum of four digits.
CVE SPLIT and MERGE
CVE attempts to assign one CVE per security issue, however in many cases this would lead to an extremely large number of CVEs (e.g. where several dozen cross-site scripting vulnerabilities are found in a PHP application due to lack of use of
htmlspecialchars() or the insecure creation of files in
To deal with this, there are guidelines (subject to change) that cover the splitting and merging of issues into distinct CVE numbers. As a general guideline one should first consider issues to be merged, then issues should be split by the type of vulnerability (e.g. buffer overflow vs. stack overflow), then by the software version affected (e.g. if one issue affects version 1.3.4 through 2.5.4 and the other affects 1.3.4 through 2.5.8 they would be SPLIT) and then by the reporter of the issue (e.g. Alice reports one issue and Bob reports another issue the issues would be SPLIT into separate CVE numbers).
Another example is Alice reports a /tmp file creation vulnerability in version 1.2.3 and earlier of ExampleSoft web browser, in addition to this issue several other
/tmp file creation issues are found, in some cases this may be considered as two reporters (and thus SPLIT into two separate CVEs, or if Alice works for ExampleSoft and an ExampleSoft internal team finds the rest it may be MERGE'ed into a single CVE). Conversely, issues can be merged, e.g. if Bob finds 145 XSS vulnerabilities in ExamplePlugin for ExampleFrameWork regardless of the versions affected and so on they may be merged into a single CVE.
Search CVE identifiers
CVE identifiers are intended for use with respect to identifying vulnerabilities:
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.
Users who have been assigned a CVE identifier for a vulnerability are encouraged to ensure that they place the identifier in any related security reports, web pages, emails, and so on.
CVE assignment issues
Per section 7.1 of the CNA Rules, a vendor which received a report about a security vulnerability has full discretion in regards to it. This can lead to a conflict of interest as a vendor may attempt to leave flaws unpatched by denying a CVE assignment at first place – a decision which Mitre can't reverse.
- Wu, Xiaoxue; Zheng, Wei; Chen, Xiang; Wang, Fang; Mu, Dejun (2020). "CVE-assisted large-scale security bug report dataset construction method". Journal of Systems and Software. 160: 110456. doi:10.1016/j.jss.2019.110456.
- "CVE – Common Vulnerabilities and Exposures". Mitre Corporation. 2007-07-03. Retrieved 2009-06-18.
CVE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.
- "CVE - History". cve.mitre.org. Retrieved 25 March 2020.
- cve.mitre.org. CVE International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures.
- "CVE - Frequently Asked Questions". cve.mitre.org. Retrieved 2021-09-01.
- Kouns, Jake (August 16, 2009). "Reviewing(4) CVE". OSVDB: Everything is Vulnerable. Archived from the original on 2021-09-01. Retrieved September 1, 2021.
- "CVE - CVE Numbering Authorities". Mitre Corporation. 2015-02-01. Retrieved 2015-11-15.
- "CVE - CVE Blog "Our CVE Story: Ancient History of the CVE Program – Did the Microsoft Security Response Center have Precognition?" (guest author)". cve.mitre.org. Retrieved 2021-09-17.
"CVE OpenSource Request HOWTO". Red Hat Inc. 2016-11-14. Retrieved 2019-05-29.
There are several ways to make a request depending on what your requirements are:
"About GitHub Security Advisories". GitHub Inc. Retrieved 2021-12-23.
GitHub Security Advisories builds upon the foundation of the Common Vulnerabilities and Exposures (CVE) list
- "CVE - CVE ID Syntax Change". cve.mitre.org. September 13, 2016.
- CVE Abstraction Content Decisions: Rationale and Application
- "CVE - About CVE". cve.mitre.org. Retrieved 2015-07-28.
- "CVE - CVE Numbering Authority (CNA) Rules".
- Official website
- National Vulnerability Database (NVD)
- Common Configuration Enumeration (CCE) at NVD
- vFeed the Correlated and Aggregated Vulnerability Database - SQLite Database and Python API
- Cyberwatch Vulnerabilities Database, third party
- What Enterprises need to know about IT Security Audit Services?