Learn About CVE

Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed information security vulnerabilities and exposures.

What is CVE?
What is a vulnerability in software/hardware?
What is an exposure in software/hardware?
What is the goal of CVE?
Who is MITRE?
What is the CVE Board?
What are CNAs?
Who are CNAs and root CNAs?
How is a vulnerability or exposure added to CVE?

CVE® is a list of records, each containing an identification number, a description, and at least one public reference, for publicly known cybersecurity vulnerabilities. CVE Records are used in numerous cybersecurity products and services from around the world, including the U.S. National Vulnerability Database (NVD).

A vulnerability is a weakness that can be exploited in a cyber attack to gain unauthorized access to, or perform unauthorized actions on, a computer system. Vulnerabilities can allow attackers to run code, access system memory, install different types of malware, and steal, destroy or modify sensitive data.

An exposure is a mistake that gives an attacker access to a system or network. Exposures can lead to data breaches, data leaks, and personally identifiable information (PII) being sold on the dark web. In fact, some of the biggest data breaches were caused by accidental exposure rather than sophisticated cyber attacks.

The goal of CVE is to make it easier to share information about known vulnerabilities across organizations. CVE does this by creating a standardized identifier for a given vulnerability or exposure. CVE identifiers, or CVE names, allow security professionals to access information about specific cyber threats across multiple information sources using the same common name.

The MITRE Corporation is an American not-for-profit organization. It manages federally funded research and development centers supporting several U.S. government agencies. MITRE maintains the CVE dictionary and CVE website, as well as the CVE Compatibility Program. The CVE Project is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and US-CERT.

The CVE Board is composed of cybersecurity organizations including security tool vendors, academia, research institutions, government departments and agencies, security experts, and end-users of vulnerability information.

CVE Numbering Authorities (CNAs) are organizations that identify and distribute CVE ID numbers to researchers and vendors for inclusion in public announcements of new vulnerabilities. CNAs include software vendors, open source projects, coordination centers, bug bounty service providers, and research groups. CNAs form a federated system that identifies vulnerabilities and assigns them an ID without directly involving MITRE, which is the primary CNA.

MITRE serves as the primary CNA, while root CNAs cover a certain area or niche. In many cases, a root CNA is a major company like Apple that publishes vulnerabilities in its own products. In other cases, the root CNA may be focused on open source vulnerabilities. There are more than 100 CNAs in multiple countries, including Microsoft, Adobe, Apple, Cisco, Google, Hewlett Packard Enterprise, Huawei, IBM, Intel, Mozilla, Oracle, Red Hat, Siemens, Symantec, VMware, Atlassian, Autodesk, Cloudflare, Elastic, GitHub, Kubernetes, Netflix and Salesforce.

CVEs are added when a researcher finds a flaw or design oversight in software or firmware. The vendor does not have to see it as a vulnerability for it to be listed as a CVE. That said, the researcher may be required to provide evidence of how it could be used as part of an exploit. The stronger the claim, the more likely it is to be added to CVE, and the more likely it is to receive a high Common Vulnerability Scoring System (CVSS) score in vulnerability databases.

Potential CVEs reported by established vendors or other trusted parties will generally be added to the CVE list quickly.
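The value of a standardized identifier, as described above, is that every source names the same flaw the same way. The following added example (not part of the original post) shows how a defender can canonicalize CVE IDs found in advisories, scanner output and changelogs, correlate them, and check that a record carries the three parts named above: an ID, a description, and at least one public reference. It assumes the published CVE ID syntax (CVE-, a four-digit year, and a sequence of at least four digits), which the post itself does not spell out; all sample text and IDs are constructed.

```python
import re
from dataclasses import dataclass, field

# CVE ID syntax: "CVE-" + four-digit year + "-" + sequence of at least four digits.
# Sources often write it in lower case, so matching is case-insensitive.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


@dataclass
class CveRecord:
    cve_id: str
    description: str
    references: list = field(default_factory=list)


def normalize_cve_id(raw: str) -> str:
    """Return the canonical upper-case form of a CVE ID; raise on bad syntax."""
    m = CVE_ID_RE.fullmatch(raw.strip())
    if not m:
        raise ValueError(f"not a CVE ID: {raw!r}")
    return f"CVE-{m.group(1)}-{m.group(2)}"


def extract_cve_ids(text: str) -> list:
    """Distinct CVE IDs mentioned in free text, canonicalized, in first-seen order."""
    seen = {}
    for m in CVE_ID_RE.finditer(text):
        seen.setdefault(f"CVE-{m.group(1)}-{m.group(2)}", None)
    return list(seen)


def validate_record(rec: CveRecord) -> list:
    """Check the three mandatory parts of a record; return a list of problems (empty if OK)."""
    problems = []
    try:
        normalize_cve_id(rec.cve_id)
    except ValueError as e:
        problems.append(str(e))
    if not rec.description.strip():
        problems.append("missing description")
    if not any(r.startswith(("http://", "https://")) for r in rec.references):
        problems.append("no public reference URL")
    return problems


# Constructed sample: three sources that refer to the same flaw with different spelling.
SAMPLE_SOURCES = [
    "Vendor advisory: fixed cve-2099-12345 in release 4.2.",
    "Scanner finding: CVE-2099-12345 (critical) on host web01.",
    "Changelog: addresses CVE-2099-12345 and CVE-2099-0007.",
]


def correlate(sources) -> dict:
    """Map each canonical CVE ID to the indexes of the sources that mention it."""
    index = {}
    for i, text in enumerate(sources):
        for cve in extract_cve_ids(text):
            index.setdefault(cve, []).append(i)
    return index
```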