CVE, or Common Vulnerabilities and Exposures, is a list of publicly known cybersecurity vulnerabilities and exposures. These vulnerabilities and exposures can exist in software, hardware, or organizational processes, leaving systems susceptible to exploitation.
When someone refers to a CVE, it’s a security flaw with a CVE ID number, such as CVE-2023-6345.
CVE entries are scored using the Common Vulnerability Scoring System (CVSS). CVSS scores range from 0.0 to 10.0, with higher numbers indicating greater security severity.
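The ID format and score range described above, as an added example that is not part of the original article: a small Python triage helper that validates CVE IDs, maps a CVSS base score to its qualitative rating band (the CVSS v3.x bands), and sorts findings by severity while rejecting malformed entries. The sample findings and their scores are constructed for this example and are not real CVSS values.

```python
import re

# CVE IDs take the form "CVE-<year>-<sequence>"; the sequence has at least
# four digits and may be longer (e.g. CVE-2023-6345 or a five-digit sequence).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# CVSS v3.x qualitative rating bands covering the 0.0 to 10.0 score range.
SEVERITY_BANDS = (
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
)


def parse_cve_id(text):
    """Return (year, sequence) for a well-formed CVE ID, or None if malformed."""
    m = CVE_ID_RE.match(text.strip().upper())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def cvss_rating(score):
    """Map a CVSS base score to its rating band; reject values outside 0.0-10.0."""
    score = round(float(score), 1)
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"CVSS score out of range 0.0-10.0: {score}")


def triage(findings):
    """Validate (cve_id, score) pairs; return (kept sorted by score desc, rejected)."""
    kept, rejected = [], []
    for cve_id, score in findings:
        if parse_cve_id(cve_id) is None:
            rejected.append((cve_id, "malformed CVE ID"))
            continue
        try:
            rating = cvss_rating(score)
        except (TypeError, ValueError) as exc:
            rejected.append((cve_id, str(exc)))
            continue
        kept.append((cve_id.strip().upper(), round(float(score), 1), rating))
    kept.sort(key=lambda item: item[1], reverse=True)
    return kept, rejected


# Constructed sample input: IDs and scores are made up for this example.
SAMPLE_FINDINGS = [
    ("CVE-2023-6345", 9.6),    # constructed score, not the real one
    ("cve-2020-1234567", 4.0),  # long sequence number, lowercase prefix
    ("CVE-2019-5000", 0.0),
    ("CVE-20-1234", 5.0),       # malformed: two-digit year
    ("CVE-2022-99999", 11.0),   # score outside the CVSS range
]

if __name__ == "__main__":
    kept, rejected = triage(SAMPLE_FINDINGS)
    for cve_id, score, rating in kept:
        print(f"{cve_id:<20} {score:>4} {rating}")
    for cve_id, reason in rejected:
        print(f"rejected {cve_id}: {reason}")
```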
A vulnerability refers to a weakness or flaw in a system’s design, implementation, or configuration that attackers could exploit to compromise the integrity, availability, or confidentiality of the system or its data.
These vulnerabilities can result from coding errors, misconfigurations, lack of security controls, or unforeseen interactions between system components.
Examples of vulnerabilities include buffer overflow vulnerabilities, SQL injection flaws, insecure default settings, and missing security patches.
An exposure refers to a situation where sensitive information or assets are left unprotected or accessible to unauthorized users. Exposures arise from poor security practices or inadvertent actions rather than from flaws in the system itself.
Exposures include leaving sensitive data unencrypted, failing to secure network ports or services, granting excessive privileges to users, or neglecting to implement access controls.
To qualify as a CVE and be assigned a CVE ID, a flaw must meet the following criteria:
1. Be independently fixable — The flaw can be fixed independently of any other bugs.
2. Be acknowledged by the affected vendor OR documented — The software vendor must acknowledge the flaw and its negative impact on security. Alternatively, the reporter must have shared a vulnerability report demonstrating the bug’s negative impact and how it violates the security policy of the affected system.
3. Affect one codebase — Flaws that impact multiple products get separate CVEs for each codebase or product. A single CVE is issued for shared libraries, protocols, or standards only IF there is no way to use the shared code without being vulnerable.