What is CVE and CVSS | Vulnerability Scoring Explained | Imperva

CVE Vulnerability


What is the Common Vulnerabilities and Exposures (CVE) Glossary

CVE stands for Common Vulnerabilities and Exposures. CVE is a glossary that classifies vulnerabilities. The glossary analyzes vulnerabilities and then uses the Common Vulnerability Scoring System (CVSS) to evaluate the threat level of each vulnerability. A CVE score is often used to prioritize the remediation of vulnerabilities.

The CVE glossary is a project dedicated to tracking and cataloging vulnerabilities in consumer software and hardware. It is maintained by the MITRE Corporation with funding from the US Department of Homeland Security. Vulnerabilities are collected and cataloged using the Security Content Automation Protocol (SCAP). SCAP evaluates vulnerability information and assigns each vulnerability a unique identifier.

Once evaluated and identified, vulnerabilities are listed in the publicly available MITRE glossary. After listing, vulnerabilities are analyzed by the National Institute of Standards and Technology (NIST). All vulnerability and analysis information is then listed in NIST’s National Vulnerability Database (NVD).

The CVE glossary was created as a baseline of communication and source of dialogue for the security and tech industries. CVE identifiers serve to standardize vulnerability information and unify communication amongst security professionals. Security advisories, vulnerability databases, and bug trackers all employ this standard.

Which Vulnerabilities Qualify for a CVE

To be categorized as a CVE vulnerability, a vulnerability must meet a certain set of criteria. These criteria include:

Independent of other issues

You must be able to fix the vulnerability independently of other issues.

Acknowledged by the vendor

The vulnerability is known by the vendor and is acknowledged to cause a security risk.

Is a proven risk

The vulnerability is submitted with evidence of security impact that violates the security policies of the vendor.

Affecting one codebase

Each product vulnerability gets a separate CVE. If vulnerabilities stem from shared protocols, standards, or libraries, a separate CVE is assigned for each vendor affected. The exception is when there is no way to use the shared component without including the vulnerability.

What is the Common Vulnerability Scoring System (CVSS)

The CVSS is one of several ways to measure the impact of vulnerabilities; its result is commonly known as the CVE score. The CVSS is an open set of standards used to assess a vulnerability and assign a severity along a scale of 0-10. The current version of CVSS is v3.1, which breaks down the scale as follows:

Severity   Base Score
None       0
Low        0.1-3.9
Medium     4.0-6.9
High       7.0-8.9
Critical   9.0-10.0

The CVSS standard is used by many reputable organizations, including NVD, IBM, and Oracle. If you want to see how CVSS is calculated, or convert the scores assigned by organizations that do not use CVSS, you can use the NVD calculator.

Severity of top CVE vulnerabilities


CVE Identifiers

When vulnerabilities are verified, a CVE Numbering Authority (CNA) assigns a number. A CVE identifier follows the format CVE-{year}-{ID}. There are currently 114 organizations, across 22 countries, that are certified as CNAs. These organizations include research organizations and security and IT vendors. CNAs are granted their authority by MITRE, which can also assign CVE numbers directly.

Vulnerability information is provided to CNAs by researchers, vendors, or users. Many vulnerabilities are also discovered as part of bug bounty programs. These programs are set up by vendors and provide a reward to users who report vulnerabilities directly to the vendor, as opposed to making the information public. Vendors can then report the vulnerability to a CNA along with patch information, if available.

Once a vulnerability is reported, the CNA assigns it a number from the block of unique CVE identifiers it holds. The CNA then reports the vulnerability with the assigned number to MITRE. Frequently, reported vulnerabilities have a waiting period before being made public by MITRE. This allows vendors to develop patches and reduces the chance that flaws are exploited once known.

When a CVE vulnerability is made public, it is listed with its ID, a brief description of the issue, and any references containing additional information or reports. As new references or findings arise, this information is added to the entry.

Open CVE Databases

There are many databases that include CVE information and serve as resources or feeds for vulnerability notification. Below are three of the most commonly used databases.

National Vulnerability Database (NVD)

NVD was formed in 2005 and serves as the primary CVE database for many organizations. It provides detailed information about vulnerabilities, including affected systems and potential fixes. It also scores vulnerabilities using CVSS standards.

As previously stated, CVE information from MITRE is provided to NVD, which then analyzes the reported CVE vulnerability. Although these organizations work in tandem and are both sponsored by the US Department of Homeland Security (DHS), they are separate entities.

Vulnerability Database (VULDB)

VULDB is a community-driven vulnerability database. It provides information on vulnerability management, incident response, and threat intelligence. VULDB specializes in the analysis of vulnerability trends. These analyses are provided in an effort to help security teams predict and prepare for future threats.

CVE Details

CVE Details is a database that combines NVD data with information from other sources, such as the Exploit Database. It enables you to browse vulnerabilities by vendor, product, type, and date. It includes CVE vulnerabilities, as well as vulnerabilities listed by Bugtraq ID, and Microsoft Reference.

RSS Resources

If you would like to use RSS for quick and easy updates on CVE vulnerabilities, you can try the following list:

For more resources refer to this post on Reddit.

Imperva Application Security

The Imperva security team uses a number of CVE databases to track new vulnerabilities, and update our security tools to protect customers against them.

Our Web Application Firewall (WAF) blocks all attempts to exploit known CVEs, even if the underlying vulnerability has not been fixed, and also uses generic rules and behavior analysis to identify exploit attacks from new and unknown threat vectors.

When a new CVE emerges, our solution is rapidly updated with its signature, making it possible to block zero-day attacks at the network edge, even before a vendor patch has been issued or applied to the vulnerable system.

Imperva also maintains the Cyber Threat Index to promote visibility and awareness of vulnerabilities, their types and level of severity and exploitability, helping organizations everywhere prepare and protect themselves against CVE vulnerabilities.