Skip to content
Standards

CVE

CVE (Common Vulnerabilities and Exposures) is an international system for identifying and cataloging publicly known security vulnerabilities. Each vulnerability receives a unique CVE identifier that allows unambiguous reference to a specific security issue.

What is CVE?

CVE Definition

CVE (Common Vulnerabilities and Exposures) is an international system for identifying and cataloging publicly known security vulnerabilities in software and hardware. The program is managed by MITRE Corporation in collaboration with the U.S. CISA (Cybersecurity and Infrastructure Security Agency).

How Does the CVE System Work?

CVE Identifier Format

Each vulnerability receives a unique identifier in the format:

CVE-YYYY-NNNNN

Where:

  • CVE - system prefix
  • YYYY - year of submission or publication
  • NNNNN - sequential number (4 to 7 digits)

Example: CVE-2021-44228 (Log4Shell)

CVE Assignment Process

  1. Discovery - security researcher discovers vulnerability
  2. Assignment - CNA (CVE Numbering Authority) assigns identifier
  3. Description - detailed vulnerability description is created
  4. Publication - entry is added to public CVE database
  5. Updates - information about patches and exploits is added

CVE Entry Elements

Each CVE entry contains:

  • CVE Identifier - unique number
  • Description - brief vulnerability description
  • References - links to sources (advisories, patches)
  • CNA - organization responsible for the entry
  • Status - entry state (Reserved, Published, Rejected)

CVSS - Vulnerability Scoring

CVE is often associated with CVSS (Common Vulnerability Scoring System):

CVSS ScoreSeverity
9.0 - 10.0Critical
7.0 - 8.9High
4.0 - 6.9Medium
0.1 - 3.9Low
0.0None

Where to Find CVE Information?

Official Databases

  • NVD (National Vulnerability Database) - nvd.nist.gov
  • CVE.org - official MITRE site
  • CISA Known Exploited Vulnerabilities - catalog of actively exploited vulnerabilities

Tools and Services

  • Vulners - vulnerability aggregator
  • Snyk - open-source vulnerability database
  • Exploit-DB - exploit database
  • SecurityFocus - advisories and discussions

CVE in Security Management

Vulnerability Management

  • Vulnerability scanners use CVE for identification
  • Reports contain CVE references
  • Patch prioritization based on CVSS

Incident Response

  • Quick identification of exploited vulnerabilities
  • Infrastructure impact assessment
  • Remediation information lookup

Compliance

  • Audit requirements (PCI DSS, SOC 2)
  • Remediation action documentation
  • Reporting to regulators

CNA - CVE Numbering Authorities

CNAs are organizations authorized to assign CVE identifiers:

  • Root CNA - MITRE (manages entire program)
  • Top-Level CNAs - major organizations (Apple, Microsoft, Google)
  • Regular CNAs - software and hardware vendors
  • Research CNAs - security companies

Most Famous CVE Vulnerabilities

CVENameImpact
CVE-2021-44228Log4ShellRCE in Apache Log4j
CVE-2017-5754MeltdownCPU memory leak
CVE-2014-0160HeartbleedOpenSSL data leak
CVE-2017-0144EternalBlueSMB exploit (WannaCry)
CVE-2021-34527PrintNightmareRCE in Windows Print Spooler

CVE System Limitations

  • Not all vulnerabilities have CVE
  • Publication delays
  • Varying description quality
  • No severity standardization (CVSS dependency)
  • Zero-day vulnerabilities may lack CVE

Best Practices

  1. Monitor new CVEs - alert subscriptions
  2. Prioritize - focus on critical and actively exploited
  3. Automate scanning - regular infrastructure testing
  4. Document - track remediation status for each CVE
  5. Integrate with SIEM - alert correlation with CVE database

The CVE system is a fundamental tool in IT security management, enabling unambiguous communication about vulnerabilities worldwide.

Explore our services

Tags:

cve vulnerabilities security mitre vulnerability management

Want to Reduce IT Risk and Costs?

Book a free consultation - we respond within 24h

Response in 24h Free quote No obligations
Book a Call +48 22 487 86 36

Or download free guide:

Download NIS2 Checklist