CVE - About CVE Records (2024)

CVE Records (also referred to by the community as "CVE Identifiers," "CVE IDs," "CVE names," "CVE numbers," and "CVEs") are unique, common identifiers for publicly known cybersecurity vulnerabilities. Information is included about the topics below.

    CVE Records Defined
    Creation of CVE Records
    Requesting CVE IDs

CVE Records Defined

Each CVE Record includes the following:

  • CVE ID number with four or more digits in the sequence number portion of the ID (e.g., "CVE-1999-0067", "CVE-2014-12345", "CVE-2016-7654321").
  • Brief description of the security vulnerability.
  • Any pertinent references (i.e., vulnerability reports and advisories).
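The "four or more digits" rule above matters to any tool that pulls CVE IDs out of advisories, tickets or scanner output. The following is an added example, not code from the CVE Program or the original page; the function names and the sample text are constructed for illustration. It sets a pattern that assumes exactly four digits beside one that follows the rule, and shows that the first silently truncates long IDs into different, wrong ones.

```python
import re

# Syntax described above: "CVE-", a 4-digit year, "-", then FOUR OR MORE digits.
# The lookarounds reject matches embedded in longer tokens ("XCVE-...", "...-12345a").
CVE_ID = re.compile(
    r"(?<![A-Za-z0-9])CVE-(\d{4})-(\d{4,})(?![A-Za-z0-9])", re.IGNORECASE
)

# Legacy assumption (exactly four digits, no boundary check), kept for comparison.
NAIVE_CVE_ID = re.compile(r"CVE-\d{4}-\d{4}")


def is_cve_id(value):
    """True if the whole string is one syntactically valid CVE ID."""
    return CVE_ID.fullmatch(value) is not None


def extract_cve_ids(text):
    """Return unique, upper-cased CVE IDs in text, ordered by year then sequence."""
    found = set()
    for m in CVE_ID.finditer(text):
        found.add(f"CVE-{m.group(1)}-{m.group(2)}")
    # Sort numerically: a plain string sort would place 12345 before 9999.
    return sorted(found, key=lambda i: tuple(int(p) for p in i.split("-")[1:]))


def naive_extract(text):
    """What a four-digit-only pattern returns for the same text."""
    return NAIVE_CVE_ID.findall(text)


# Constructed sample text; the IDs are the syntax examples quoted on this page.
SAMPLE = (
    "Scanner note (constructed): hosts affected by CVE-2016-7654321 and "
    "cve-2014-12345; see also CVE-1999-0067, CVE-2014-12345. "
    "Ticket ref CVE-2014-123 is malformed."
)

if __name__ == "__main__":
    print("correct:", extract_cve_ids(SAMPLE))
    print("naive:  ", naive_extract(SAMPLE))
```

The truncated values the naive pattern returns are themselves well-formed CVE IDs, so a downstream lookup would match an unrelated record rather than fail.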

States of CVE Records

Creation of CVE Records

The process of creating a CVE Record begins with the discovery of a potential cybersecurity vulnerability. The information is then assigned a CVE ID by a CVE Numbering Authority (CNA), a Description and References are added by the CNA, and then the CVE Record is posted on the CVE website by the CVE Program Secretariat.

The documents below explain the creation of records in more detail:

CVE Numbering Authority (CNA) Rules

The guidelines the CVE Program uses to ensure that CVE Records are created in a consistent fashion, independent of which CVE Numbering Authority (CNA) is doing the creation.


CVE Numbering Authorities

Defines the role and responsibilities of CNAs; shows the number and types of participating CNAs from around the world; provides documentation for CNAs, including the CNA Rules document and Researcher Reservation Guidelines; and provides details of why and how to become a CNA.


Participating CNAs

Provides a list of the products and product categories covered by all CVE Numbering Authorities (CNAs), including Root CNAs.


CVE References

Each CVE Record includes appropriate references. Each reference used in CVE (1) identifies the source, (2) includes a well-defined identifier to facilitate searching on a source's website, and (3) notes the associated CVE ID. CVE also includes a Reference Maps page with links to documents from the commonly used information sources that are used as references for CVE Records.


FAQs

FAQs from the Frequently Asked Questions page also address specific questions about CVE Records on the following topics:

Requesting CVE IDs

To receive a CVE ID for your issue you must contact a CVE Numbering Authority (CNA). See Request a CVE ID for details.

Enhanced Info for CVE Records & Scoring

U.S. National Vulnerability Database (NVD)

Launched by the National Institute of Standards and Technology (NIST) in 2005, NVD provides a vulnerability database of enhanced CVE content that is fully synchronized with the CVE List, so any updates to the CVE List appear immediately in NVD.


In addition to advanced searching (e.g., by operating system, etc.), NVD also provides the following enhanced CVE content:

FAQs

What is an example of a CVE record? ›

Some examples of CVE record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE records for community benefit.

What CVE score is critical? ›

Common Vulnerability Scoring System (CVSS) severity ratings:

  Severity    Score
  Low         0.1-3.9
  Medium      4.0-6.9
  High        7.0-8.9
  Critical    9.0-10.0

How would you answer the argument that threat actors could use CVE? ›

I would say that threat actors can use CVE as a way of information about vulnerabilities. But I'd say it is also important to note that CVE's main purpose would be to strengthen cybersecurity.

What are the three elements that make up a CVE record? ›

A CVE Entry must contain three elements: (1) a unique CVE ID, (2) a short description, and (3) external references, as shown in the following example.

What is CVE in simple words? ›

CVE stands for Common Vulnerabilities and Exposures. The system provides a method for publicly sharing information on cybersecurity vulnerabilities and exposures.

What is the most common CVE? ›

The most exploited vulnerabilities in 2022
  1. CVE-2020-3452. CVE-2020-3452 is a read-only path traversal vulnerability that affects Cisco ASA and FTD software.
  2. CVE-2022-24086. ...
  3. CVE-2020-1938 (GhostCat) ...
  4. CVE-2018-2894. ...
  5. CVE-2019-8442. ...
  6. CVE-2021-26086. ...
  7. CVE-2020-14179. ...
  8. CVE-2018-13379. ...

What does a CVE score of 10 mean? ›

The Common Vulnerability Scoring System (CVSS) is a public framework for rating the severity and characteristics of security vulnerabilities in information systems. It provides a numerical score ranging from 0 to 10 to indicate the severity of a vulnerability, with 10 being the most severe.

How are CVE scores calculated? ›

CVEs are given a rating using the Common Vulnerability Scoring System (CVSS). The base score is composed of six metrics which can be used to calculate a severity score of 0-10. These metrics are: Access vector – The way in which a vulnerability can be exploited (e.g., locally or remotely)

Do all vulnerabilities have a CVE? ›

The intention of the CVE Program is to be comprehensive with respect to all publicly known vulnerabilities. While CVE prioritizes the assignment of CVE Records for the vendors, products, and product categories listed on the List of Partners page, a CVE ID may be requested for any vulnerability.

Who would dispute a CVE? ›

Incomplete information: A Published CVE Record may lack sufficient information for the vulnerability to be re-created by a CVE Program stakeholder. In this case, the technology vendor, maintainer, or third party may dispute the CVE Record.

How does the CVE distribute its information? ›

One way or another, information about the flaw makes its way to a CNA. The CNA assigns the information a CVE ID, and writes a brief description and includes references. Then the new CVE is posted on the CVE website. Often, a CVE ID is assigned before a security advisory is made public.

How does CVE compare to a vulnerability database? ›

Defining CVSS, CVE and NVD

CVE – Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed vulnerabilities and exposures that is maintained by MITRE. NVD – The National Vulnerability Database (NVD) is a database, maintained by NIST, that is fully synchronized with the MITRE CVE list.

How does a vulnerability become a CVE listing? ›

Vulnerabilities are first discovered, then reported to the CVE Program. The reporter requests a CVE ID, which is then reserved for the reported vulnerability.

Who is behind CVE? ›

The United States' National Cybersecurity FFRDC, operated by The MITRE Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security.

What does a CVE report contain? ›

A CVE entry describes a known vulnerability or exposure. Each CVE entry contains a standard identifier number with status indicator (e.g., "CVE-1999-0067", "CVE-2014-12345", "CVE-2016-7654321"), a brief description, and references to related vulnerability reports and advisories. Each CVE ID is formatted as CVE-YYYY-NNNNN.

What is an example of a CVE number? ›

CVE Records

CVE ID with four or more digits in the sequence number portion of the ID (e.g., "CVE-1999-0067", "CVE-2019-12345", "CVE-2021-7654321"). Brief description of the security vulnerability.

What is the format of the CVE list? ›

Format
  • The preferred format for submitting CVE assignment information is using the JSON schema.
  • In a flat file, use this format: [CVEID]: [PRODUCT]: [VERSION]: [PROBLEMTYPE]: [REFERENCES]: [DESCRIPTION]: ...
  • In a Comma Separated Values (CSV) file, each row should include each of these columns with CVE ID as a primary key.

How many CVE records are there? ›

There are currently over 199,000 CVE records available in the NVD, with thousands of new vulnerabilities reported and cataloged each year.

Article information

Author: Errol Quitzon
