CVE represents Common Vulnerabilities and Exposures and is alluded to as “a word reference of freely known information security vulnerabilities and exposures.” Currently, MITRE Corporation works under an agreement with the U.S. Dept. of Homeland Security.
Practically speaking, The National Vulnerability Database (NVD) is a database of publicly recognized security vulnerabilities in operation. The CVE IDs are used as internationally undisclosed security vulnerabilities.
NVD and MITRE do not monitor “any” vulnerabilities that have ever occurred-only to those providers are guaranteed to map vulnerabilities through CVE ID. The CVE team has editorial authority to not include vulnerabilities for a variety of reasons.
Every entry in the CVE dictionary is enumerated with a CVE ID. The CVE ID is written in the CVE-year-number format, where the integer is at least a 4-digit number.
Relevant bugs that exist in applications are given unique CVE IDs. Adequately, this is utilized as a worldwide unique tracking ID for a vulnerability.
It is much easier to refer to the vulnerability by the CVE ID than by the name and version of the software when security analysts address vulnerabilities in a single version of a software application. CVE IDs are also used by many private sectors and government agencies to monitor vulnerability information. CVE ID also makes use of most threat scanning software.
MITRE and other parties try to ensure that CVEs are not duplicated, i.e. that is, weakness is followed freely with just a solitary CVE ID.
MITRE is the primary CVE maintainer and is also the primary CVE ID assigner. MITRE examines the vulnerability anytime a new vulnerability is identified, to evaluate the specifics and whether someone else has already identified the vulnerability. If the vulnerability happens to be recent, the vulnerability is given a new CVE ID for use in subsequent debate and communications.
MITRE, however, has appointed a small group of third-party organizations as CVE Numbering Authorities (CNAs), ensuring that these organizations have minimal power under some cases to grant CVE IDs without the intervention of MITRE. The same work rules that MITRE observes are supposed to be observed by CNAs; this often suggests that the option of CVE ID assignment does not reflect what you would expect. The CNAs either report to MITRE the newly assigned CVE IDs or publish an advisory with the CVE IDs so that MITRE can include the CNA-assigned CVE IDs in the overall MITRE CVE dictionary.
Large software vendors are usually CNAs with their own devices; Microsoft and Red Hat may assign bugs in their own devices as CVE IDs, and only to their own products. A list of CNAs is provided by MITRE.
The CERT / CC is a more general CNA; while they can assign CVE IDs for most products. They usually do not assign CVE IDs for vulnerabilities in products treated by other CNAs. Generally, they are often constrained to assign CVE IDs to vulnerabilities that we explicitly coordinate.
The two major CVE databases:
The CVE master list is retained by MITRE: http:/cve.mitre.org/cve.html
The National Vulnerability Database (NVD) is managed by NIST: https://nvd.nist.gov/vuln/search
As they are managed by third parties, the CERT / CC is unable to upgrade these databases.
Until releasing a complete CVE submission, MITRE conducts analysis on the flaw and scans for replication. Depending on the severity and quantity, this analysis often takes a considerable amount of time.
If you are a researcher and have an issue with the vulnerability information for a CVE, contact [email protected]
If you are a vendor and have a comment about something on NVD, contact [email protected]