What is CVE and CVSS | Vulnerability Scoring Explained | Imperva (2024)

What is the Common Vulnerabilities and Exposures (CVE) Glossary

CVE stands for Common Vulnerabilities and Exposures. CVE is a glossary that classifies vulnerabilities. The glossary analyzes vulnerabilities and then uses the Common Vulnerability Scoring System (CVSS) to evaluate the threat level of a vulnerability. A CVE score is often used to prioritize which vulnerabilities to remediate first.

The CVE glossary is a project dedicated to tracking and cataloging vulnerabilities in consumer software and hardware. It is maintained by the MITRE Corporation with funding from the US Department of Homeland Security. Vulnerabilities are collected and cataloged using the Security Content Automation Protocol (SCAP). SCAP evaluates vulnerability information and assigns each vulnerability a unique identifier.

Once evaluated and identified, vulnerabilities are listed in the publicly available MITRE glossary. After listing, vulnerabilities are analyzed by the National Institute of Standards and Technology (NIST). All vulnerability and analysis information is then listed in NIST’s National Vulnerability Database (NVD).

The CVE glossary was created as a baseline of communication and source of dialogue for the security and tech industries. CVE identifiers serve to standardize vulnerability information and unify communication amongst security professionals. Security advisories, vulnerability databases, and bug trackers all employ this standard.

Which Vulnerabilities Qualify for a CVE

To be categorized as a CVE vulnerability, a vulnerability must meet a certain set of criteria. These criteria include:

Independent of other issues

You must be able to fix the vulnerability independently of other issues.

Acknowledged by the vendor

The vulnerability is known by the vendor and is acknowledged to cause a security risk.

Is a proven risk

The vulnerability is submitted with evidence of security impact that violates the security policies of the vendor.

Affecting one codebase

Each product vulnerability gets a separate CVE. If vulnerabilities stem from shared protocols, standards, or libraries, a separate CVE is assigned for each vendor affected. The exception is if there is no way to use the shared component without including the vulnerability.

What is the Common Vulnerability Scoring System (CVSS)

The CVSS is one of several ways to measure the impact of vulnerabilities; the resulting value is commonly known as the CVE score. CVSS is an open set of standards used to assess a vulnerability and assign it a severity on a scale of 0-10. The current version of CVSS is v3.1, which breaks down the scale as follows:

Severity    Base Score
None        0
Low         0.1-3.9
Medium      4.0-6.9
High        7.0-8.9
Critical    9.0-10.0

The CVSS standard is used by many reputable organizations, including NVD, IBM, and Oracle. If you want to see how CVSS is calculated, or convert the scores assigned by organizations that do not use CVSS, you can use the NVD calculator.


Severity of top CVE vulnerabilities

CVE Identifiers

When vulnerabilities are verified, a CVE Numbering Authority (CNA) assigns a number. A CVE identifier follows the format CVE-{year}-{ID}. There are currently 114 organizations, across 22 countries, that are certified as CNAs. These organizations include research organizations, and security and IT vendors. CNAs are granted their authority by MITRE, which can also assign CVE numbers directly.

Vulnerability information is provided to CNAs via researchers, vendors, or users. Many vulnerabilities are also discovered as part of bug bounty programs. These programs are set up by vendors and provide a reward to users who report vulnerabilities directly to the vendor, as opposed to making the information public. Vendors can then report the vulnerability to a CNA along with patch information, if available.

Once a vulnerability is reported, the CNA assigns it a number from the block of unique CVE identifiers it holds. The CNA then reports the vulnerability with the assigned number to MITRE. Frequently, reported vulnerabilities have a waiting period before being made public by MITRE. This allows vendors to develop patches and reduces the chance that flaws are exploited once known.

When a CVE vulnerability is made public, it is listed with its ID, a brief description of the issue, and any references containing additional information or reports. As new references or findings arise, this information is added to the entry.

Open CVE Databases

There are many databases that include CVE information and serve as resources or feeds for vulnerability notification. Below are three of the most commonly used databases.

National Vulnerability Database (NVD)

NVD was formed in 2005 and serves as the primary CVE database for many organizations. It provides detailed information about vulnerabilities, including affected systems and potential fixes. It also scores vulnerabilities using CVSS standards.

As previously stated, CVE information from MITRE is provided to NVD, which then analyzes the reported CVE vulnerability. Although these organizations work in tandem and are both sponsored by the US Department of Homeland Security (DHS), they are separate entities.

Vulnerability Database (VULDB)

VULDB is a community-driven vulnerability database. It provides information on vulnerability management, incident response, and threat intelligence. VULDB specializes in the analysis of vulnerability trends. These analyses are provided in an effort to help security teams predict and prepare for future threats.

CVE Details

CVE Details is a database that combines NVD data with information from other sources, such as the Exploit Database. It enables you to browse vulnerabilities by vendor, product, type, and date. It includes CVE vulnerabilities, as well as vulnerabilities listed by Bugtraq ID, and Microsoft Reference.

RSS Resources

If you would like to use RSS for quick and easy updates on CVE vulnerabilities, you can try the following list:

For more resources refer to this post on Reddit.

Imperva Application Security

The Imperva security team uses a number of CVE databases to track new vulnerabilities, and update our security tools to protect customers against them.

Our Web Application Firewall (WAF) blocks all attempts to exploit known CVEs, even if the underlying vulnerability has not been fixed, and also uses generic rules and behavior analysis to identify exploit attacks from new and unknown threat vectors.

When a new CVE emerges, our solution is rapidly updated with its signature, making it possible to block zero-day attacks at the network edge, even before a vendor patch has been issued or applied to the vulnerable system.

Imperva also maintains the Cyber Threat Index to promote visibility and awareness of vulnerabilities, their types and level of severity and exploitability, helping organizations everywhere prepare and protect themselves against CVE vulnerabilities.
