Understanding Common Vulnerabilities and Exposures (CVE): A Complete Guide
If you’re worried about home security, there are many things you can do to keep your house safe from burglars. The same goes for keeping your software systems secure and safe from hackers.
A flaw in one of the locks or windows of your house is a weakness that someone could exploit to break into your home. The entries catalogued as Common Vulnerabilities and Exposures (CVE) describe the equivalent flaws in your computer systems.
Just as you'd want to fix any broken locks or reinforce weak windows in your house, you also want to address a CVE to prevent unauthorized access or damage to your data.
What is a CVE?
CVE is a standardized identifier assigned to a specific security vulnerability or exposure in software or hardware. CVE aims to provide a common language and framework for identifying, tracking, and sharing information about security vulnerabilities across different organizations, vendors, and security researchers.
When security researchers discover a CVE, it's like someone noticing a weak spot in a house's security system and reporting it to the homeowner, who then takes action to fix the vulnerability.
Just as you'd want to stay updated on the security of your home and fix any vulnerabilities to keep it safe, software development teams need to remain aware of CVEs and apply patches to their systems to keep them secure from cyber threats.
In software development, CVEs serve several important purposes:
- Identification: They provide a unique and standardized way to identify and reference specific security vulnerabilities. Each CVE entry has a unique identifier and detailed information about the vulnerability, such as its severity, affected software versions, and potential impact.
- Collaboration: They facilitate communication between stakeholders in the software development and security communities. Using a common identifier, everyone involved (researchers, vendors, engineers, etc.) can easily share information about vulnerabilities, discuss potential mitigations, and coordinate efforts to address security issues.
- Prioritization: They help prioritize security efforts by providing a standardized way to assess the severity and impact of vulnerabilities according to factors like the potential risk and the availability of patches or mitigations.
By tracking CVEs and addressing known vulnerabilities promptly, companies can reduce exposure to security risks and protect their systems and data from exploitation by attackers. CVEs play a crucial role in risk management strategies by providing visibility into the security posture of software systems and guiding decisions about resource allocation and security investments.
What’s the Difference Between Vulnerabilities and Exposures?
In the context of CVEs, the terms "vulnerability" and "exposure" are often used interchangeably, but they have distinct meanings.
A vulnerability refers to a flaw or weakness in a software system, application, network, or hardware component that an attacker could exploit to compromise the integrity, confidentiality, or availability of a system or its data.
Vulnerabilities can arise from programming errors, design flaws, misconfigurations, or other issues. Examples include buffer overflows, SQL injection, cross-site scripting (XSS), and insecure cryptographic algorithms.
An exposure refers to a vulnerability that has been discovered and made public, thereby exposing the affected system to potential exploitation by attackers. It is a vulnerability manifested in a real-world scenario, where it becomes known to the public or to potential threat actors.
Exposures are typically documented in CVE entries, which provide detailed information about the vulnerability, including its impact, affected software versions, and mitigations.
Why Is Tracking CVEs Important?
Cybercrime continues to grow yearly, as do the number, speed, and sophistication of exploits. According to a recent Qualys report, more than 26,400 vulnerabilities were disclosed in 2023, surpassing 2022’s CVE count by over 1,500.
The report also shows that companies need to increase the speed with which they patch their security flaws. According to Qualys, 25% of high-risk CVEs were exploited on the day of publication, and 75% were exploited within 19 days.
IBM’s 2024 X-Force Threat Intelligence Index found that, according to Red Hat Insights from 2023, 92% of their customers had “at least one CVE with known exploits in their environment at the time of scanning,” and 81% had three or more.
The CVE System: How It Works
The CVE Program manages the CVE system, which is operated by the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS). The CVE Program is a community-driven initiative managed by the MITRE Corporation that aims to standardize the identification and naming of vulnerabilities in software and hardware.
A CVE Numbering Authority (CNA) is an organization authorized by the CVE Program to assign a CVE ID (identifier) to each vulnerability. CVE numbering authorities play a crucial role in the CVE ecosystem by providing a centralized, standardized CVE database to identify and track vulnerabilities. They are responsible for assigning CVE identifiers to vulnerabilities affecting the products or systems within their scope.
CNAs can be organizations, vendors, open-source projects, or government agencies that meet certain criteria and agree to adhere to the CVE Program's guidelines and practices. They typically have expertise in the products or systems they cover, allowing them to accurately identify and assign CVE IDs to vulnerabilities within their domain.
When a security vulnerability is discovered, parties can request a CVE identifier for the vulnerability from the CVE Program. The requestor provides detailed information about the vulnerability, including its impact, affected software versions, and any available mitigations.
Once the CVE Program validates and approves the request, a unique CVE identifier is assigned to the vulnerability, and the CVE entry is added to the CVE List. The CVE entry includes comprehensive details about the vulnerability, such as its description, severity rating, affected products, and references to additional information or patches.
The CVE List is publicly accessible and serves as a centralized repository of known vulnerabilities, allowing security researchers, vendors, and users to search, reference, and share information about security vulnerabilities across different platforms and organizations.
How are CVEs Qualified?
Any security vulnerability or exposure in software, hardware, or firmware can qualify for a CVE identifier. Common vulnerabilities include programming errors, design flaws, misconfigurations, and cryptographic weaknesses.
Vulnerabilities may be discovered through various means, including security research, penetration testing, code analysis, and incident response.
To qualify for a CVE identifier, a vulnerability must meet specific criteria, including:
- Reproducibility: It must be possible to reliably demonstrate or exploit it under specific conditions.
- Impact: It must have a potential effect on the security, integrity, confidentiality, or availability of the affected system or data.
- Specificity: It must be specific and well-defined, with clear documentation of its nature, cause, and potential consequences.
- Scope: It must affect a specific software, hardware, or firmware component and have a discernible boundary of impact.
Once these criteria are met, the CVE Program assigns a unique CVE identifier to the vulnerability and creates a CVE entry to document the details of the vulnerability in the CVE List.
What is the Common Vulnerability Scoring System (CVSS)?
The Common Vulnerability Scoring System (CVSS) is a standardized framework that assesses the severity and impact of information security vulnerabilities. CVSS provides a consistent method for scoring and prioritizing vulnerabilities based on their characteristics and potential risk to systems and data.
The CVSS framework assigns numerical scores to vulnerabilities based on several metrics, including:
- Base Score: Intrinsic characteristics of the vulnerability, such as its exploitability, impact, and complexity.
- Temporal Score: Characteristics that may change over time, such as the availability of patches or exploit code.
- Environmental Score: Characteristics specific to a particular environment, such as the configuration and security controls in place.
CVSS scores range from 0.0 to 10.0, with higher scores indicating more severe vulnerabilities. They help organizations and their DevSecOps teams focus on the vulnerabilities with the highest potential impact and risk, allocate resources for remediation, and communicate the severity of security issues to stakeholders.
Tools for Identifying and Managing CVEs
Thankfully, software development organizations have plenty of options in terms of tools that can help them keep CVEs in check and mitigate security vulnerabilities effectively, including:
- Static Application Security Testing (SAST) tools that analyze source code and binaries for potential security vulnerabilities, including those that may lead to CVEs. SAST tools identify coding errors, design flaws, and other issues early in the software development lifecycle. SAST tools are still underutilized. Our 2024 State of Software Quality report found that just 42% of respondents currently use SAST tools.
- Software Composition Analysis (SCA) tools that analyze software dependencies and third-party components to identify vulnerabilities and licensing issues. SCA tools help organizations manage the security risks associated with open-source and third-party software libraries.
- Dynamic Application Security Testing (DAST) tools that assess web applications for vulnerabilities by way of real-time simulated attacks. DAST tools help detect vulnerabilities that may not be apparent in the source code, including those associated with CVEs.
- Patch management tools that automate the process of deploying software patches and updates to address known vulnerabilities. They help ensure that systems and software are updated with the latest security fixes, reducing the risk of exploitation.
- Security configuration management tools that assist in maintaining secure configurations for software, devices, and infrastructure components. They help enforce security best practices and policies to prevent misconfigurations that could lead to CVEs.
- Container security tools that scan container images and runtime environments for vulnerabilities, including those associated with CVEs. They help organizations that use containerized applications ensure that containers are deployed securely and free from known vulnerabilities.
- Threat intelligence platforms that aggregate and analyze data from various sources, providing insights into emerging threats and vulnerabilities, including CVEs. They help organizations stay informed about the latest security risks and proactively protect their systems.
CVEs provide a common language for discussing and addressing vulnerabilities. These tools help development teams proactively identify and remediate these vulnerabilities in their software applications, reducing the risk of security and data breaches.
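The core check an SCA-style tool performs can be shown in a few lines. This is an added example, not Codacy's code or that of any tool named above: it matches a dependency inventory against advisory records by affected version range and orders the findings by CVSS score. The package names, version ranges, and scores are constructed, and the `CVE-0000-…` identifiers are placeholders.

```python
import re

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")  # CVE-<year>-<sequence of 4 or more digits>

def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

# Constructed advisory records: placeholder IDs, hypothetical packages and ranges.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "examplelib", "introduced": "1.2.0", "fixed": "1.2.9", "cvss": 9.8},
    {"id": "CVE-0000-0002", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.1.4", "cvss": 5.3},
    {"id": "CVE-0000-0003", "package": "demo-parser", "introduced": "0.1.0", "fixed": "2.10.0", "cvss": 7.5},
    {"id": "not-a-cve", "package": "demo-parser", "introduced": "0.1.0", "fixed": "9.0.0", "cvss": 4.0},
]

# Constructed dependency inventory, such as a lockfile or SBOM would list.
INVENTORY = {"examplelib": "1.2.3", "demo-parser": "2.9.1", "other-pkg": "4.0.0"}

def is_affected(installed, advisory):
    """True when introduced <= installed < fixed."""
    v = parse_version(installed)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def find_exposed(inventory, advisories):
    """Return findings for installed packages inside an affected range, worst first."""
    findings = []
    for adv in advisories:
        if not CVE_ID.match(adv["id"]):
            continue  # skip malformed identifiers rather than reporting them
        installed = inventory.get(adv["package"])
        if installed is not None and is_affected(installed, adv):
            findings.append({"cve": adv["id"], "package": adv["package"],
                             "installed": installed, "upgrade_to": adv["fixed"],
                             "cvss": adv["cvss"]})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)

if __name__ == "__main__":
    for f in find_exposed(INVENTORY, ADVISORIES):
        print(f"{f['cve']}  {f['package']} {f['installed']} -> {f['upgrade_to']}  CVSS {f['cvss']}")
```

Note the `demo-parser` case: compared as strings, `2.9.1` sorts after `2.10.0` and the finding would be missed, so versions are compared as integer tuples.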
CVE Examples
What do these CVEs actually look like? Let’s look at some common examples of CVEs that have garnered significant attention within the cybersecurity community due to their widespread impact and severity.
- CVE-2017-0144 (EternalBlue): This CVE refers to a vulnerability in the Windows operating system's Server Message Block (SMB) protocol. Exploiting this vulnerability allowed attackers to execute arbitrary code remotely, leading to the infamous WannaCry ransomware attack in 2017.
- CVE-2014-0160 (Heartbleed): Heartbleed was a critical vulnerability in the OpenSSL cryptographic library that allowed attackers to steal sensitive information (usernames, passwords, encryption keys) from vulnerable servers without leaving any trace.
- CVE-2018-11776 (Apache Struts): This CVE refers to a vulnerability in the Apache Struts framework, a popular open-source web application framework for Java. Exploiting this vulnerability allowed attackers to execute arbitrary code remotely on web servers running vulnerable versions of Apache Struts. The vulnerability was famously exploited in the Equifax data breach in 2017 that exposed the personal data of millions of individuals. The resulting settlement cost Equifax $425 million.
- CVE-2019-0708 (BlueKeep): BlueKeep was a critical vulnerability in the Remote Desktop Protocol (RDP) service on older versions of Microsoft Windows. Exploiting this vulnerability could allow attackers to execute arbitrary code remotely without requiring authentication, potentially leading to widespread malware infections and unauthorized system access.
- CVE-2020-1472 (ZeroLogon): ZeroLogon was a critical vulnerability in the implementation of the Netlogon Remote Protocol (MS-NRPC) in Microsoft Windows. Exploiting this vulnerability allowed attackers to gain administrative access to Active Directory domain controllers, potentially compromising the entire network infrastructure.
These CVEs have been extensively studied, documented, and discussed in the context of cybersecurity awareness, best practices, and mitigation strategies. However, it's important to note that the prevalence of CVEs can vary over time and across different industries and technology stacks.
New vulnerabilities are constantly being discovered, and the impact of CVEs may vary depending on factors such as the affected software or hardware, the exploitability of the vulnerability, and the potential consequences of exploitation.
Codacy Can Help Keep Your Software Secure
If you’re looking for an affordable and scalable code analysis tool to keep your application secure, try Codacy. Our application security platform offers SAST features, enabling you to scan your source code to identify vulnerabilities such as XSS, SQL injection, Broken Access Control, and other critical issues outlined in the OWASP Top 10 list.
Codacy also helps identify hard-coded secrets like exposed API keys, encryption keys, and passwords that may compromise your application security, and it integrates with popular security tools such as Trivy and Semgrep.
Start your free trial today to evaluate Codacy’s code security and quality features.