CVE is short for “Common Vulnerabilities and Exposures”.

CVE is managed by the MITRE corporation and is funded by the DHS CISA. According to the Mitre site, “The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.” It provides a free list of security vulnerabilities that have been disclosed to the public and gives an easy way for IT and Security teams to look up and prioritize security issues to address.

CVE provides an identifier assigned by a CVE Numbering Authority (CNA). Once an issue is brought up to a CNA, they can assign the issue/information a CVE ID and provide a brief description to post on the CVE website.

According to RedHad, “Often, a CVE ID is assigned before a security advisory is made public. It’s common for vendors to keep security flaws secret until a fix has been developed and tested. That reduces opportunities for attackers to exploit unpatched flaws.”

CVE IDs are in the format of CVE-2021-1234567 and an entry includes the CVE ID, a brief description, a product and version, and links to the reports.

What are the requirements for a CVE?

Not all vulnerabilities will receive a CVE ID.

RedHat provides a list of criteria.

CVE Criteria

Sources: mitre, RedHat