Common Vulnerabilities and Exposures
The Common Vulnerabilities and Exposures (CVE) system tracks publicly known security vulnerabilities and exposures in publicly released software packages.
The MITRE Corporation, an American not-for-profit organization, maintains the system using funding from the United States Government to provide alerts and guidance for the general public and for U.S. government agencies.
CVEs are listed on the CVE Program’s website and on the US National Vulnerability Database.
How CVEs are assigned
CVE IDs are issued through a federated model. A CVE Numbering Authority (CNA) is an organization authorized to assign CVE IDs to vulnerabilities within its own scope — participating vendors (for example Microsoft, Oracle, and Red Hat), coordination centers such as CERT/CC, and some open-source projects act as CNAs. When a CNA is unavailable, MITRE (the CVE Program’s root and Primary CNA) can assign an ID directly.
Related systems: CVSS and CWE
A CVE record identifies a specific vulnerability, but it does not by itself indicate how severe the vulnerability is or what class of weakness it represents.
- CVSS — the Common Vulnerability Scoring System produces a 0.0–10.0 severity score with a qualitative rating (Low / Medium / High / Critical). NVD publishes CVSS v3.x and v4.0 scores for CVE records; as of July 2022 NVD no longer generates CVSS v2.0 scores for new evaluations. CVSS is described by NIST as “a qualitative measure of severity” and is explicitly not a measure of risk.
- CWE — the Common Weakness Enumeration is a taxonomy of software and hardware weakness types (for example CWE-79 for cross-site scripting, CWE-89 for SQL injection). CVE records commonly cite one or more CWE IDs to classify the underlying weakness that led to the vulnerability.