CVE & Vulnerabilities
For anyone handling vulnerability management
Question 1 (Beginner, free)
What is a CVE and how are they assigned?
CVE stands for Common Vulnerabilities and Exposures. It is a publicly available, standardised list of known cybersecurity vulnerabilities. Each CVE entry has a unique identifier (e.g., CVE-2021-44228 for Log4Shell), a description of the vulnerability, and references to relevant advisories, patches, and proof-of-concept code.
The CVE programme was launched by MITRE Corporation in 1999 and is sponsored by CISA (Cybersecurity and Infrastructure Security Agency).
How CVEs are assigned:
1. Discovery — A security researcher, vendor, or organisation discovers a vulnerability.
2. Reporting — The discoverer reports it to a CNA (CVE Numbering Authority). CNAs include major vendors (Microsoft, Google, Red Hat, Apple), research organisations, and bug bounty programmes.
3. CVE ID Reservation — A CVE ID is reserved (e.g., CVE-2024-XXXX) — often before public disclosure to allow vendors time to patch.
4. Coordinated Disclosure — The researcher and vendor agree on a disclosure date (typically 90 days, per Google Project Zero's standard).
5. Publication — The CVE record is published in the CVE database at cve.org and in the NVD (National Vulnerability Database, nvd.nist.gov), with full details including a CVSS score.
Key distinctions:
• CVE ID — The unique identifier and description of the vulnerability.
• NVD — The enriched database that adds CVSS scores, affected configurations, and patch links.
• CISA KEV (Known Exploited Vulnerabilities) — A separate catalogue of CVEs confirmed to be actively exploited in the wild. Patching KEV entries should be treated as highest priority.