The Common Vulnerabilities and Exposures system, commonly known simply as “CVE”, is a catalog of known software and information systems security threats.
Many software security products and security researchers identify security problems independently, so it can easily happen that several of them discover the same problem. Thus a need arose for standard terminology to identify and describe the problems.
CVE provides standard terminology to describe the problems being reported, and a catalog in which the problem can be uniquely identified and given its own name and identifying number. CVE is sponsored by the United States Department of Homeland Security (DHS).
CVE divides security threats into two categories: vulnerabilities and exposures. CVE does not contain information such as risk, impact, fix information, or detailed technical information. CVE only contains the standard identifier number with status indicator, a brief description, and references to related vulnerability reports and advisories.
CVE is used by makers of software products and information systems to disclose security problems with their products, and to identify the sources of information about them. For more information about how the makers of software and systems perform disclosure of security problems, see the RBCS Responsible Disclosure page.
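The two points above (one shared identifier so that several tools or researchers reporting the same problem are counted once, and an entry that carries only an ID with status, a brief description and references) are illustrated by the following added example. It is not code from the original page or from CVE itself; the identifier syntax (CVE-YYYY-NNNN with four or more sequence digits) is the real one, while the attribute names, the status values and the sample entries and scanner output are this example's own constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# CVE identifier syntax: "CVE-" + four-digit year + "-" + four or more digits
# (since 2014 the sequence number is no longer limited to four digits).
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})", re.IGNORECASE)


@dataclass
class CveEntry:
    """Minimal view of a CVE entry as the text describes it: identifier,
    status indicator, brief description and references. The attribute
    names are this example's own, not the official CVE record schema."""
    cve_id: str
    status: str                      # assumed values: "Entry", "Candidate", "Rejected"
    description: str
    references: list[str] = field(default_factory=list)


def normalize_cve_id(text: str) -> str:
    """Canonical upper-case form of a CVE ID, or ValueError if the input
    does not match the CVE-YYYY-NNNN+ syntax exactly."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a CVE identifier: {text!r}")
    year, seq = m.groups()
    if int(year) < 1999:             # the CVE list started in 1999
        raise ValueError(f"implausible CVE year in {text!r}")
    return f"CVE-{year}-{seq}"


def find_cve_ids(text: str) -> list[str]:
    """Every distinct CVE ID mentioned in free text (an advisory, a changelog,
    a scanner report), in canonical form and first-seen order."""
    seen: list[str] = []
    for m in CVE_ID_RE.finditer(text):
        cid = normalize_cve_id(m.group(0))
        if cid not in seen:
            seen.append(cid)
    return seen


def reconcile(reports: dict[str, str], catalog: dict[str, CveEntry]) -> dict[str, dict]:
    """Merge findings from several tools by CVE ID.

    reports maps a tool name to the raw text it produced. The result maps
    each canonical CVE ID to the tools that reported it and to the catalog
    entry (None when the ID is unknown to the catalog), so the same problem
    found by two tools is counted once, which is the reason a shared
    identifier scheme exists in the first place.
    """
    merged: dict[str, dict] = {}
    for tool, text in reports.items():
        for cid in find_cve_ids(text):
            slot = merged.setdefault(cid, {"reported_by": [], "entry": catalog.get(cid)})
            if tool not in slot["reported_by"]:
                slot["reported_by"].append(tool)
    return merged


# --- constructed sample data (not real CVE entries or real tool output) ---
CATALOG = {
    "CVE-2000-0001": CveEntry(
        "CVE-2000-0001", "Entry",
        "Example: published default administrator password that is never required to change.",
        ["https://vendor.example/advisory/1"]),
    "CVE-2000-0002": CveEntry(
        "CVE-2000-0002", "Rejected",
        "Example: withdrawn as a duplicate of CVE-2000-0001.", []),
}

REPORTS = {
    "scanner-a": "Host cam01: cve-2000-0001 (critical); also CVE-2000-0002.",
    "scanner-b": "Found CVE-2000-0001 on cam01. Unknown id CVE-2000-99999 seen.",
}

if __name__ == "__main__":
    for cid, info in reconcile(REPORTS, CATALOG).items():
        entry = info["entry"]
        status = entry.status if entry else "not in catalog"
        print(f"{cid}: status={status}; reported by {', '.join(info['reported_by'])}")
```

Two practical points the merge makes visible: an ID whose catalog status is "Rejected" should not generate a ticket even though a tool still reports it, and an ID absent from the catalog is a signal to check the tool's data feed rather than a new finding.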
Responsible disclosure policies are relatively new in the physical security industry. Axis Communications, the company who pioneered network cameras in 1996, is one security industry leader who uses CVE to register its product vulnerabilities and exposures according to its Vulnerability Disclosure Policy.
Vulnerabilities vs. Exposures
According to the CVE website, a vulnerability is defined as a mistake in software code that provides an attacker with direct access to a system or network. For example, the vulnerability may allow an attacker to pose as a superuser or system administrator who has full access privileges.
An information security vulnerability is defined as a mistake in software that can be directly used by a hacker to gain access to a system or network.
For CVE, a vulnerability is a state in a computing system (or set of systems) that either:
- allows an attacker to execute commands as another user
- allows an attacker to access data that is contrary to the specified access restrictions for that data
- allows an attacker to pose as another entity
- allows an attacker to conduct a denial of service
One example of a vulnerability is an unprotected password file that can be rewritten to provide access to critical data.
Another example is a published default password that isn’t required to be changed (common among physical security systems and devices).
An information security exposure is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. CVE considers a configuration issue or a mistake an exposure if it does not directly allow compromise but could be an important component of a successful attack, and is a violation of a reasonable security policy.
For example, an operating system that allows software to run or install even if its security signature is invalid leaves the computer open to the installation or execution of malware files.