CVE
Also known as: Common Vulnerabilities and Exposures
A CVE (Common Vulnerabilities and Exposures) is a publicly disclosed cybersecurity vulnerability with a unique identifier in the format CVE-YYYY-NNNNN. The CVE program is maintained by MITRE Corporation and provides the canonical reference for vulnerability tracking.
CVE (Common Vulnerabilities and Exposures)
A CVE (Common Vulnerabilities and Exposures) is a publicly disclosed cybersecurity vulnerability with a unique identifier in the format CVE-YYYY-NNNNN, where YYYY is the year of assignment and NNNNN is a sequential number. The CVE program is maintained by MITRE Corporation under sponsorship from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and provides the canonical reference for vulnerability tracking across the security industry.
Why CVEs exist
Before the CVE program (launched in 1999), every security vendor named vulnerabilities differently. The same flaw might be tracked as "BUF-CVE-OVERFLOW-1.2" by one vendor, "Microsoft Security Bulletin MS99-031" by another, and "Bugtraq ID 624" by yet another. Vulnerability management was a coordination nightmare.
CVE solves this by providing a single canonical identifier that everyone can reference. When Microsoft, Red Hat, and the National Vulnerability Database all reference CVE-2023-23397, they're talking about the same flaw.
CVE structure
A typical CVE record includes:
- CVE ID: unique identifier (e.g., CVE-2024-3094 for the XZ backdoor).
- Description: plain-language summary of the vulnerability.
- Affected products: vendor, product, and version ranges.
- CWE mapping: the underlying weakness type (CWE - Common Weakness Enumeration).
- References: vendor advisories, exploit code, mitigation guidance.
- CVSS score: severity rating (see CVSS glossary entry).
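As an added example (not code from the page or from the CVE program), the following Python validates the CVE-YYYY-NNNNN identifier syntax described above and models the record fields just listed, then answers the question a defender actually asks of a record: "is my installed version inside the affected range?" The vendor, product, version range, CWE mapping and the placeholder ID `CVE-2024-00000` are constructed for illustration and do not describe a real advisory; the sequence part of the regex accepts four or more digits because real sequence numbers can exceed five digits.

```python
import re
from dataclasses import dataclass

# CVE ID syntax: "CVE-", a four-digit year, "-", a sequence of four or more digits.
# Matching is case-sensitive on purpose: canonical IDs are upper-case.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Validate a CVE ID and return (year, sequence). Raises ValueError on bad input."""
    m = CVE_ID_RE.match(cve_id.strip())
    if not m:
        raise ValueError(f"not a valid CVE ID: {cve_id!r}")
    year, seq = int(m.group(1)), int(m.group(2))
    if year < 1999:  # the CVE program started in 1999; earlier years are implausible
        raise ValueError(f"implausible CVE year: {year}")
    return year, seq


def is_valid_cve_id(cve_id: str) -> bool:
    """Boolean wrapper around parse_cve_id for callers that just want yes/no."""
    try:
        parse_cve_id(cve_id)
        return True
    except ValueError:
        return False


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically.
    Simplified: assumes purely dotted-numeric versions (no '-beta' suffixes)."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class AffectedProduct:
    vendor: str
    product: str
    version_start: str      # first affected version (inclusive)
    version_end_excl: str   # first fixed version (exclusive)

    def affects(self, vendor: str, product: str, version: str) -> bool:
        if (vendor, product) != (self.vendor, self.product):
            return False
        v = parse_version(version)
        return parse_version(self.version_start) <= v < parse_version(self.version_end_excl)


@dataclass
class CVERecord:
    """The record fields described in the glossary entry."""
    cve_id: str
    description: str
    affected: list[AffectedProduct]
    cwe: str                 # underlying weakness type, e.g. "CWE-121"
    references: list[str]    # vendor advisories, mitigation guidance, ...
    cvss_score: float        # severity rating


def is_affected(record: CVERecord, vendor: str, product: str, version: str) -> bool:
    """True if any affected-product entry of the record covers this installation."""
    parse_cve_id(record.cve_id)  # refuse to reason about a record with a malformed ID
    return any(a.affects(vendor, product, version) for a in record.affected)


# Constructed sample record: placeholder ID and hypothetical vendor/product,
# not a real advisory. CWE-121 is the real CWE entry for stack-based buffer overflow.
SAMPLE = CVERecord(
    cve_id="CVE-2024-00000",
    description="Stack-based buffer overflow in the request parser of ExampleServer.",
    affected=[AffectedProduct("examplevendor", "exampleserver", "2.0.0", "2.4.7")],
    cwe="CWE-121",
    references=["https://advisory.example.invalid/placeholder"],
    cvss_score=9.8,
)

if __name__ == "__main__":
    print(parse_cve_id("CVE-2014-0160"))                                  # (2014, 160)
    print(is_affected(SAMPLE, "examplevendor", "exampleserver", "2.4.6"))  # True
    print(is_affected(SAMPLE, "examplevendor", "exampleserver", "2.4.7"))  # False
```

Note the numeric version comparison: comparing strings would wrongly rank "2.0.10" below "2.0.9", a classic source of false negatives in home-grown vulnerability matching.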
How CVEs are assigned
CVE Numbering Authorities (CNAs) are organizations authorized to assign CVE IDs. There are over 350 CNAs worldwide, including major vendors (Microsoft, Red Hat, Apple, Cisco) and coordinating bodies (CISA, JPCERT).
The lifecycle:
- Researcher discovers a vulnerability.
- Researcher reports to vendor (responsible disclosure).
- Vendor (acting as a CNA) assigns a CVE ID.
- Patch is developed.
- CVE is published when patch is released or after a coordinated disclosure window.
CVE exam topics
- CompTIA Security+: CVE structure, CVSS scoring, vulnerability scanners (Nessus, Qualys, OpenVAS), patch management, and the CVE-CVSS-CWE relationship.
- CompTIA CySA+: vulnerability management lifecycle, prioritization using CVSS + EPSS (Exploit Prediction Scoring System) + KEV (Known Exploited Vulnerabilities catalog from CISA).
- CompTIA PenTest+: finding CVEs in Metasploit, Exploit-DB, and GitHub. CVE search via tools like searchsploit.
- CISSP: vulnerability management process, risk assessment using CVE and CVSS, and integration with the broader risk management framework.
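The CySA+ bullet above describes prioritizing with CVSS, EPSS and CISA's KEV catalog together rather than by CVSS alone. The following Python, added here as an illustration and not code from the page or from any of those programs, ranks a set of findings with a simple tiering rule (KEV first, then exploit likelihood or critical severity, then CVSS) and contrasts it with a CVSS-only ordering. The thresholds, the placeholder `CVE-YYYY-0000N` identifiers and every score are constructed assumptions, not real EPSS or KEV data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve_id: str
    cvss: float     # CVSS base score, 0.0 - 10.0
    epss: float     # EPSS: estimated probability of exploitation activity, 0.0 - 1.0
    in_kev: bool    # listed in CISA's Known Exploited Vulnerabilities catalog


# Assumed thresholds for illustration; tune them to your own risk appetite.
EPSS_HIGH = 0.10
CVSS_CRITICAL = 9.0
CVSS_HIGH = 7.0


def tier(f: Finding) -> int:
    """Remediation tier: lower number means fix sooner."""
    if f.in_kev:
        return 0    # confirmed exploited in the wild: treat as an emergency
    if f.epss >= EPSS_HIGH or f.cvss >= CVSS_CRITICAL:
        return 1    # likely to be exploited soon, or critical impact if it is
    if f.cvss >= CVSS_HIGH:
        return 2
    return 3


def prioritize(findings: list[Finding]) -> list[str]:
    """Order by tier, then by exploit likelihood, then by severity; return the CVE IDs."""
    ranked = sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))
    return [f.cve_id for f in ranked]


def by_cvss_only(findings: list[Finding]) -> list[str]:
    """The naive ordering many scanners default to: highest CVSS first."""
    return [f.cve_id for f in sorted(findings, key=lambda f: -f.cvss)]


# Constructed sample findings with placeholder IDs; scores are invented.
SAMPLE_FINDINGS = [
    Finding("CVE-YYYY-00001", cvss=9.8, epss=0.01, in_kev=False),  # critical, rarely exploited
    Finding("CVE-YYYY-00002", cvss=7.5, epss=0.92, in_kev=True),   # in KEV: actively exploited
    Finding("CVE-YYYY-00003", cvss=5.3, epss=0.45, in_kev=False),  # medium CVSS, high EPSS
    Finding("CVE-YYYY-00004", cvss=8.1, epss=0.00, in_kev=False),  # high CVSS, no exploit signal
]

if __name__ == "__main__":
    print("CVSS only:       ", by_cvss_only(SAMPLE_FINDINGS))
    print("CVSS + EPSS + KEV:", prioritize(SAMPLE_FINDINGS))
```

The two orderings disagree at the top: the KEV-listed 7.5 and the medium-severity finding with high exploit likelihood move ahead of the 9.8 that nobody is exploiting, which is exactly the adjustment the exam objective is describing.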
Notable CVEs to know
Certain CVEs come up repeatedly in security exams as case studies:
- CVE-2014-0160 (Heartbleed): OpenSSL TLS heartbeat extension vulnerability. Triggered industry-wide reissuance of certificates.
- CVE-2017-0144 (EternalBlue): SMB vulnerability used by WannaCry ransomware. Patched by Microsoft in bulletin MS17-010.
- CVE-2021-44228 (Log4Shell): Apache Log4j JNDI injection. Affected millions of Java applications.
- CVE-2024-3094 (XZ Backdoor): supply-chain attack against the xz compression library, discovered before widespread exploitation.
Understanding the impact, mitigation, and detection patterns of these historical CVEs is more valuable for exam prep than memorizing every CVE number. Focus on the patterns: unauthenticated remote code execution, authentication bypass, supply-chain compromise, and privilege escalation.