Security Weekly

What is a CVE?


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 44

In previous weeks, we have talked a lot about different security vulnerabilities and linked to their CVE IDs. I realized, however, that I have not properly covered what a CVE is and what it is used for.

To date, Patchstack is one of the three official CNAs (CVE Numbering Authorities) in the WordPress ecosystem, and by far the largest of the three. So, let’s break down what CVEs are and what they are used for.

Common Vulnerabilities and Exposures

The Common Vulnerabilities and Exposures (CVE) program is an internationally recognized system for identifying and cataloging publicly known software security vulnerabilities.

As software is eating the world, the number of known vulnerabilities has also grown significantly. What was needed was a simple way to help security professionals make sure they are talking about the same thing.

The program was launched back in 1999 by the MITRE Corporation in collaboration with the U.S. Department of Homeland Security (DHS). It aims to provide a standardized identification system that enables effective communication about vulnerabilities.

All CVEs are published in the National Vulnerability Database (NVD) and at CVE.org. Each vulnerability has a unique CVE ID, which looks something like this: CVE-2024-10027

How does the CVE program work?

The core of the program consists of a community-driven, distributed network of over 400 organizations around the world, known as CVE Numbering Authorities (CNAs). These CNAs include major tech companies, security firms, research organizations, and government agencies.

CNAs are carefully chosen; their knowledge is verified, and they are then authorized to assign CVE IDs to vulnerabilities found in products within their specific scope and submit them to the CVE database for publication. For example, you can see the assigned Patchstack scope here.

The CVE process looks something like this:

  • Identification of Vulnerability: When a vulnerability is discovered in a software or hardware product, the discovering party (which could be a researcher, software vendor, or security professional) may report it to a relevant CNA.
  • Assignment of CVE ID: If the CNA verifies the vulnerability, it assigns a unique CVE identifier, or CVE code, to it. This code allows other parties to reference the vulnerability using a single, standardized identifier.
  • Publication of CVE Record: The assigned CVE ID and accompanying details about the vulnerability are published in the CVE database, making it publicly accessible. The CVE entry usually includes information such as the affected product, vulnerability type, and potential impact.
  • Utilization by the Security Community: Once published, organizations, cybersecurity professionals, and individuals can use the CVE record to evaluate risks, apply patches, and take steps to secure their systems against the identified vulnerability.

What are CVE Codes?

A CVE code, also known as a CVE ID, is a unique alphanumeric identifier assigned to a particular security vulnerability. Each CVE code follows a standardized format, which makes it easy for organizations to reference and manage vulnerabilities.

The format of a CVE code is: CVE-[Year]-[Number]

  • CVE: The prefix indicating it is part of the Common Vulnerabilities and Exposures system.
  • Year: This four-digit number denotes the year when the vulnerability was reported or when the CVE ID was assigned.
  • Number: This portion is a unique identifier assigned sequentially within the specified year.

CVE codes make it easy to tell which period a vulnerability dates from and to distinguish one vulnerability from another. The CVE record also includes additional information, such as a description of the vulnerability, the affected versions and other critical details that help developers identify and patch vulnerabilities more easily.
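As an added example (not code from Patchstack or this newsletter), here is a small parser for the CVE-[Year]-[Number] format described above, plus a helper that pulls the IDs out of free text such as a plugin changelog or an advisory, normalises their case and de-duplicates them. It assumes the official syntax where the sequence part is four or more digits (so longer IDs such as the page's CVE-2024-10027 are valid) and rejects anything earlier than the program's 1999 launch; the sample changelog text is constructed.

```python
import re
from dataclasses import dataclass

# CVE ID syntax: "CVE-" + four-digit year + "-" + four or more digits.
# Four digits is only the minimum; IDs with five or more digits are common.
_CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Assumption: the CVE program started in 1999, so no valid ID carries an earlier year.
_FIRST_CVE_YEAR = 1999


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence zero-padded to at least 4 digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse exactly one CVE ID (any case, surrounding whitespace allowed)."""
    m = _CVE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a well-formed CVE ID: {text!r}")
    year, seq = int(m.group(1)), int(m.group(2))
    if year < _FIRST_CVE_YEAR:
        raise ValueError(f"year {year} predates the CVE program: {text!r}")
    return CveId(year, seq)


def extract_cve_ids(text: str) -> list[str]:
    """Return canonical CVE IDs found in free text, de-duplicated, in order of first appearance."""
    seen: dict[str, None] = {}
    for m in _CVE_RE.finditer(text):
        seen.setdefault(str(CveId(int(m.group(1)), int(m.group(2)))), None)
    return list(seen)


# Constructed sample changelog: mixed case, a repeated ID, a long sequence
# number (hypothetical CVE-2014-123456) and a malformed reference that must be ignored.
SAMPLE_CHANGELOG = (
    "2.3.1 - Fixed cve-2024-10027. Also references CVE-2024-10027 again "
    "and CVE-2014-123456. Ticket CVE-24-1234 is malformed and is skipped."
)

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_CHANGELOG))
```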

Here are also some additional resources that I can recommend if you’re interested in CVE statistics or want to know more about the program itself:

  1. https://cve.icu/intro.html
  2. https://cve.mitre.org/index.html
  3. https://nvd.nist.gov/

