Overview
CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that's been assigned a CVE ID number.
Security advisories issued by vendors and researchers almost always mention at least 1 CVE ID. CVEs help IT professionals coordinate their efforts to prioritize and address these vulnerabilities to make computer systems as secure as possible.
How does the CVE system work?
In 1999, MITRE Corporation, a U.S. Government-funded research and development company, developed the CVE system, a uniform standard for reporting and tracking software security bugs.
CVE entries are brief. They don’t include technical data or information about risks, impacts, and fixes. Those details appear in other databases, including the U.S. National Vulnerability Database (NVD), the CERT/CC Vulnerability Notes Database, and various lists maintained by vendors and other organizations.
Across these different systems, CVE IDs give users a reliable way to recognize unique vulnerabilities and coordinate the development of security tools and solutions. The MITRE Corporation maintains the CVE list, but a security flaw that becomes a CVE entry is often submitted by organizations and members of the open source community.
About CVE identifiers
CVE identifiers (or CVE IDs) are assigned by a CVE Numbering Authority (CNA). Approximately 100 CNAs exist, including security companies, research organizations, and major IT vendors such as Red Hat, IBM, Cisco, Oracle, and Microsoft. MITRE can also issue CVEs directly.
CNAs are issued blocks of CVE IDs, which the CNAs hold in reserve to attach to new issues as they're discovered. Thousands of CVE IDs are issued every year. A single complex product, like an operating system (OS), can accumulate hundreds of CVEs. This means it's particularly vulnerable once it enters its end-of-maintenance phase (when bug fixes and security patches stop being issued) and end-of-life phase (when all first-party support ends). For example, when CentOS Linux 7 entered its end-of-life period on July 1, 2024, a new CVE was announced within a day. This underscores the importance of migrating to a stable OS that receives regular security patches and updates.
Anyone—a vendor, a researcher, or just an astute user—can discover a security flaw and bring it to someone's attention. Many vendors offer bug bounties to encourage responsible disclosure of security issues. If you find a vulnerability in open source software, you should submit it to the relevant community.
One way or another, information about the flaw makes its way to a CNA. The CNA then assigns the information a CVE ID. Finally, the new CVE is posted on the CVE website.
A CNA often assigns a CVE ID before making the security advisory public. Vendors commonly keep security flaws secret until they've developed and tested fixes to help prevent attackers from exploiting unpatched flaws.
Once made public, a CVE entry includes the CVE ID (in the format "CVE-2019-1234567"), a brief description of the security vulnerability or exposure, and references, which can include links to vulnerability reports and advisories.
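Because advisories, tickets and scanner output all refer to flaws by CVE ID, a defender's tooling usually starts with parsing that identifier reliably. The following is an added example, not code from this article or from Red Hat: it validates single IDs against the CVE ID syntax (a four-digit year, then a sequence of four or more digits, where sequences longer than four digits do not start with a zero), normalises case, and pulls the unique IDs out of free text such as an advisory. The advisory text and the IDs in it are constructed for the example and do not refer to real entries.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# CVE ID syntax: "CVE-" + 4-digit year + "-" + 4 or more digits.
# Case is ignored on input so "cve-2024-0001" is accepted and normalised.
_CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


class CveId(NamedTuple):
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper case, sequence zero-padded to at least 4 digits.
        return f"CVE-{self.year:04d}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse one CVE ID string; raise ValueError if it is malformed."""
    m = _CVE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a CVE ID: {text!r}")
    year, seq = m.group(1), m.group(2)
    if len(seq) > 4 and seq[0] == "0":
        # Only 4-digit sequences may carry leading zeros (CVE-2014-0001 is
        # valid, CVE-2014-00001 is not).
        raise ValueError(f"malformed sequence number in {text!r}")
    return CveId(int(year), int(seq))


def extract_cve_ids(text: str) -> list[CveId]:
    """Return the unique, well-formed CVE IDs mentioned in free text, sorted
    by year and sequence number. Malformed candidates are skipped."""
    found: set[CveId] = set()
    for m in _CVE_RE.finditer(text):
        try:
            found.add(parse_cve_id(m.group(0)))
        except ValueError:
            continue
    return sorted(found)


# Constructed sample advisory text; the IDs below are placeholders, not real CVEs.
SAMPLE_ADVISORY = """\
Constructed sample advisory (not a real notice).
Fixed in this release: cve-2024-0001 and CVE-2023-12345.
CVE-2023-12345 is also listed in the changelog. A truncated CVE-2024-001
and an over-padded CVE-2014-00001 appear here to show what is rejected.
"""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve)
```

Run as a script, the example prints the two valid IDs in canonical form and silently drops the two malformed ones; in a pipeline you would typically log the rejected candidates rather than discard them, so that a typo in an advisory does not hide a vulnerability from your tracking.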
What qualifies as a CVE?
According to the CVE Numbering Authority operational rules, CVE IDs are assigned to flaws that meet specific criteria. Flaws must:
- Be independently fixable. The flaw can be fixed independently of any other bugs.
- Be acknowledged by the affected vendor or documented. The software or hardware vendor acknowledges the bug's existence and confirms that it negatively impacts security. Alternatively, the reporter must have shared a vulnerability report that demonstrates both the negative impact of the bug and that it violates the security policy of the affected system.
- Affect only 1 codebase. If a flaw impacts more than 1 product, it gets a separate CVE for each product. In cases of shared libraries, protocols or standards, the flaw gets a single CVE only if there's no way to use the shared code without being vulnerable. Otherwise each affected codebase or product gets a unique CVE.
What is the Common Vulnerability Scoring System?
There are multiple ways to evaluate the severity of a vulnerability. One is the Common Vulnerability Scoring System (CVSS), a set of open standards for assigning a number to a vulnerability to assess its severity. The NVD, CERT, and others use CVSS scores to assess the impact of vulnerabilities. Scores range from 0.0 to 10.0, with higher numbers representing a higher degree of severity. Many security vendors have created their own scoring systems as well.
3 key takeaways
Know your deployments. Just because a CVE exists doesn’t mean the risk applies to your specific environment and deployment. Be sure to read each CVE to validate that it's relevant (wholly or partially) to your environment's operating system, application, modules, and configurations.
Practice vulnerability management. Vulnerability management is a repeatable process to identify, classify, prioritize, remediate, and mitigate vulnerabilities. This means understanding how a risk would apply to your organization so you can properly prioritize any outstanding vulnerabilities that need to be addressed.
Be ready to communicate. CVEs will impact your organization’s systems because of both the vulnerabilities themselves and any potential downtime required to address them. Communicate and coordinate with your internal customers, and share the vulnerabilities with any central risk-management function in your organization.
How Red Hat works with CVEs
As a major contributor to open source software, Red Hat is continuously engaged in the security community. Red Hat is a CNA and uses CVE IDs to track security vulnerabilities. Red Hat Product Security maintains an open and frequently updated database of security updates, which you can view by CVE number.
What is the Red Hat Security Data API?
Red Hat Product Security provides access to raw security data on the Red Hat Customer Portal and in a machine-consumable format with the Security Data API (application programming interface).
In addition to the security reports and metrics Red Hat produces, customers can use this raw data to produce their own metrics for their unique situations.
The data provided by the Security Data API includes OVAL (Open Vulnerability and Assessment Language) definitions, Common Vulnerability Reporting Framework (CVRF) documents, and CVE data. Data is available in XML or JSON format.