ELI5: What is CVE?
Every known security weakness gets its own ID number, like how every book in a library has a call number. This makes it easy to talk about the same problem without confusion.
Definition
CVE (Common Vulnerabilities and Exposures) is a public catalog of publicly disclosed cybersecurity vulnerabilities, each assigned a unique identifier of the form CVE-[YEAR]-[NUMBER] (e.g., CVE-2021-44228 for Log4Shell). The year is the year the ID was reserved or assigned, not necessarily the year the flaw was disclosed, and the number is a sequence of at least four digits of arbitrary length. The program is operated by MITRE and sponsored by the U.S. government (CISA); IDs are assigned by CVE Numbering Authorities (CNAs), which include MITRE, many vendors and research organizations. The result is a standardized naming convention that lets security tools, researchers, and organizations refer to the same vulnerability with a common identifier.
Key Details
- Each CVE record includes a description, affected product information, and references to vendor advisories; a CVSS severity score is not inherent to the record but may be supplied by the assigning CNA and is otherwise added by NVD
- CVE IDs allow security tools to communicate about vulnerabilities without ambiguity
- The National Vulnerability Database (NVD) enriches CVE data with CVSS scores and additional metadata
- Vulnerability scanners use CVE IDs to match findings to known vulnerabilities
- Zero-day vulnerabilities are those exploited or disclosed before the vendor has a fix available; whether a CVE ID has been assigned is a separate question, so a zero-day may have a freshly assigned CVE or none at all
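The ID syntax from the definition and the scanner matching described in the key details, as an added example (this is not code from the page or from the CVE program): it validates and normalizes CVE IDs, pulls every well-formed ID out of free text while ignoring look-alikes, and matches a dependency inventory against an advisory table keyed by CVE ID. The report text, the advisory table and the inventory are constructed sample data; Log4Shell (CVE-2021-44228) is the page's own example, and 2.15.0 is the log4j-core release that first addressed it. The version comparison is a simplified numeric one, not an ecosystem-aware comparator.

```python
import re
from typing import Dict, List, Tuple

# CVE ID syntax: "CVE-" + four-digit year + "-" + sequence number of at least
# four digits (arbitrary length). Matching is case-insensitive because scanner
# output and advisories often lower-case the prefix.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def normalize_cve_id(text: str) -> str:
    """Return the canonical upper-case form of one CVE ID, e.g.
    ' cve-2014-0160 ' -> 'CVE-2014-0160'. Leading zeros in a four-digit
    sequence are significant and are preserved. Raises ValueError otherwise."""
    m = CVE_ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a well-formed CVE ID: {text!r}")
    return f"CVE-{m.group(1)}-{m.group(2)}"


def parse_cve_id(text: str) -> Tuple[int, int]:
    """Return (year, sequence) as integers for a well-formed CVE ID."""
    canonical = normalize_cve_id(text)
    _, year, seq = canonical.split("-")
    return int(year), int(seq)


def extract_cve_ids(text: str) -> List[str]:
    """Return the unique, normalized CVE IDs mentioned in free text, ordered
    by (year, sequence). Malformed look-alikes such as a three-digit sequence
    do not match the regex and are dropped."""
    found = {f"CVE-{year}-{seq}" for year, seq in CVE_ID_RE.findall(text)}
    return sorted(found, key=parse_cve_id)


def _version_key(version: str) -> Tuple[int, ...]:
    """Simplified comparator for dotted numeric versions such as '2.14.1'.
    Real scanners use ecosystem-specific ordering (Maven, semver, RPM, ...)."""
    return tuple(int(part) for part in version.split("."))


def match_inventory(
    inventory: List[Tuple[str, str]],
    advisories: Dict[str, Tuple[str, str]],
) -> Dict[Tuple[str, str], List[str]]:
    """Map each (package, version) in the inventory to the CVE IDs whose
    advisory names that package with a version below the first fixed one."""
    hits: Dict[Tuple[str, str], List[str]] = {}
    for package, version in inventory:
        for cve_id, (adv_package, fixed_in) in advisories.items():
            if adv_package == package and _version_key(version) < _version_key(fixed_in):
                hits.setdefault((package, version), []).append(cve_id)
    return hits


# Constructed sample text: a scanner note that mentions one ID twice with
# different casing, plus a malformed reference that must be ignored.
SAMPLE_REPORT = """\
finding: log4j-core 2.14.1 affected by cve-2021-44228 (Log4Shell)
see also CVE-2021-44228 in the vendor advisory; ignore bogus ref CVE-2021-123
"""

# Constructed advisory table keyed by CVE ID: (package, first fixed version).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "CVE-2021-44228": ("log4j-core", "2.15.0"),
}

# Constructed inventory, as a dependency scanner would collect it.
INVENTORY: List[Tuple[str, str]] = [
    ("log4j-core", "2.14.1"),
    ("log4j-core", "2.17.1"),
    ("commons-text", "1.10.0"),
]


if __name__ == "__main__":
    print("IDs in report:", extract_cve_ids(SAMPLE_REPORT))
    print("affected:", match_inventory(INVENTORY, ADVISORIES))
```

The regex deliberately requires at least four digits after the year, so a truncated or mistyped reference is rejected rather than silently accepted; in a pipeline that keys findings by CVE ID, an accepted but wrong ID is worse than a parse error.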
Connections
- Parent: vulnerability-management — CVE is the universal identifier system for vulnerability tracking
- See also: cvss-common-vulnerability-scoring-system