Common Vulnerabilities and Exposures (CVE)
What is a CVE?
CVE stands for "Common Vulnerabilities and Exposures". It's a system that gives a unique name to publicly known cyber security issues. Think of it like a library catalog for computer bugs. Each CVE entry helps people talk about the same problem using the same name, so security teams around the world can stay on the same page.
CVE entries (called CVE Records) include an ID (like CVE-2024-1234: the "CVE" prefix, the year the ID was reserved or published, and a sequence number of at least four digits), a short description of the problem, and references to where more information can be found, such as the vendor advisory or the patch. The year is when the ID was assigned, not necessarily when the bug was introduced or discovered. These entries don't fix the issues - they just describe them so others can understand and respond. When a new vulnerability is found, especially one that could let an attacker break into a system, it's usually reported to the vendor or a numbering authority and given a CVE ID.
Having a central list of vulnerabilities helps security, IT, and DevOps teams track what risks are out there and what might need to be fixed.
The CVE Program is run by MITRE and sponsored by the U.S. government through CISA. IDs are not assigned centrally: CVE Numbering Authorities (CNAs) - software vendors, open-source projects, and research organisations authorised to assign IDs for products in their scope - reserve and publish entries, which is why a vendor's own advisory often carries the CVE ID before it appears anywhere else.
CVE vs CVSS
CVSS stands for the "Common Vulnerability Scoring System", maintained by FIRST. While CVE gives each vulnerability a name, CVSS tells you how serious it is. It uses a score from 0 to 10, where 10 is the most critical; in CVSS v3.x the bands are None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0).
Think of it like this: if CVE is the name of a storm, CVSS is the weather report that tells you how strong the storm is. Both are used together - CVE tells you what the problem is, and CVSS helps you decide how quickly you need to fix it. One caveat: the base score describes the technical severity of the flaw in isolation, not whether anyone is exploiting it or whether the vulnerable component is even reachable in your environment, so teams usually combine CVSS with exploitation data (such as CISA's KEV catalog, below) and their own exposure when prioritising.
CVE vs CWE
CWE stands for "Common Weakness Enumeration". It lists general types of problems (e.g. weak password requirements, or failing to sanitise input before building a query) that can lead to vulnerabilities, like leaving a door unlocked. CVE lists the actual events where that door was left open in a specific product and version; each CVE record is typically tagged with the CWE that describes its root cause, which is how you spot a product repeatedly shipping the same class of bug.
Best CVE databases
Several websites collect and organize CVE data:
- NVD (National Vulnerability Database): Maintained by NIST, a U.S. government agency, it enriches CVE records with CVSS scores, CWE tags, and CPE product identifiers that scanners use to match affected versions.
- CISA's Known Exploited Vulnerabilities (KEV) Catalog: A catalog of CVEs with reliable evidence of exploitation in the wild, each with a remediation due date for U.S. federal agencies; it is a strong prioritisation signal for everyone else too.
- cvemon: A free vulnerability intelligence platform that includes a CVE database, collates different data sources in one place, and features a "hype score" to highlight trending CVEs.
These databases help security teams research vulnerabilities, understand how they work, and determine whether their systems might be affected.
CVE scanning tools
CVE scanners, more typically known as vulnerability scanners, search systems for known vulnerabilities. They identify the software and versions you're running (from network fingerprints, or from installed packages when the scan is authenticated or agent-based) and compare them against lists of CVEs and their affected-version ranges to spot problems.
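The following is an added example, not code from the original page or from any scanner vendor. It ties together the earlier passages on CVE IDs and CVSS bands with the version-matching step described above: it validates the CVE-YYYY-NNNN ID shape, maps CVSS v3.x base scores to their severity bands, and matches a small software inventory against a feed of CVE records. The product names are fictional, the CVE IDs are placeholders rather than references to real advisories, and the feed format (one affected-version range per record) is a simplification of what NVD actually publishes, which uses CPE match strings and more complex range expressions.

```python
"""Miniature CVE matcher.

Added example, not code from the original page or from any scanner vendor.
It shows three things the text describes: the shape of a CVE ID, the CVSS
v3.x score-to-severity bands, and how a scanner compares installed versions
against a feed of CVE records with affected-version ranges.

All records below are constructed for illustration: the product names are
fictional and the CVE IDs are placeholders, not references to real advisories.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A CVE ID is "CVE-", a four-digit year, then a sequence number of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_valid_cve_id(cve_id: str) -> bool:
    """True if the string has the CVE-YYYY-NNNN(N...) shape (case-sensitive)."""
    return CVE_ID_RE.match(cve_id) is not None


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_version(version: str) -> tuple[int, ...]:
    """Split '2.4.49' into (2, 4, 49) so comparisons are numeric, not lexical.

    Lexically '1.10.0' < '1.9.3', which would produce wrong matches."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    product: str
    introduced: str        # first affected version (inclusive)
    fixed: str             # first fixed version (exclusive)
    cvss: float            # CVSS v3.x base score
    known_exploited: bool  # e.g. listed in CISA's KEV catalog


@dataclass(frozen=True)
class Finding:
    cve_id: str
    product: str
    installed: str
    cvss: float
    severity: str
    known_exploited: bool


def is_affected(record: CveRecord, installed: str) -> bool:
    """True if the installed version lies in [introduced, fixed)."""
    v = parse_version(installed)
    return parse_version(record.introduced) <= v < parse_version(record.fixed)


def scan(inventory: dict[str, str], feed: list[CveRecord]) -> list[Finding]:
    """Match an inventory {product: version} against the feed.

    Findings are ordered for triage: known-exploited first, then by CVSS."""
    findings: list[Finding] = []
    for rec in feed:
        if not is_valid_cve_id(rec.cve_id):
            raise ValueError(f"malformed CVE ID in feed: {rec.cve_id!r}")
        installed = inventory.get(rec.product)
        if installed is not None and is_affected(rec, installed):
            findings.append(Finding(rec.cve_id, rec.product, installed, rec.cvss,
                                    cvss_severity(rec.cvss), rec.known_exploited))
    findings.sort(key=lambda f: (not f.known_exploited, -f.cvss))
    return findings


# Constructed sample data (fictional products, placeholder CVE IDs).
INVENTORY = {"example-web": "2.4.49", "example-db": "10.2.0", "example-lib": "1.9.3"}
CVE_FEED = [
    CveRecord("CVE-2024-1234", "example-web", "2.4.0", "2.4.50", 9.8, True),
    CveRecord("CVE-2024-2345", "example-web", "2.4.0", "2.4.49", 7.5, False),   # fixed in 2.4.49
    CveRecord("CVE-2024-3456", "example-db", "10.0.0", "10.3.0", 5.3, False),
    CveRecord("CVE-2024-4567", "example-lib", "1.10.0", "1.11.0", 8.1, False),  # 1.9.3 predates it
]

if __name__ == "__main__":
    for f in scan(INVENTORY, CVE_FEED):
        kev = " [KEV]" if f.known_exploited else ""
        print(f"{f.cve_id}  {f.product} {f.installed}  CVSS {f.cvss} ({f.severity}){kev}")
```

Running it reports two findings: the Critical, known-exploited entry for example-web 2.4.49 first, then the Medium entry for example-db 10.2.0. The two non-findings are the instructive part: 2.4.49 is exactly the fixed version of the second record (the range is half-open), and 1.9.3 would wrongly match the example-lib range if versions were compared as strings, which is exactly the kind of mistake that produces noisy scanner output.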
Popular tools include:
- Intruder: Easy but powerful vulnerability scanning, including proactive protection from emerging threats, suitable for non-technical users
- OpenVAS: Free and open-source vulnerability scanning, ideal for small businesses with a limited internet footprint.
- Probely: Specializes in DAST web application and API vulnerability scanning.
- Acunetix: Provides both DAST and IAST web application vulnerability scanning.
- Tenable Nessus: Best for enterprises with a dedicated security team.
- Qualys: Offers an extensive feature set, suitable for large enterprises.
- Rapid7: Best for enterprise organizations managing IT risk compliance.
- Nuclei: Popular with bug bounty hunters, penetration testers, and security researchers.
These tools help businesses stay safe by finding weak spots before attackers do. They check for missing updates, misconfigurations, and known software bugs. Two caveats apply to any version-based scanner: distributions that backport a fix without changing the version number can show up as false positives, and software the scanner can't see (unmanaged hosts, containers, forgotten cloud instances) never appears at all, so an accurate asset inventory matters as much as the scan itself. Regular scans are a key part of strong cyber security.
Scan your environment for CVEs - get started today with a free trial.