CVE
From MRL Wiki
Common Vulnerabilities and Exposures (CVE) is a list of publicly known information-security vulnerabilities and exposures maintained by MITRE. CVE deliberately distinguishes itself from vulnerability databases: rather than storing detailed technical data about each issue, it assigns every publicly known vulnerability or exposure one standardized name and a short description, so that the many separate vulnerability databases, advisories and security tools can refer to the same issue by the same identifier. That common reference point lets a user correlate findings across products and data sources without the naming inconsistencies of individual vulnerability databases.
CVE Entries
Every vulnerability or exposure in CVE is assigned a unique identifier, its CVE name, of the form CVE-YYYY-NNNN: a four-digit year followed by a sequence number. The sequence number was fixed at four digits until 2014; since then it may be longer. Here is an example of a CVE entry:
Name: CVE-2001-0002
Description: Internet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs.
Status: Entry
Reference: MS:MS01-015
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-015.asp
Reference: BUGTRAQ:20001120 IE 5.x/Outlook allows executing arbitrary programs using .chm files and temporary internet files folder
Reference: MISC:http://www.guninski.com/chmtempmain.html
Reference: BID:2456
Reference: URL:http://www.securityfocus.com/bid/2456
Reference: OSVDB:7823
Reference: URL:http://www.osvdb.org/7823
Reference: OVAL:oval:org.mitre.oval:def:920
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:920
Reference: XF:ie-chm-execute-files(5567)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5567
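The record above is a flat run of "Field: value" pairs. The following Python, added here as an example and not taken from the MRL Wiki or from MITRE, parses such a record into a structure, validates CVE name syntax (including the longer sequence numbers allowed since 2014 and the legacy CAN- candidate prefix), groups the references by source, and performs the lookup by CVE name that the CVE Searchable requirement of the CVE Compatible section below describes. The sample input is the page's own CVE-2001-0002 record; the function and class names are this example's own.

```python
"""Parse a flat-text CVE record ("Field: value" pairs) into a structure,
validate CVE names, and look entries up by name (CVE Searchable).

Added example, not code from the MRL Wiki page or from MITRE.  The sample
record below is the page's CVE-2001-0002 entry embedded as input.
"""
import re
from dataclasses import dataclass, field

# CVE name syntax: prefix, four-digit year, sequence number.  Until 2014 the
# sequence was exactly four digits; since then it may be longer.  Candidates
# historically used a "CAN-" prefix with the same shape, so accept it too.
CVE_NAME_RE = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4,})$")

# Field labels that start a value in the flat record format.
FIELD_RE = re.compile(r"(Name|Description|Status|Reference):\s")


def is_valid_cve_name(name: str) -> bool:
    """True if `name` has well-formed CVE (or legacy CAN) syntax."""
    m = CVE_NAME_RE.match(name.strip())
    if not m:
        return False
    # CVE began in 1999; a year outside a sane range is a typo, not a CVE.
    return 1999 <= int(m.group(2)) <= 2100


@dataclass
class CveEntry:
    name: str
    description: str
    status: str                                    # "Candidate" or "Entry"
    references: list = field(default_factory=list)  # [(source, value), ...]

    def references_by_source(self) -> dict:
        """Group references by source tag (MS, BID, URL, OVAL, XF, ...)."""
        grouped: dict = {}
        for source, value in self.references:
            grouped.setdefault(source, []).append(value)
        return grouped


def parse_cve_entry(text: str) -> CveEntry:
    """Parse one flat record.  Raises ValueError on a missing mandatory
    field or a malformed CVE name, so bad records never enter an index."""
    # Collapse newlines and runs of spaces: the record may be on one line
    # or have one field per line.  After the split, parts alternates
    # label, value: ["", "Name", "CVE-2001-0002 ", "Description", ...].
    parts = FIELD_RE.split(" ".join(text.split()))
    fields = {"Name": None, "Description": None, "Status": None}
    refs = []
    for label, value in zip(parts[1::2], parts[2::2]):
        value = value.strip()
        if label == "Reference":
            # "SOURCE:identifier"; split on the first colon only, since
            # URLs and OVAL ids contain further colons.
            source, _, ident = value.partition(":")
            refs.append((source, ident))
        else:
            fields[label] = value
    missing = [k for k, v in fields.items() if v is None]
    if missing:
        raise ValueError(f"missing field(s): {', '.join(missing)}")
    if not is_valid_cve_name(fields["Name"]):
        raise ValueError(f"malformed CVE name: {fields['Name']!r}")
    return CveEntry(fields["Name"], fields["Description"],
                    fields["Status"], refs)


def find_entry(entries, query: str):
    """CVE Searchable lookup: case-insensitive match on the CVE name,
    treating a legacy CAN- name as the CVE- name it became on acceptance."""
    q = query.strip().upper()
    if q.startswith("CAN-"):
        q = "CVE-" + q[4:]
    for entry in entries:
        if entry.name.upper() == q:
            return entry
    return None


# Sample input: the CVE-2001-0002 record from the page, one field per line.
SAMPLE_ENTRY = """
Name: CVE-2001-0002
Description: Internet Explorer 5.5 and earlier allows remote attackers to
obtain the physical location of cached content and open the content in the
Local Computer Zone, then use compiled HTML help (.chm) files to execute
arbitrary programs.
Status: Entry
Reference: MS:MS01-015
Reference: URL:http://www.microsoft.com/technet/security/bulletin/MS01-015.asp
Reference: BUGTRAQ:20001120 IE 5.x/Outlook allows executing arbitrary programs using .chm files and temporary internet files folder
Reference: MISC:http://www.guninski.com/chmtempmain.html
Reference: BID:2456
Reference: URL:http://www.securityfocus.com/bid/2456
Reference: OSVDB:7823
Reference: URL:http://www.osvdb.org/7823
Reference: OVAL:oval:org.mitre.oval:def:920
Reference: URL:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:920
Reference: XF:ie-chm-execute-files(5567)
Reference: URL:http://xforce.iss.net/xforce/xfdb/5567
"""
```

Calling `parse_cve_entry(SAMPLE_ENTRY)` yields an entry whose `references_by_source()` has five URL references and one each for the other sources; `find_entry([entry], "can-2001-0002")` returns the same entry, because an accepted candidate kept its number and only the prefix changed. Rejecting records with a missing field or a malformed name at parse time is the check a practitioner wants before feeding vendor data into a CVE-keyed index.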
CVE Status
Before an individual vulnerability or exposure can appear on the CVE List, it must go through three stages of review:
- Submission - information about the vulnerability or exposure is collected from various sources and represented in a standardized format. The submission is then matched against other submissions and refined so that the same issue is not recorded twice. Finally the submission goes through an editing stage and receives Candidate status.
- Candidate stage - submissions that have passed the Submission stage are put to a vote by the Editorial Board, which decides whether to accept the entry, require modification, or reject it outright. Assigning a candidate number takes between one day and one month. (Historically a candidate carried the CAN- prefix, e.g. CAN-2001-0002; an accepted candidate kept its number and only the prefix changed to CVE-.)
- Entry stage - if the candidate is accepted by the Editorial Board, its status changes from Candidate to Entry and it is added to the CVE List. A typical candidate takes six months to a year to become an official CVE entry.
Editorial Board
MITRE created the CVE Editorial Board, which consists of commercial security tool vendors, members of academia, research institutions, government agencies, and other prominent security experts. The Board is the authority on which vulnerabilities or exposures are included in CVE, and it determines the common name and description for each entry.
CVE Compatible
The primary goal of the CVE List is to provide compatibility across different vulnerability databases. An individual database, tool, or service can be certified as CVE Compatible if it meets several requirements:
- CVE Searchable - a user can search using a CVE name to find related information.
- CVE Output - information presented to the user includes the related CVE name(s).
- CVE Mapping - the repository owner has provided a mapping relative to a specific version of CVE, and has made a good-faith effort to ensure the accuracy of that mapping.
- Documentation - the organization's standard documentation includes a description of CVE, of CVE compatibility, and of how its customers can use the CVE-related functionality of its product or service.
External Links
- http://cve.mitre.org/ - CVE official page
- http://cve.mitre.org/cve/ - CVE List
