The Common Vulnerabilities and Exposures (CVE) system identifies all vulnerabilities and threats related to the security of information systems. To do this, a unique identifier is assigned to each vulnerability.
Identifier format :
CVE-YYYY-NNNN (YYYY is the year of publication and NNNN a unique identifier number).
The aim is to create a dictionary that lists all the vulnerabilities with a brief description of each of them, as well as a set of links that users can view for more details. This database is proposed for consultation and maintained by the non-profit organization MITRE supported by the Department of Homeland Security of the United States. To view the CVEs, visit https://www.cve.mitre.org.
In the database of the CVE system we find the identifier of one of the last vulnerabilities that allowed a massive attack by ransomware (Wannacry): CVE-2017-0144. This is the identifier of the SMB protocol vulnerability, which is at the origin of the production lines shutdown of Renault. More than 200,000 computers were impacted in about 100 countries.
In this database we also find the identifier of one of the most important flaws of the last years: CVE-2014-0160. "Heardbleed" is the name of a security flaw found in OpenSSL open source software. For more information, see the article "HEARTBLEED OPENSSL : EXPLANATION AND EXPLOIT" written by one of our collaborators on our website.
First, it should be noted that CVE only concern software (CMS being considered as software). When a flaw is detected, it is called a "0 Day". This means that it has not been published or corrected. If the target company accepts the flaw, it can ask the MITRE to validate the CVE. If MITRE considerates that the software in question is widely used and supported it will validate the request of the company. It is also entitled to refuse. When the MITRE gives its consent, it provides a unique CVE identifier to the company which must in turn fill a form with a full description of the flaw. The company can get help from the person who put the flaw in evidence. Once completed, the form is returned to MITER in order to publish the flaw.
The two companies that publish the most CVE are Apple and Microsoft. For a company, publish a CVE is synonymous with transparency with consumers regarding their security policy.
There is also the Common Weakness Enumeration (CWE), which includes more specific categories of flaw so that companies can better understand how flaws affect their software. In this register we can find, for example, descriptions of the flaws XSS, CSRF, SQLi, …