CVEs

Common Vulnerabilities and Exposures is a standard to identify and categorize known vulnerabilities. They follow the structure CVE-YEAR-IDNUMBER. For example, the CVE-2017-0144 is associated with the famous exploit Etenalblue.

There are some sources where people can access these reported vulnerabilities, or know how they are measured and categorized. Here are some of them:

  • CVE Mitre: Provides a reference system for publicly known information security vulnerabilities and exposures

  • NVD: The National Vulnerability Database, managed by NIST, is a comprehensive database of vulnerability information, primarily based on CVE entries

  • CVSS Calculator: Online tool that helps to calculate the Common Vulnerability Scoring System (CVSS) score for a given vulnerability

  • NIST CVSS Calculator: Provided by NIST, enables users to calculate CVSS scores for vulnerabilities, offering a standardized approach to evaluating the potential impact of vulnerabilities

  • CVEdetails: Aggregates and displays information on CVEs, providing a detailed breakdown of the vulnerability, and being a useful tool for analyzing security risks and trends across different software and hardware products

CVSS

The Common Vulnerability Scoring System is an industry standard for categorizing the severity associated with an issue calculating a score that consists of the exploitability and impact of an issue. This calculation is based on three principal groups of metrics:

https://www.first.org/cvss/v3-1/media/MetricGroups.svg

  • Base Metric Group: Represents the vulnerability characteristics and consists of exploitability metrics which are a way to evaluate the technical means needed to exploit the issue, and impact metrics which represent the repercussions of successfully exploiting an issue and what is impacted in an environment based on the CIA triad

  • Temporal Metric Group: Details the availability of exploits or patches regarding the issue. Consists of the exploit code maturity which represents the probability of an issue being exploited based on ease of exploitation techniques, the remediation level used to identify the prioritization of a vulnerability, and the report confidence represents the validation of the vulnerability and how accurate the technical details of the issue are

  • Environmental Metric Group: Represents the significance of the vulnerability of an organization, taking into account the CIA triad. It uses the modified base metrics which represent the metrics that can be altered if the affected organization deems a more significant risk in confidentiality, integrity, and availability to their organization

PreviousVulnerabilitiesNextCyberattacks

Last updated