CVE (Common Vulnerabilities and Exposures)
A CVE is a unique ID given to a known security vulnerability, like a case number for a bug. When a security flaw is discovered in software (a bug in Windows, a hole in a web framework, a weakness in a router’s firmware), it gets assigned a CVE number (like CVE-2024-3094). This lets everyone (vendors, security teams, news outlets) refer to the exact same vulnerability without confusion. It is the standard way the security industry tracks and discusses flaws.
Common Vulnerabilities and Exposures (CVE) is a standardized naming system for publicly disclosed cybersecurity vulnerabilities, maintained by the MITRE Corporation and funded by the US Cybersecurity and Infrastructure Security Agency (CISA).
CVE identifier format: CVE-YYYY-NNNNN (year of assignment + sequential number, 5+ digits since 2014).
CVE lifecycle:
- Discovery: researcher or vendor finds a vulnerability
- CNA assignment: a CVE Numbering Authority (CNA) reserves an ID. Major CNAs: MITRE, Microsoft, Google, Red Hat, GitHub.
- Coordination: vendor is notified and develops a patch (responsible disclosure period, typically 90 days)
- Publication: CVE details are published in the NVD (National Vulnerability Database) with description, affected products, and CVSS score
- Remediation: organizations patch or mitigate
CVSS (Common Vulnerability Scoring System):
| Score | Severity | Action |
|---|---|---|
| 9.0-10.0 | Critical | Patch immediately |
| 7.0-8.9 | High | Patch within days |
| 4.0-6.9 | Medium | Patch within weeks |
| 0.1-3.9 | Low | Patch in next cycle |
CVSS v3.1 considers: attack vector (network/adjacent/local/physical), attack complexity, privileges required, user interaction, scope, and CIA impact (confidentiality, integrity, availability).
CISA KEV (Known Exploited Vulnerabilities): a catalog of CVEs actively being exploited in the wild. Federal agencies must remediate KEV entries within specified timelines. Critical prioritization resource for all organizations.
Querying CVE databases

```bash
# Search NVD for recent critical vulnerabilities
$ curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?\
cvssV3Severity=CRITICAL&resultsPerPage=3" | \
jq '.vulnerabilities[].cve | {id, published, description: .descriptions[0].value[:100]}'

# Check if your system has a specific CVE patched
$ dpkg -l | grep -E 'xz-utils|liblzma'   # Check xz/liblzma version (CVE-2024-3094)
$ rpm -q --changelog openssl | grep CVE | head -5

# Scan installed packages for known CVEs (Debian/Ubuntu)
$ sudo apt install debsecan
$ debsecan --suite bookworm --only-fixed
CVE-2024-1234 openssl - fixed in 3.0.13-1
CVE-2024-5678 curl - fixed in 8.5.0-2

# Scan npm dependencies for known CVEs
$ npm audit
found 3 vulnerabilities (1 moderate, 2 high)
run `npm audit fix` to fix 2 of them
```

CVEs are the shared language of vulnerability management. When a critical CVE drops (Log4Shell/CVE-2021-44228, XZ backdoor/CVE-2024-3094), security teams worldwide race to assess exposure and patch. Vulnerability scanners (Nessus, Qualys, Trivy) map installed software to CVE databases to identify unpatched systems. Compliance frameworks require documented vulnerability management programs with defined patching timelines based on CVSS severity. The CISA KEV catalog is particularly valuable: if a CVE is on the KEV list, it is actively being exploited and should be prioritized above its CVSS score alone. For developers, npm audit, pip-audit, and Trivy scan project dependencies against CVE databases, catching vulnerable libraries before they reach production.
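The triage rule just described (KEV membership first, then the CVSS bands from the table above) as an added Python example that is not part of the original entry. It validates the CVE identifier format, reads CVSS v3.1 base scores from records shaped like the NVD API 2.0 response the curl command above returns, and orders the findings; the sample records and the KEV set are constructed for the example (only CVE-2021-44228's 10.0 score is the real value).

```python
import re
# CVE identifier format described above: CVE-YYYY- followed by four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Severity bands and recommended actions, taken from the CVSS table above.
SEVERITY_BANDS = [
    (9.0, "Critical", "Patch immediately"),
    (7.0, "High", "Patch within days"),
    (4.0, "Medium", "Patch within weeks"),
    (0.1, "Low", "Patch in next cycle"),
]

def severity_for(score):
    """Map a CVSS base score to the (severity, action) band from the table."""
    for floor, label, action in SEVERITY_BANDS:
        if score >= floor:
            return label, action
    return "None", "No action"

def base_score(cve):
    """Read the CVSS v3.1 base score from an NVD API 2.0 'cve' object, or None."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    return metrics[0]["cvssData"]["baseScore"] if metrics else None

def triage(nvd_response, kev_ids):
    """Order findings KEV-first, then by descending CVSS score; reject malformed ids."""
    findings = []
    for item in nvd_response["vulnerabilities"]:
        cve_id = item["cve"]["id"]
        if not CVE_ID_RE.match(cve_id):
            raise ValueError(f"malformed CVE id: {cve_id}")
        score = base_score(item["cve"])
        label, action = severity_for(score) if score is not None else ("Unscored", "Assess manually")
        in_kev = cve_id in kev_ids
        if in_kev:  # KEV membership outranks the CVSS band, as the text above says
            action = "Patch immediately (CISA KEV)"
        findings.append({"id": cve_id, "score": score, "severity": label, "kev": in_kev, "action": action})
    return sorted(findings, key=lambda f: (not f["kev"], -(f["score"] or 0)))

# Constructed sample shaped like an NVD API 2.0 response; only CVE-2021-44228's 10.0 score
# is the real value, the other scores and the KEV set are made up for this example.
SAMPLE_NVD = {"vulnerabilities": [
    {"cve": {"id": "CVE-2024-5678", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-2024-1234", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-2021-44228", "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 10.0}}]}}},
]}
SAMPLE_KEV = {"CVE-2021-44228", "CVE-2024-1234"}

if __name__ == "__main__":
    for f in triage(SAMPLE_NVD, SAMPLE_KEV):
        print(f"{f['id']:16} {str(f['score']):5} {f['severity']:9} KEV={f['kev']!s:5} {f['action']}")
```

Note that the KEV entry scored 7.5 is ordered ahead of the non-KEV 9.8, which is the prioritization the entry recommends.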