You have probably heard or seen these terms alongside the word vulnerability. Today we will take a look at them and discuss what each one is for. They are all terms related to vulnerability analysis.
Let's begin:
1. CVE (Common Vulnerabilities and Exposures): Security professionals use CVEs to record and share information about known vulnerabilities.
Vulnerabilities are made public so that people become aware of them. Over the years CVE has emerged as an accepted standard for keeping vulnerability information centralised. CVE is maintained by the MITRE Corporation.
In the CVE system each vulnerability is given a CVE ID. Its format is CVE-YYYY-NNNN, where YYYY is the year the vulnerability was discovered and NNNN is a sequence number that is used only once within that year. The CVE ID is granted by a CVE Numbering Authority (CNA).
The researcher submits the vulnerability to a CNA with all the details, and the CNA decides whether it should be published or not.
You can search CVEs here: https://cve.mitre.org/cve/search_cve_list.html
2. CWE (Common Weakness Enumeration): This system is used to classify different types of vulnerabilities.
It helps in vulnerability assessment. CWE is a list of common software and hardware weaknesses. Each weakness is given a CWE ID as its identifier, which consists of the prefix CWE followed by a number, e.g. CWE-22.
You can see all CWEs here: https://cwe.mitre.org/index.html
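As an added example (not code from the original post), here is a small Python helper that validates and normalises the two identifier formats described above, and pulls them out of free text such as a scanner report so that the same finding written as "cve-2023-12345" and "CVE-2023-12345" is only counted once. The regular expressions, function names and the sample report lines are my own; the CVE number in the sample is a constructed placeholder, not a real entry. It goes slightly beyond the post in accepting CVE sequence numbers longer than four digits, which the CVE ID syntax has allowed since 2014.

```python
import re

# Added example patterns (not from the post). CVE IDs are CVE-YYYY-NNNN with a
# four-digit year and a sequence number of at least four digits (longer sequence
# numbers are allowed since the 2014 syntax change); CWE IDs are "CWE-" + number.
CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")
CWE_RE = re.compile(r"^CWE-(?P<num>\d+)$")
ANY_ID_RE = re.compile(r"\b(?:CVE-\d{4}-\d{4,}|CWE-\d+)\b", re.IGNORECASE)

# Constructed scanner output for illustration only; CVE-2023-12345 is a placeholder.
SAMPLE_REPORT = (
    "host-a: cve-2023-12345 (CWE-22) path traversal in upload handler\n"
    "host-b: CVE-2023-12345 (cwe-22) same issue, second host\n"
)


def normalize(raw):
    """Canonical form: trimmed and upper-cased, so case and stray whitespace
    do not make one identifier look like two different ones."""
    return raw.strip().upper()


def parse_id(raw):
    """Return a dict describing a CVE or CWE identifier, or raise ValueError."""
    ident = normalize(raw)
    m = CVE_RE.match(ident)
    if m:
        return {"type": "CVE", "id": ident,
                "year": int(m.group("year")), "sequence": int(m.group("seq"))}
    m = CWE_RE.match(ident)
    if m:
        return {"type": "CWE", "id": ident, "number": int(m.group("num"))}
    raise ValueError("not a CVE or CWE identifier: %r" % raw)


def is_valid_id(raw):
    """True if parse_id() accepts the identifier."""
    try:
        parse_id(raw)
        return True
    except ValueError:
        return False


def extract_ids(text):
    """Every CVE/CWE identifier mentioned in free text, normalised and
    de-duplicated, in order of first appearance."""
    seen = []
    for found in ANY_ID_RE.findall(text):
        ident = normalize(found)
        if ident not in seen:
            seen.append(ident)
    return seen


if __name__ == "__main__":
    for ident in extract_ids(SAMPLE_REPORT):
        print(parse_id(ident))
```

Running the script prints one parsed record per distinct identifier in the sample report; in a real pipeline the normalised id is the key you would use to look up the entry in the CVE or CWE database linked above.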
3. CVSS (Common Vulnerability Scoring System): It is used to calculate the risk of a vulnerability. Professionals use it to rate the risk related to a software vulnerability, but it can also rate vulnerabilities in firmware and hardware.
CVSS history:
CVSS v1 (2005), CVSS v2 (2007), CVSS v3 (2015), CVSS v3.1 (2019) and CVSS v4.0 (2023).
CVSS 3.1 is widely used for scoring.
A CVSS score is calculated from several metrics.
You can use the CVSS calculator here: https://www.first.org/cvss/calculator/3.1