Vulnerability Management Glossary

CVE

Common Vulnerabilities and Exposures—a public repository of known security vulnerabilities in software and hardware, each identified by a unique CVE ID.

CVE (Common Vulnerabilities and Exposures) is a standardized registry of publicly known information security vulnerabilities, operated by MITRE Corporation and funded by the U.S. Department of Homeland Security.

CVE ID Format

Each vulnerability is assigned a unique identifier in the format CVE-[year]-[number]:

  • CVE-2021-44228 - Log4Shell (critical vulnerability in Apache Log4j)
  • CVE-2017-0144 - EternalBlue (exploited by WannaCry)
  • CVE-2023-44487 - HTTP/2 Rapid Reset (DoS vulnerability)

CNA and NVD

CVE Numbering Authorities (CNA): Over 300 organizations worldwide (including Microsoft, Google, Red Hat, and BSI) are authorized to assign CVE IDs. A vendor CNA assigns IDs for vulnerabilities in its own products.

National Vulnerability Database (NVD): NIST enriches CVE entries with CVSS scores, CWE classifications, and CPE information. The NVD is the primary source for automated vulnerability management.

Implications for Businesses

Effective patch management relies on CVE tracking:

  1. Subscribe to CVE feeds (NVD, vendor advisories, BSI alerts)
  2. Identify affected assets (asset inventory + CMDB)
  3. Assess CVSS score and exploitability
  4. Deploy patches according to priority
  5. Verify remediation
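
The workflow above, from feed record to patch priority, as an added Python example (not code from this glossary or from NVD). It validates CVE IDs against the CVE-[year]-[number] format, matches constructed NVD-style advisories against a constructed CMDB extract by CPE, and orders the findings by known exploitation and CVSS base score; the feed records, CPE strings and host names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed, simplified advisory records in the spirit of an NVD feed (not real feed data).
ADVISORIES = [
    {"id": "CVE-2021-44228", "cvss": 10.0, "cpe": "cpe:2.3:a:apache:log4j", "exploited": True},
    {"id": "CVE-2023-44487", "cvss": 7.5, "cpe": "cpe:2.3:a:nginx:nginx", "exploited": True},
    {"id": "CVE-2017-0144", "cvss": 8.1, "cpe": "cpe:2.3:o:microsoft:windows_server_2008", "exploited": True},
    {"id": "CVE-2099-1", "cvss": 9.8, "cpe": "cpe:2.3:a:example:app", "exploited": False},  # malformed ID, constructed
]
# Constructed asset inventory / CMDB extract: hostname -> installed products as CPE names.
INVENTORY = {
    "web-01": ["cpe:2.3:a:nginx:nginx", "cpe:2.3:o:linux:linux_kernel"],
    "app-02": ["cpe:2.3:a:apache:log4j", "cpe:2.3:a:oracle:jdk"],
}

# CVE-[year]-[number]; since 2014 the sequence part has four or more digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id):
    """Return (year, sequence) for a well-formed CVE ID, otherwise None."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


@dataclass
class Finding:
    cve_id: str
    host: str
    cvss: float
    exploited: bool


def prioritize(advisories, inventory):
    """Steps 2-4: match advisories to affected assets, then rank findings with
    known-exploited issues first and higher CVSS base score next.
    Exact CPE equality is used here; real matching must also honour version ranges."""
    findings = []
    for adv in advisories:
        if parse_cve_id(adv["id"]) is None:
            continue  # drop records whose ID does not follow the CVE format
        for host, products in inventory.items():
            if adv["cpe"] in products:
                findings.append(Finding(adv["id"], host, adv["cvss"], adv["exploited"]))
    return sorted(findings, key=lambda f: (f.exploited, f.cvss), reverse=True)


if __name__ == "__main__":
    for f in prioritize(ADVISORIES, INVENTORY):
        print(f"{f.cve_id:16} {f.host:8} CVSS {f.cvss:4} exploited={f.exploited}")
```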

Through CERT-Bund, the BSI operates its own alert service for critical CVEs relevant to Germany.