CVE (Common Vulnerabilities and Exposures) is a standardised public catalogue that uniquely identifies and records publicly known computer security vulnerabilities.
Each CVE entry is a normalised reference including:
- A unique identifier (e.g. CVE-2024-12345).
- A technical description of the vulnerability.
- References (links to advisories, patches, analyses).
🎯 Objective: serve as a universal language for identifying security flaws unambiguously, making it easier for researchers, vendors and organisations to share information.
Differences between CVE and CVSS
Criteria | CVE | CVSS |
---|---|---|
Nature | Vulnerability identifier. | Scoring system that assesses severity. |
Function | Answers "What is the flaw?". | Answers "How serious is it?". |
Format | Text ID (e.g. CVE-2024-12345). | Numerical score (e.g. 9.8 Critical) derived from a metric vector string. |
Governance | Managed by the MITRE Corporation, with partner organisations (CVE Numbering Authorities) that assign IDs. | Managed by FIRST (Forum of Incident Response and Security Teams). |
Use | A common reference for a flaw. | Helps prioritise patches. |
In a nutshell:
- CVE = "What is the flaw?" → the vulnerability's identity card.
- CVSS = "How dangerous is it?" → the Richter scale of cyber risk.
Example
- CVE-2014-0160 (Heartbleed):
  - Description: vulnerability in OpenSSL's TLS heartbeat extension allowing part of a server's (or client's) memory to be read remotely.
  - CVSS v3.1 score: 7.5 (High).
  - Attack vector: Network (AV:N), no privileges or user interaction required (AC:L/PR:N/UI:N).
  - Impact: information disclosure only (C:H/I:N/A:N); integrity and availability are not affected, which is why the score stays below Critical.
Complementarity
- CVE + CVSS = a complete alert:
  - The CVE identifies what vulnerability exists (e.g. CVE-2023-4863).
  - The CVSS says how dangerous it is (score 8.8 = High).
- Case study:
  - A company consults the CVE database to check whether its systems are affected.
  - It uses the CVSS score to decide whether the flaw must be fixed urgently.
Issues
- CVE:
  - Completeness: delays in recording vulnerabilities, especially zero-days that are exploited before an identifier is assigned.
  - Quality: descriptions are sometimes too technical for non-experts.
- CVSS:
  - Subjectivity: scores may vary depending on how the metrics are interpreted.
  - Limitations: the base score does not always reflect the real risk in context (hence the importance of the Environmental metrics, which adjust the score to the affected system).
🔧 Associated tools
- CVE databases such as NVD (National Vulnerability Database), which enriches CVE entries with CVSS scores.
- Online CVSS calculators (e.g. the NVD CVSS calculator).