CVE

A CVE (Common Vulnerabilities and Exposures) refers to a security vulnerability that has been assigned an identifier. For each CVE, there will be a short description of the vulnerability or security hole as well as links to reports and advisories. The site cve.mitre.org lists all known security vulnerabilities. CVEs help professionals coordinate their efforts to prioritize and resolve vulnerabilities, thereby increasing the security of IT systems.

CVE identifiers

CVE identifiers are of the form CVE-AAAA-NNNNN with AAAA the year of publication and NNNNN an identifier number.

More details

As we have seen, a CVE entry has a minimalist content. To go further, a database called NVD (National Vulnerability Database) has been developed (nvd.nist.gov). This allows you to assign a CVSS rating to a CVE, to add relationships with the CWE (Common Weakness Enumeration) and CAPEC (Common Attack Pattern Enumeration and Classification) databases.

The most exploited CVE in 2020

• CVE-2019-19781 (score CVSS : 9,8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability
• CVE-2019-11510 (score CVSS : 10,0) - Pulse Connect Secure arbitrary file reading vulnerability
• CVE-2018-13379 (score CVSS : 9,8) - Fortinet FortiOS path traversal vulnerability leading to system file leak
• CVE-2020-5902 (score CVSS : 9,8) - F5 BIG-IP remote code execution vulnerability
• CVE-2020-15505 (score CVSS : 9,8) - MobileIron Core & Connector remote code execution vulnerability
• CVE-2020-0688 (score CVSS : 8,8) - Microsoft Exchange memory corruption vulnerability
• CVE-2019-3396 (score CVSS : 9,8) - Atlassian Confluence Server remote code execution vulnerability
• CVE-2017-11882 (score CVSS : 7,8) - Microsoft Office memory corruption vulnerability
• CVE-2019-11580 (score CVSS : 9,8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability
• CVE-2018-7600 (score CVSS : 9,8) - Drupal remote code execution vulnerability
• CVE-2019-18935 (score CVSS : 9,8) - Telerik .NET deserialization vulnerability resulting in remote code execution
• CVE-2019-0604 (score CVSS : 9,8) - Microsoft SharePoint remote code execution vulnerability
• CVE-2020-0787 (score CVSS : 7,8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability
• CVE-2020-1472 (score CVSS : 10,0) - Windows Netlogon elevation of privilege vulnerability

Example of a CVE