The CVE glossary contains a list of entries, each including a unique ID number, public reference, and description. Each CVE refers to a specific exposure or vulnerability, defined as follows:
- A security vulnerability—an error in software code that provides threat actors with direct access to a network or system. Direct access enables actors to act as superusers or system administrators with full privileges.
- An exposure—a flaw that provides a threat actor with indirect access to a system or network. Indirect access enables actors to collect information.
The CVE project provides a system for identifying and managing exposures and vulnerabilities. Here is how a CVE listing is created:
- A developer, organization, or code author identifies an exposure or vulnerability.
- The CVE Numbering Authority (CNA) specifies the CVE ID number for the exposure or vulnerability.
- The CNA writes a brief description of the specific issue and includes references. The description
- The final CVE entry is added to the CVE glossary and posted on the CVE website.
Note that CVE descriptions don’t include technical information, details about fixes, or data about specific effects of the flaw. This information is offered by databases such as the US NVD (National Vulnerability Database) and the CERT/CC Vulnerability Notes Database. The NVD provides CVSS-based scores, information on fixes, and other details required for mitigation.
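The split described above, a CVE entry carrying only an ID, references and a description while the severity comes from the NVD, can be shown in code. The following is an added example, not code from the CVE project or the NVD; the NVD record layout it reads (metrics.cvssMetricV31[].cvssData.baseScore) is modelled on the NVD API 2.0 JSON and is an assumption, and all IDs and records are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# CVE ID syntax: "CVE-" + four-digit year + a sequence number of at least four digits
# (the sequence may grow beyond four digits; IDs were first assigned in 1999).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

@dataclass
class CveEntry:
    """The three fields a CVE glossary entry carries: ID, references, description."""
    cve_id: str
    description: str
    references: List[str] = field(default_factory=list)

def is_valid_cve_id(cve_id: str) -> bool:
    m = CVE_ID_RE.match(cve_id)
    return bool(m) and int(m.group(1)) >= 1999

def cvss_base_score(nvd_record: dict) -> Optional[float]:
    """Read the CVSS v3.1 base score from an NVD-style record, or None if it has none.
    Assumed layout (modelled on NVD API 2.0): metrics.cvssMetricV31[].cvssData.baseScore."""
    metrics = nvd_record.get("metrics", {}).get("cvssMetricV31", [])
    scores = [m["cvssData"]["baseScore"] for m in metrics if "cvssData" in m]
    return max(scores) if scores else None

def prioritize(entries: List[CveEntry], nvd_by_id: Dict[str, dict]) -> List[Tuple[str, Optional[float]]]:
    """Join glossary entries to NVD data by ID and order them for mitigation:
    highest CVSS first, entries the NVD has not scored yet last, malformed IDs dropped."""
    rows = []
    for e in entries:
        if not is_valid_cve_id(e.cve_id):
            continue  # a malformed ID cannot be joined to any database
        rows.append((e.cve_id, cvss_base_score(nvd_by_id.get(e.cve_id, {}))))
    return sorted(rows, key=lambda r: (r[1] is None, -(r[1] or 0.0)))

# Constructed sample data: placeholder IDs and records, not real CVEs.
SAMPLE_ENTRIES = [
    CveEntry("CVE-2024-0001", "Out-of-bounds write in a parsing routine", ["https://example.com/adv/1"]),
    CveEntry("CVE-2024-0002", "Verbose error page reveals internal hostnames"),
    CveEntry("CVE-24-1", "Malformed ID, should be rejected"),
]
SAMPLE_NVD = {
    "CVE-2024-0001": {"id": "CVE-2024-0001",
                      "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}}]}},
    "CVE-2024-0002": {"id": "CVE-2024-0002", "metrics": {}},  # not yet analysed by the NVD
}
```

Calling `prioritize(SAMPLE_ENTRIES, SAMPLE_NVD)` yields the scored entry first and the unscored one last, which is why a CVE ID alone is not enough to decide mitigation order.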