Common Vulnerability & Exposures (CVE)

Recently a news came up, that a bug hunter named Bhavuk Jain, has found a bug inside the “sign in with apple” auth request made by different third party application. This bug allowed the user’s full apple account takeover. The apple is the one of the most secured multi-national brand, and has always focused on the security of it’s users. When bhavuk found this bug and reported it to the apple, he was rewarded with a bounty of $100,000, after the bug was fixed and CVE was allocated to it.

So today’s article is gonna be about what actually are CVEs…

What is CVE & CVE identifiers?

CVE Identifiers are unique, common identifiers for publicly known information security vulnerabilities. Each CVE Identifier includes all of the following:

  • CVE identifier number.
  • Indication of “entry” or “candidate” status.
  • Brief description of the security vulnerability or exposure.
  • Any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID).
  • CVE Identifiers are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE Identifiers.

How is CVE is allocated to the vulnerability?

With my experience, I have noticed CVE approach is to create separate CVE Entries for independently fixable vulnerabilities, except when they are the result of a library, protocol, or standard, but some evil minds may think of it as a database to get records of previous vulnerabilities. CVE List Rules are the guidelines the CVE Program uses to ensure that CVE Entries are created in a consistent fashion, independent of which CNA is doing the creation, include the following: CVE Counting Rules, CVE Information Format, and Process to Correct Counting Issues.

Why CVEs are important?

So think for a moment that we don’t have CVEs, then how are we gonna manage the vulnerability inside the systems, and more importantly how are we gonna link it to the history of patches and changes made to the service/software/site/system. Well, clearly we need CVEs as much as we want nobody to hack our systems or digital banking accounts.

Nehh, just a n00b

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store