What Are Software Vulnerabilities and CVEs?

An introduction to software vulnerabilities and vulnerability documentation through the CVE Program
Michelle McAveety

A software vulnerability is a weakness in a program which, if left unaddressed, may be used by attackers to access, manipulate, or compromise a computer system. Vulnerabilities can be introduced at different stages of development and vary in their scope, criticality, and potential attack vector depending on their root cause. As a consequence, software developers spend time and resources triaging, remediating, and patching vulnerabilities to harden their software security and to prevent attackers from exploiting unintended program behavior.

With software supply chain attacks on the rise, it is essential that developers and other technology professionals become knowledgeable about software vulnerabilities. Staying on top of the latest threats helps protect against targeted cyber attacks, ensuring the safety of important information and computer systems.

Understanding software vulnerabilities is the first step in mitigating them and improving the security of the software you consume, develop, and release. In this article, you will be introduced to software vulnerabilities, see examples of their causes and impacts, and learn how known vulnerabilities are documented through the CVE Program.

What Makes a Vulnerability?

Any party, process, or other input (like a dependency or package) involved in software production can introduce vulnerabilities into the final release. When third-party inputs used in development have software vulnerabilities, the resulting product may be impacted by them as well. Alternatively, developers writing their own code may unintentionally introduce vulnerabilities to a project through their programming, processes, or habits.

If left unresolved, software weaknesses can become vulnerabilities if hackers are able to exploit them via an attack. For example, not conducting input validation in a program could allow unfiltered or malicious input to affect the program, creating an improper input validation vulnerability. A notorious example of this is the Log4Shell vulnerability, which impacted many systems that used the Log4j logging utility.

Attackers may target software vulnerabilities if they see an opportunity to compromise sensitive data or systems for their own benefit. They may choose to prioritize some vulnerabilities over others depending on how lucrative and accessible the opportunity is.

Malicious actors can approach a vulnerability from different attack vectors depending on the weakness type being targeted. In some cases, attack vectors are easier to reach, meaning less leverage is required to expose and exploit the software’s weaknesses.

The CVE Program

Founded by the MITRE Corporation in 1999, the CVE Program was established with the goal of collecting and documenting information about known vulnerabilities in software products. CVE stands for Common Vulnerabilities and Exposures, and CVEs are records of publicly disclosed software vulnerabilities. Over time, the program catalog has expanded to include over 200,000 software vulnerabilities, with more being added every day.

The CVE Program is supported by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA). In addition, the CVE Program feeds the U.S. National Vulnerability Database (NVD), which provides additional information for each CVE entry.

What Is a CVE?

A CVE entry represents a known weakness in a software product and contains information to help address any potential risks to the integrity of a system caused by the vulnerability. Each CVE is assigned a unique CVE ID and is recorded with a description of the vulnerability, a list of affected software releases, any relevant references, and other pertinent information.

CVE Numbering Authorities (CNAs) are the entities responsible for assigning CVE IDs. CNAs can be software vendors, research groups, open source sponsors, and similar organizations. When a new vulnerability is discovered and reported to a CNA, the CNA will request that a CVE ID be reserved for it. Once the ID is reserved, details are added to the CVE record and the entry is published to the database.

While the CVE Program database functions on its own to communicate known vulnerabilities to developers, a variety of related efforts provide additional information and context to support the database.

  • The Common Vulnerability Scoring System, or CVSS, is a metric which helps assess the severity of any given vulnerability and serves as a tool for developers who are determining which CVEs to address first.

  • MITRE also supports the Common Weakness Enumeration, or CWE, an effort similar to the CVE Program. The CWE catalogs product-unspecific types of software weaknesses which may produce vulnerabilities if present in a program.

  • The U.S. National Vulnerability Database (NVD) connects to the CVE database to provide further information regarding CVE entries. The NVD provides additional references and public advisories regarding each vulnerability. It also connects each CVE with a CVSS score, links a vulnerability’s associated CWE(s), and reports whether it is in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
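
To show how the CVE ID, CVSS score, CWE, and KEV status fit together when deciding which CVEs to address first, here is an added example (not from the original article or the CVE Program). The records are constructed, the `Finding` type and function names are hypothetical, and ordering known-exploited entries ahead of CVSS score is one possible policy assumed for this example.

```python
import re
from dataclasses import dataclass

# A CVE ID is "CVE-", a 4-digit year, "-", then a sequence of 4 or more digits.
CVE_ID_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")

def parse_cve_id(cve_id):
    """Return (year, sequence) for a well-formed CVE ID, else raise ValueError."""
    m = CVE_ID_RE.fullmatch(cve_id)
    if m is None:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))

def severity(score):
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    for limit, label in ((4.0, "Low"), (7.0, "Medium"), (9.0, "High")):
        if score < limit:
            return label
    return "Critical"

@dataclass
class Finding:  # hypothetical record type for this example
    cve_id: str
    cvss: float
    cwe: str
    in_kev: bool  # listed in the KEV catalog

def triage(findings):
    """Validate each record, then order: KEV-listed first, then highest CVSS."""
    for f in findings:
        parse_cve_id(f.cve_id)
        severity(f.cvss)
    # Assumed policy: evidence of exploitation outranks a higher score.
    return sorted(findings, key=lambda f: (not f.in_kev, -f.cvss, f.cve_id))

# Constructed sample records; these IDs are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-2099-0001", 9.8, "CWE-20", False),
    Finding("CVE-2099-0002", 7.5, "CWE-79", True),
    Finding("CVE-2099-10003", 5.3, "CWE-20", False),
    Finding("CVE-2099-0004", 6.1, "CWE-79", True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.cve_id, f.cvss, severity(f.cvss), f.cwe, "KEV" if f.in_kev else "-")
```
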

Learn More

In this article, you were introduced to software vulnerabilities, learned about their characteristics, and saw how they are tracked in the CVE Program catalog. This understanding will help you to start triaging and addressing vulnerabilities present in the software you produce or consume to limit the potential for attackers to successfully exploit your systems.

To learn more about software vulnerabilities, you can visit the CVE Program website, explore the NVD, or take a look at the KEV catalog.

You can also check out our other articles on why you should care about vulnerabilities in your software, infamous software vulnerabilities, and our guide to addressing vulnerabilities in your software.