
Lesson for Today: CVEs

March 06, 2024 · 2 min read

What are CVEs?

CVE stands for Common Vulnerabilities and Exposures

NVD stands for National Vulnerability Database

Currently, there are over 200,000 CVE records available in the NVD.

CVEs are given a rating using the Common Vulnerability Scoring System (CVSS). The base score is derived from six metrics, which combine into a severity score from 0 to 10. These metrics are:

  • Access vector – How the vulnerability can be exploited (e.g., locally or remotely over the network). Remote exploitation scores higher.

  • Attack complexity – How difficult the vulnerability is to exploit. The more difficult, the lower the score.

  • Authentication – How many times an attacker has to present authentication credentials to exploit the vulnerability. The higher the number, the lower the score.

  • Confidentiality – How much sensitive data an attacker can access after exploiting the vulnerability. The more data exposed, the higher the score.

  • Integrity – How much data, and how many files, can be modified as a result of exploiting the vulnerability. The more that can be modified, the higher the score.

  • Availability – How much damage exploiting the vulnerability does to the target system (e.g., reduced performance or functionality). The more damage, the higher the score.

With the most dangerous CVEs, the metric most often used is not the CVSS score but how commonly the CVE has been exploited, usually described as "in the wild", meaning the exploit was used before patch updates could happen. Remember, most zero-day CVEs are caught before they're ever deployed to the public.

Because there have been vulnerabilities exploited in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) now maintains a Known Exploited Vulnerabilities (KEV) catalog. The KEV catalog currently contains over 800 entries.
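To show what "KEV first, CVSS second" looks like in practice, here is an added example (not code from the original post) that ranks scanner findings so that anything in the KEV catalog, overdue entries first, outranks a higher CVSS score that nobody is known to be exploiting. The feed below is a constructed sample that mimics the key names of CISA's published KEV JSON feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse); the dates, hostnames, scores and the CVE-0000-0001 placeholder are invented for illustration.

```python
"""Rank findings by KEV membership before CVSS score.

Added example. SAMPLE_KEV_JSON is a constructed sample in the shape of
CISA's KEV JSON feed (assumed key names); the findings are invented.
"""
import json
from datetime import date

# Constructed sample of a KEV feed (key names assumed; values invented).
SAMPLE_KEV_JSON = """{
  "title": "Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2023-4863", "vendorProject": "Google", "product": "Chromium WebP",
     "dateAdded": "2023-09-13", "dueDate": "2023-10-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-44487", "vendorProject": "IETF", "product": "HTTP/2",
     "dateAdded": "2023-10-10", "dueDate": "2023-10-31", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed scanner output: CVE-0000-0001 is a placeholder, not a real CVE.
SAMPLE_FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "proxy-02", "cve": "CVE-2023-44487", "cvss": 7.5},
    {"host": "desk-07", "cve": "CVE-2023-4863", "cvss": 8.8},
    {"host": "db-03", "cve": "CVE-0000-0002", "cvss": 5.3},
]


def load_kev(feed_json):
    """Index the KEV feed by CVE id for O(1) lookups."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Return findings sorted for remediation order.

    Order: KEV entries first (overdue before not-yet-due), then everything
    else by CVSS score descending. Each result gains in_kev/overdue/due fields.
    """
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        ranked.append({
            **f,
            "in_kev": entry is not None,
            "overdue": bool(due and due < today),
            "due": due,
        })
    # Sort key: False sorts before True, so negate the flags we want first.
    ranked.sort(key=lambda r: (not r["in_kev"], not r["overdue"], -r["cvss"]))
    return ranked


def demo(today=date(2023, 10, 20)):
    """Rank the constructed findings against the constructed feed."""
    return prioritize(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), today)


if __name__ == "__main__":
    for r in demo():
        tag = "KEV overdue" if r["overdue"] else "KEV" if r["in_kev"] else "not in KEV"
        print(f"{r['host']:9} {r['cve']:16} CVSS {r['cvss']:4}  {tag}")
```

Note that the 9.8 placeholder drops to third place: a high score with no evidence of exploitation is a lower priority than a 7.5 that CISA has already seen used against real systems.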

Why are they important?

CVEs are not malicious code created by bad actors.

CVEs are vulnerabilities within legitimate code used in any computing software. Often, CVEs occur in source code or in the fundamental building blocks that many programs share.

The two most recent that ranked high on the NVD scale were CVE-2023-4863 and CVE-2023-44487.

CVE-2023-4863: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

and

CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly.

While patching has been ongoing, it could take years for all the patching work to be completed.

The Securista - Online Cybersecurity DefendHer for the Kickass Woman Entrepreneur

Ange "Gos" Payton
