Common Vulnerabilities and Exposures (CVE) is a dictionary of standard terms related to security threats. These threats fall into two categories, known as vulnerabilities and exposures. A vulnerability is a fact about a computer, server or network that presents a definite, identifiable security risk in a certain context. An exposure is a security-related situation, event or fact that may be considered a vulnerability by some people but not by others.
CVE was developed and is maintained by the MITRE Corporation to facilitate the sharing of data among diverse security interests. It can simplify the process of searching for information in security-related databases and on the Internet. The dictionary is the product of collaboration among experts and representatives from security-related organizations worldwide.
Items in CVE are given names according to the year of their formal inclusion and the order in which they were added to the list in that year. For example, CVE-2002-0250 refers to a specific Web-based configuration utility that may allow an unauthorized user to modify a system administrator's password. This item was added in the year 2002 and was given sequence number 250 for that year.
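The naming scheme above can be checked mechanically. The following Python is an added example, not part of the original page: it pulls CVE names out of free text and splits each into year and sequence number. Accepting sequence numbers longer than four digits and tolerating Unicode dashes are assumptions that go beyond the page; the sample text and the second identifier in it are constructed.

```python
import re
from typing import NamedTuple


class CveId(NamedTuple):
    year: int       # year the entry was formally included
    sequence: int   # order in which it was added that year

    def __str__(self) -> str:
        # Canonical form pads the sequence to at least four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


# ASCII hyphen plus the Unicode dashes that word processors substitute for it.
_DASH = "[-\u2010\u2011\u2012\u2013\u2014]"
_CVE_RE = re.compile(
    rf"(?<![A-Za-z0-9])CVE{_DASH}(\d{{4}}){_DASH}(\d{{4,}})(?![0-9])",
    re.IGNORECASE,
)


def parse_cve(text: str) -> CveId:
    """Parse one name; raise ValueError if text is not exactly a CVE name."""
    m = _CVE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a CVE identifier: {text!r}")
    return CveId(int(m.group(1)), int(m.group(2)))


def extract_cves(text: str) -> list[CveId]:
    """Return the distinct names found in text, ordered by year then sequence."""
    found = {CveId(int(y), int(s)) for y, s in _CVE_RE.findall(text)}
    return sorted(found)


# Constructed scanner notes. CVE-2002-0250 is the page's example; the
# six-digit identifier is a made-up value, not a real entry.
SAMPLE = (
    "host-a cve-2002-0250; host-b CVE-2002-0250, CVE\u20132014-123456; "
    "ticket XCVE-2002-0001 and CVE-2002-25 are not valid names."
)

if __name__ == "__main__":
    for cve in extract_cves(SAMPLE):
        print(cve, "-> year", cve.year, "sequence", cve.sequence)
```

Duplicates, mixed case and the en dash are normalised to one canonical name each, while the embedded `XCVE-...` string and the two-digit sequence are rejected.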
At least two different definitions of security-related vulnerability exist. In the most commonly used sense, a vulnerability is an identifiable problem that can directly result in the compromise of a system in the short term. An example is a known security loophole in an operating system (OS) that has been exploited in real-world situations with adverse consequences. The less common definition of vulnerability refers to any factor that does not pose an imminent, direct security risk but can indirectly increase the risk in the long term. An example of this second definition is a high-speed Internet connection. It is easier to hack into a computer connected to the Internet through a cable modem with a downstream speed of 5 Mbps (megabits per second) and an upstream speed of 1 Mbps than it is to hack into a computer working through a dial-up modem with downstream and upstream speeds of 56 Kbps (kilobits per second).
According to the MITRE Corporation, the content of CVE should not depend on the perspective of the individual user. Any CVE entry that can be considered a vulnerability from all perspectives is known as a universal vulnerability. All other entries are categorized as exposures. An unpatched, previously exploited security loophole in an OS would constitute a universal vulnerability according to the CVE standard. A high-speed Internet connection would constitute an exposure.