Common Vulnerabilities and Exposures
SearchFinancialSecurity.com Definitions (Powered by WhatIs.com)


DEFINITION - Common Vulnerabilities and Exposures (CVE) is a dictionary of standard terms related to security threats. These threats fall into two categories, known as vulnerabilities and exposures. A vulnerability is a fact about a computer, server or network that presents a definite, identifiable security risk in a certain context. An exposure is a security-related situation, event or fact that may be considered a vulnerability by some people but not by others.

CVE was developed and is maintained by the MITRE Corporation to facilitate the sharing of data among diverse security interests. It can simplify the process of searching for information in security-related databases and on the Internet. The dictionary is the product of collaboration among experts and representatives from security-related organizations worldwide.

Items in CVE are given names according to the year of their formal inclusion and the order in which they were added to the list in that year. For example, CVE-2002-0250 refers to a specific Web-based configuration utility that may allow an unauthorized user to modify a system administrator's password. This item was added in the year 2002 and was given sequence number 250 for that year.
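As an added example (not part of the original definition), a small Python parser for the naming scheme just described: it validates the CVE-year-sequence form, splits an identifier into its year and sequence number, and sorts identifiers numerically rather than as strings. Beyond what the page states, it assumes that sequence numbers may run longer than four digits (the syntax was widened in 2014) and that no identifier predates CVE's 1999 launch; the sample list is constructed.

```python
import re
from dataclasses import dataclass

# Fixed "CVE-" prefix, four-digit year, then the sequence number for that
# year. The page's example uses a four-digit sequence; since the 2014 syntax
# change the sequence may be longer, so the pattern accepts four or more.
_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


@dataclass(frozen=True, order=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Sequence numbers are zero-padded to at least four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Validate a CVE identifier and return its year and sequence number.

    Input is normalised (whitespace stripped, upper-cased) before matching,
    so "cve-2002-0250" is accepted; anything else raises ValueError.
    """
    m = _CVE_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not a CVE identifier: {text!r}")
    year, seq = int(m.group(1)), int(m.group(2))
    if year < 1999:
        # Assumption: CVE was launched in 1999, so earlier years are invalid.
        raise ValueError(f"implausible CVE year in {text!r}")
    return CveId(year, seq)


def sort_cve_ids(ids):
    """Order identifiers by year, then by sequence number, numerically.

    A plain string sort would place CVE-2014-10000 before CVE-2014-9999;
    comparing the parsed (year, sequence) pairs avoids that.
    """
    return [str(c) for c in sorted(parse_cve_id(i) for i in ids)]


if __name__ == "__main__":
    # Constructed sample input: mixed case and a five-digit sequence number.
    sample = ["CVE-2014-10000", "cve-2002-0250", "CVE-2014-9999", "CVE-2002-0200"]
    print(sort_cve_ids(sample))
    # → ['CVE-2002-0200', 'CVE-2002-0250', 'CVE-2014-9999', 'CVE-2014-10000']
```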

At least two different definitions of security-related vulnerability exist. In its most common sense, a vulnerability is an identifiable problem that can directly result in the compromise of a system in the short term. An example is a known security loophole in an operating system (OS) that has been exploited in real-world situations with adverse consequences. The less common definition of vulnerability refers to any factor that does not pose an imminent, direct security risk but can indirectly increase the risk in the long term. An example of this second definition is a high-speed Internet connection. It is easier to break into a computer connected to the Internet through a cable modem with a downstream speed of 5 Mbps (megabits per second) and an upstream speed of 1 Mbps than it is to break into a computer working through a dial-up modem with downstream and upstream speeds of 56 Kbps (kilobits per second).

According to the MITRE Corporation, the content of CVE should not depend on the perspective of the individual user. Any CVE entry that can be considered a vulnerability from all perspectives is known as a universal vulnerability. All other entries are categorized as exposures. An unpatched, previously exploited security loophole in an OS would constitute a universal vulnerability according to the CVE standard. A high-speed Internet connection would constitute an exposure.


LAST UPDATED: 17 Jan 2008


More resources from around the web:
- Read an overview of CVE in the official brochure.
- The MITRE Corporation maintains a CVE Web site.
- View or download the current free version of CVE.