CVE - KhepriHuang/Documentation GitHub Wiki
What is a CVE?
CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that has been assigned a CVE ID number. CVE entries are brief. They don't include technical data or information about risks, impacts, and fixes; those details appear in other databases, e.g. the U.S. National Vulnerability Database (NVD) and the CERT/CC Vulnerability Notes Database.

CVE identifiers are assigned by a CVE Numbering Authority (CNA). CVE reports can come from anywhere: a vendor, a researcher, or just an astute user can discover a flaw and bring it to someone's attention. One way or another, information about the flaw makes its way to a CNA. The CNA assigns the information a CVE ID, writes a brief description, and includes references. Then the CVE entry is posted on the CVE website.

Often, a CVE ID is assigned before a security advisory is made public. It's common for vendors to keep security flaws secret until a fix has been developed and tested, which reduces opportunities for attackers to exploit unpatched flaws. Once made public, a CVE entry includes the CVE ID (in the format "CVE-2021-1234567"), a brief description of the security vulnerability or exposure, and references, which can include links to vulnerability reports and advisories.
What qualifies for a CVE?
CVE IDs are assigned to flaws that meet a specific set of criteria. They must be:
- Independently fixable. The flaw can be fixed independently of any other bugs.
- Acknowledged by the affected vendor OR documented. The software or hardware vendor acknowledges the bug and that it has a negative impact on security. Or, the reporter must have shared a vulnerability report that demonstrates the negative impact of the bug AND that it violates the security policy of the affected system.
- Affecting one codebase. Flaws that impact more than one product get separate CVEs. In cases of shared libraries, protocols or standards, the flaw gets a single CVE only if there’s no way to use the shared code without being vulnerable. Otherwise each affected codebase or product gets a unique CVE.
What is the Common Vulnerability Scoring System?
There are multiple ways to evaluate the severity of a vulnerability. One is the Common Vulnerability Scoring System (CVSS), a set of open standards for assigning a number to a vulnerability to assess its severity. CVSS scores are used by the NVD, CERT and others to assess the impact of vulnerabilities. Scores range from 0.0 to 10.0, with higher numbers representing a higher degree of severity of the vulnerability. Many security vendors have created their own scoring systems, as well.
https://www.redhat.com/en/topics/security/what-is-cve
What is CWE?
The Common Weakness Enumeration Specification (CWE) provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture. Each individual CWE represents a single vulnerability type. CWE is currently maintained by the MITRE Corporation.
Below is one CWE related to overflow.
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'). The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
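The following C snippet is an added example written for this page (it is not code from the wiki author or from any project the page cites). It places the CWE-120 pattern next to a hardened copy routine that measures the input before copying. The function names `copy_unchecked`, `copy_checked` and `try_copy`, the 16-byte `DEST_SIZE`, and the sample strings are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define DEST_SIZE 16  /* fixed-size destination used by both copies below (constructed value) */

/* CWE-120 pattern: the input is copied into a fixed-size buffer with no size
 * check, so any input needing more than DEST_SIZE bytes (NUL terminator
 * included) writes past the end of dest. Kept only to show the weakness. */
void copy_unchecked(char dest[DEST_SIZE], const char *input) {
    strcpy(dest, input);  /* strlen(input) + 1 may exceed DEST_SIZE */
}

/* Hardened form: measure the input first and refuse it if it does not fit.
 * Returns 0 on success; -1 when the input (terminator included) would
 * overflow dest, in which case dest is left holding an empty string. */
int copy_checked(char *dest, size_t dest_size, const char *input) {
    size_t needed = strlen(input) + 1;  /* bytes required, NUL included */
    if (dest_size == 0) return -1;
    if (needed > dest_size) {
        dest[0] = '\0';
        return -1;
    }
    memcpy(dest, input, needed);
    return 0;
}

/* Convenience wrapper: copy into a DEST_SIZE-byte local buffer and report
 * whether the checked copy accepted the input (0) or rejected it (-1). */
int try_copy(const char *input) {
    char dest[DEST_SIZE];
    return copy_checked(dest, sizeof dest, input);
}

int main(void) {
    /* constructed sample inputs: one that fits, one that does not */
    const char *inputs[] = { "hello", "this string is far longer than sixteen bytes" };
    for (size_t k = 0; k < 2; k++) {
        char dest[DEST_SIZE];
        int rc = copy_checked(dest, sizeof dest, inputs[k]);
        printf("%-45s -> %s\n", inputs[k], rc == 0 ? dest : "rejected (would overflow)");
    }
    /* copy_unchecked is only safe with the short input; the long one would overflow */
    char dest[DEST_SIZE];
    copy_unchecked(dest, inputs[0]);
    return 0;
}
```

The check counts the terminating NUL (`strlen + 1`), which is the byte most often forgotten: a 16-byte buffer holds at most 15 characters of text. Rejecting the input outright, rather than silently truncating it, also keeps a too-long value from being accepted and acted on in a mangled form.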
CVSS - Common Vulnerability Scoring System Calculator
CVSS v3.0 assesses a vulnerability with three metric groups: the Base metric group, the Temporal metric group and the Environmental metric group. The Base metric group produces the base score; the Temporal and Environmental groups each take the score produced by the Base group as their starting point and refine it further to obtain a more precise score. Because the latter two are considered advanced options, used only when someone wants to evaluate the vulnerability in more depth, most people use only the Base metric group.
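To make the Base metric group concrete, here is an added example (written for this page, not code from the wiki author or from FIRST) that parses a CVSS v3.1 base vector string and computes its base score with the formulas and metric weights published in the CVSS v3.1 specification. The function names (`parse_vector`, `base_score`, `score_vector`) and the sample vectors are constructed for the illustration; only the eight base metrics are handled, and temporal or environmental metrics in the string are rejected.

```c
#include <stdio.h>
#include <string.h>

/* The eight CVSS v3.1 base metrics, stored as their single-letter values
 * (e.g. av = 'N' for Network, s = 'C' for Scope: Changed). */
struct base_metrics { char av, ac, pr, ui, s, c, i, a; };

/* Metric weights from the CVSS v3.1 specification, section 7.4. */
static double weight_av(char v) {
    switch (v) {
    case 'N': return 0.85;  /* Network */
    case 'A': return 0.62;  /* Adjacent */
    case 'L': return 0.55;  /* Local */
    default:  return 0.20;  /* Physical */
    }
}
static double weight_pr(char v, int scope_changed) {
    if (v == 'N') return 0.85;
    if (v == 'L') return scope_changed ? 0.68 : 0.62;
    return scope_changed ? 0.50 : 0.27;   /* High */
}
static double weight_cia(char v) { return v == 'H' ? 0.56 : v == 'L' ? 0.22 : 0.0; }

/* Roundup() from CVSS v3.1 appendix A: round up to one decimal place using
 * integer arithmetic, so that a value such as 4.000001 still yields 4.0. */
static double roundup(double x) {
    long int_input = (long)(x * 100000.0 + 0.5);   /* nearest integer */
    if (int_input % 10000 == 0) return int_input / 100000.0;
    return (int_input / 10000 + 1) / 10.0;          /* integer division floors */
}

/* Parse "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" into m.
 * Returns 0 on success, -1 if the string is malformed, uses another
 * version, carries a non-base metric, or lacks one of the eight metrics. */
int parse_vector(const char *vec, struct base_metrics *m) {
    static const char *names[]   = {"AV",   "AC", "PR",  "UI", "S",  "C",   "I",   "A"};
    static const char *allowed[] = {"NALP", "LH", "NLH", "NR", "UC", "HLN", "HLN", "HLN"};
    char *slots[] = {&m->av, &m->ac, &m->pr, &m->ui, &m->s, &m->c, &m->i, &m->a};
    char buf[128];
    if (strlen(vec) >= sizeof buf) return -1;
    strcpy(buf, vec);                 /* length checked above */
    memset(m, 0, sizeof *m);
    char *tok = strtok(buf, "/");
    if (tok == NULL || strcmp(tok, "CVSS:3.1") != 0) return -1;
    while ((tok = strtok(NULL, "/")) != NULL) {
        char *colon = strchr(tok, ':');
        if (colon == NULL || strlen(colon) != 2) return -1;   /* expect "XX:V" */
        *colon = '\0';
        int k;
        for (k = 0; k < 8; k++) if (strcmp(tok, names[k]) == 0) break;
        if (k == 8 || strchr(allowed[k], colon[1]) == NULL) return -1;
        *slots[k] = colon[1];
    }
    for (int k = 0; k < 8; k++) if (*slots[k] == 0) return -1;   /* all eight required */
    return 0;
}

/* Base score per CVSS v3.1 section 7.1. */
double base_score(const struct base_metrics *m) {
    int changed = m->s == 'C';
    double iss = 1.0 - (1.0 - weight_cia(m->c)) * (1.0 - weight_cia(m->i)) * (1.0 - weight_cia(m->a));
    double impact;
    if (changed) {
        double t = iss - 0.02, p = 1.0;
        for (int k = 0; k < 15; k++) p *= t;        /* (ISS - 0.02)^15 without libm */
        impact = 7.52 * (iss - 0.029) - 3.25 * p;
    } else {
        impact = 6.42 * iss;
    }
    double expl = 8.22 * weight_av(m->av) * (m->ac == 'L' ? 0.77 : 0.44)
                * weight_pr(m->pr, changed) * (m->ui == 'N' ? 0.85 : 0.62);
    if (impact <= 0.0) return 0.0;
    double raw = changed ? 1.08 * (impact + expl) : impact + expl;
    if (raw > 10.0) raw = 10.0;
    return roundup(raw);
}

/* Score a vector string; returns -1.0 if it cannot be parsed. */
double score_vector(const char *vec) {
    struct base_metrics m;
    if (parse_vector(vec, &m) != 0) return -1.0;
    return base_score(&m);
}

int main(void) {
    /* constructed sample vectors: a typical unauthenticated RCE shape and a reflected-XSS shape */
    const char *samples[] = {
        "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    };
    for (size_t k = 0; k < 2; k++)
        printf("%s -> base score %.1f\n", samples[k], score_vector(samples[k]));
    return 0;
}
```

The Scope metric is what makes the score non-additive: with Scope Changed the impact sub-score uses a different curve and the final sum is multiplied by 1.08, which is why a vector that only changes `S:U` to `S:C` jumps from 9.8 to the 10.0 cap. The first sample in `main` reproduces the 9.8 that NVD shows for that vector; the second reproduces 6.1.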
https://www.first.org/cvss/calculator/3.1
https://ithelp.ithome.com.tw/articles/10203313
https://ithelp.ithome.com.tw/articles/10203906
-----------------------------------------------------------------------------------------------
*Affected product name:
*Version:
*Product developer/vendor:
*Product website:
*Vulnerability type: (see https://nvd.nist.gov/vuln/categories)
*Vulnerability description:
Description of the vulnerability:
Specific conditions required to trigger the vulnerability:
Method of triggering the vulnerability:
Supporting evidence:
*Vulnerability threat:
FIRST CVSS calculator: https://www.first.org/cvss/calculator/3.1