Security Diaries All About Security
Related Articles
When it comes to information security there are many standards, guides, frameworks and terminologies that you must learn to understand Infosec better. In this guide, I will help you understand the difference between two Acronyms that we use every day and also help you to understand when to use what.
What is CVE?
CVE stands for Common Vulnerabilities and Exposures
In simple terms, CVE is nothing but a list of known vulnerabilities of the software. It is a catalogue that helps you understand what is the vulnerability of the product. It is a standardized way to keep track of all the vulnerabilities.
For Example:
I have a Paint application and due to my bad coding skills, I have introduced a buffer overflow vulnerability, unintentionally though and this vulnerability exists in version 1.2 and earlier versions. I have released a fix in 1.3. now we need a standard way to represent this particular vulnerability and this is where CVE comes into play. CVE is a unique ID that represents this particular vulnerability.
CVE ID contains 2 parameters
CVE-YEAR-SERIAL.
YEAR represents in which year the vulnerability has been identified and the serial number of the vulnerability.
Example:
CVE-2021-44228 – This CVE belongs to the Log4j vulnerability, one of the most critical vulnerabilities we have. This vulnerability was a nightmare. Here in this CVE 2021 is the year the vulnerability has been identified in Log4j and 44228 is the serial number.
In the CVE description, we will find the vulnerable product, version ranges, kind of vulnerability, CVSS score, CVSS vector, references, solutions, CWE, CPEs,
What is CWE?
CWE stands for Common Weakness Enumeration.
This specifies the names of vulnerabilities.
For example in the above CVE, the vulnerability name is Remote code Execution but multiple issues lead to RCE. For this particular CWE, we have CWE IDs of 917, 502, 20, 400
917 – Improper Neutralization of Special Elements used in an Expression Language Statement
502 – Deserialization of Untrusted Data
20 – Improper Input Validation
400 – Uncontrolled Resource Consumption
In this case, due to the above issues, the product was vulnerable to RCE
Difference between CVE and CWE
CVE refers to the vulnerability of the product where as CWE refers to the vulnerability name. CWE is just a weakness but CVE is a weakness in the product.
Who created CVE and CWE?
MITRE designed both standards to provide a uniform way of recognizing cybersecurity vulnerabilities.
MITRE contains all the information about CVE and CWEs which includes vulnerabilities, applications, versions, remediation steps, risk levels, the criticality of vulnerability and many more.
MITRE has helped us to have better visibility of threats and manage them in a better way.
When to use what?
CWE is a vulnerability that only represents the weakness but it won’t contain any information on which application or product the vulnerability exists where as CVE contains more information on vulnerabilities, the application vulnerable to, version range and solution to fix the vulnerability.
CWE doesn’t contain any CVE but CVE contains CWE which helps to understand all types of weaknesses present in the CVE. CWE collaborates with CVE to provide more accurate information.
