Understanding CVE vs CVSS

CVE (Common Vulnerabilities and Exposures)

CVE is simply a list of all publicly disclosed vulnerabilities that includes:

• CVE ID - Unique identifier for the vulnerability
• Description - Details about the security issue
• Dates - When the vulnerability was discovered and disclosed
• Comments - Additional information and references

CVSS (Common Vulnerability Scoring System)

CVSS is the overall score assigned to a vulnerability. The CVSS score is not reported in the CVE listing – you must use the NVD (National Vulnerability Database) to find assigned CVSS scores.

How They Work Together

The Relationship

1. CVE provides the standardized naming and cataloging of vulnerabilities
2. CVSS provides the standardized scoring system to assess severity
3. NVD combines both CVE information and CVSS scores in one database

Example

• CVE-2021-44228 (Log4Shell) - The vulnerability identifier
• CVSS Score: 10.0 - The severity rating (Critical)
• NVD Entry - Contains both the CVE details and CVSS score

CVSS Scoring System

Score Ranges

• 0.1 - 3.9: Low severity
• 4.0 - 6.9: Medium severity
• 7.0 - 8.9: High severity
• 9.0 - 10.0: Critical severity

Scoring Components

CVSS scores are calculated based on multiple factors:

Base Score Metrics

• Attack Vector - How the vulnerability can be exploited
• Attack Complexity - Difficulty of exploitation
• Privileges Required - Level of privileges needed
• User Interaction - Whether user interaction is required
• Scope - Impact on other components
• Confidentiality Impact - Impact on data confidentiality
• Integrity Impact - Impact on data integrity
• Availability Impact - Impact on system availability

Temporal Score Metrics

• Exploit Code Maturity - Availability of exploit code
• Remediation Level - Availability of fixes
• Report Confidence - Confidence in the vulnerability report

Environmental Score Metrics

• Security Requirements - Organization-specific security needs
• Modified Base Metrics - Environment-specific modifications

Using CVE and CVSS in Practice

Vulnerability Management

• CVE IDs help track and reference specific vulnerabilities
• CVSS scores help prioritize remediation efforts
• Combined approach enables effective risk assessment

Prioritization Strategy

1. Critical (9.0-10.0): Immediate attention required
2. High (7.0-8.9): Address within days/weeks
3. Medium (4.0-6.9): Address within weeks/months
4. Low (0.1-3.9): Address as resources permit

Tools and Resources

CVE Databases

• CVE Database - Official CVE database
• NVD Database - CVE details with CVSS scores
• CVE Search - Search CVE entries

CVSS Calculators

• CVSS Calculator - Official CVSS calculator
• NVD CVSS Calculator - NVD’s CVSS calculator

Related Security Concepts

Vulnerability Management

• What is a CVE? - Understanding Common Vulnerabilities and Exposures
• What is CVSS? - Common Vulnerability Scoring System
• What is a Cybersecurity Exposure? - Understanding exposures vs vulnerabilities

Security Solutions

• Tetrate Security Solutions - Enterprise security for service mesh environments
• Istio and Envoy CVE Scanning - CVE scanning for service mesh components

Best Practices

CVE Management

• Regular monitoring of CVE databases for relevant vulnerabilities
• Automated scanning to identify affected systems
• Documentation of CVE tracking and remediation efforts

CVSS Assessment

• Use latest CVSS version (currently 3.1) for scoring
• Consider environmental factors when calculating scores
• Regular review of CVSS scores as new information becomes available

Integration with Security Tools

• Vulnerability scanners that report CVE IDs and CVSS scores
• Security information and event management (SIEM) systems
• Patch management systems that prioritize based on CVSS scores

Understanding the difference between CVE and CVSS is essential for effective vulnerability management and security risk assessment in modern IT environments.