Which vulnerabilities are common enough to become a CVE? Is it related to "applications" only, or are websites accepted as well? Is a vulnerability in an unpopular website (or a local service) considered common enough?
4 Answers
From the CVE FAQ:
An information security vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network. See the Terminology page for a complete explanation of how this term is used on the CVE Web site.
The intention of CVE is to be comprehensive with respect to all publicly known vulnerabilities and exposures. While CVE is designed to contain mature information, our primary focus is on identifying vulnerabilities and exposures that are detected by security tools and any new problems that become public.
If an individual website was breached, it is unlikely that the website owners will make it publicly known. If they did make the details public, and it only affected their own proprietary software, it would be of little value to the public. If the vulnerability was in software used and produced by some vendor (open or closed), then it's likely it could become a CVE.
If a website is breached, that might not be the result of a CVE-type attack, but maybe the more generic Common Weakness Enumeration (CWE). For example, if a site was breached by SQL injection or XSS, the specific string would not likely be a CVE, but could be classified under the CWE.
If you are looking for details of specific website attacks, you would want to look for breach reporting, such as the Privacy Rights Clearinghouse's Data Breach List.
The best way to test this would be to try to submit your find and see what the CVE community wants to do with it in their review process.
My understanding is that issues that affect individual websites (say, an XSS on facebook) are not eligible for a CVE, though web applications are. So, an issue that only affects Facebook isn't, but an issue in a web application like WordPress would be.
The application doesn't have to be popular - I once requested a CVE for an application that probably has less than 1,000 users.
You can request a CVE either directly from Mitre or (for open source software) via the oss-security mailing list - if there is a problem, or the issue isn't eligible, they'll let you know.
There are other groups such as OSVDB that track a broader range of issues; though I don't believe they track issues in specific web sites either.
CVEs are for vulnerabilities in software that is shipped and then consumed, not for vulnerabilities in services (e.g. websites). So if a vulnerability in the service (e.g. a website) is in something that is widely available as a software package (e.g. a flaw that is at its root in Apache, or PHP or WordPress for example) then the flaw within that software package would get a CVE.
If the flaw is in a service that is a custom written piece of software that is not available for download (e.g. Amazon, eBay, etc.) then that vulnerability would not get a CVE.
Ultimately the goal of CVE is to provide an identifier for a vulnerability so that when multiple organizations (e.g. the reporter and the upstream and the community using it) need to discuss the vulnerability they can all be sure they're actually talking about the same thing.
For exactness' sake, they have now published which vendors/software are of interest to them for CVE: CVE Products Covered
This is a link-only answer. Please include the relevant parts of the link in your answer (or make it a comment) – schroeder Oct 04 '16 at 20:28