Questions tagged [cve]

Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known vulnerabilities, each entry assigned a unique identifier of the form CVE-YYYY-NNNN (four or more digits in the sequence part).

217 questions
57
votes
6 answers

Should we release the security issues we found in our product as CVEs, or can we just list them in the weekly release notes?

We are a vendor providing a product that is being used in enterprises. We know that those companies run periodic CVE scans on the products they use as part of their vulnerability management process. My question is, do we have to raise a CVE if our…
Filipon
  • 1,204
  • 10
  • 22
40
votes
4 answers

Are CVE counts a good indicator of a software's security?

Looking at the count of CVE reports by product, I'm tempted to use it as an indicator of which programs are the most secure, and choose the ones I install accordingly. But I wonder if these numbers are misleading. For example, the Linux kernel is…
Hey
  • 1,905
  • 1
  • 16
  • 23
28
votes
6 answers

How useful are CVE entries?

Most of the CVE entries are not supplemented by a complete explanation of the bug itself, or even a proof-of-concept demonstrating the bug. All they have is some very high-level, abstract description of possible side effects, e.g. CVE-2016-8412…
sherlock
  • 519
  • 4
  • 6
27
votes
3 answers

Why did Java (JRE) vulnerabilities peak in 2012-2013?

I've taken a graph of the number of CVE reports concerning the JRE per year. Now as you can see this spiked in 2012-2013, which could have been guessed easily, if you look at the number of news items concerning Java in the past years. However, I'm…
Glenn Vandamme
  • 373
  • 3
  • 9
25
votes
4 answers

Difference between hardening guides (CIS, NSA, DISA)

I'm researching OS hardening and it seems there are a variety of recommended configuration guides. I realize the different configuration providers supply different offerings per Operating System, but let's assume (for convenience) we're talking…
blong
  • 359
  • 1
  • 3
  • 9
23
votes
4 answers

How to subscribe to information about new vulnerabilities in selected products?

In order to be informed about critical vulnerabilities in selected products I'd want to subscribe to some list about them. I'd want to configure the list of products by myself. The question "Where can I get security breach alerts?" gives information…
Andrei Botalov
  • 5,267
  • 10
  • 45
  • 73
20
votes
1 answer

How to read CVE-2016-5696 correctly

The Ubuntu CVE Tracker page contains multiple tables related to kernel packages, some of which say DNE, others pending, and a version next to each. I would like to know how to properly read each table. Does the version next to pending refer to…
19
votes
1 answer

What to do after you get a CVE?

I recently reported a security vulnerability and it was patched. The patch (and associated issue) are both out in the open in a Github repo (aka public). I contacted cve-assign@mitre.org to get a CVE Identifier issued for the vulnerability. I have…
17
votes
3 answers

Would CVE-2016-0728 affect Docker?

I ended up having a discussion about Docker and system security today and we came to the point where we asked ourselves whether the latest CVE-2016-0728 exploit (privilege escalation) would affect Docker containers as well. Docker utilizes the system…
12
votes
2 answers

Why the big jump in CVE-2017 numbering?

Can anyone explain why the numbering of this year's CVE entries jumped from CVE-2017-15xxx to CVE-2017-1000xxx? What about entries with the numbering sequence CVE-2017-16xxx, CVE-2017-17xxx, and so on? Why are ~984 000 entries not numbered…
urandom
  • 161
  • 6
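The two questions above about subscribing to alerts for a self-chosen set of products and about variable-length CVE sequence numbers both come down to handling CVE IDs and vulnerability feeds correctly in tooling. The following is an added example, not code from this page or from any of the posters: it parses CVE IDs under the post-2014 syntax (four-digit year, four *or more* sequence digits), sorts them numerically rather than lexically, and filters a feed against a (vendor, product) watchlist. The feed structure is modelled on the shape of NVD's JSON 2.0 CVE API but is an assumption here, and the sample entries are constructed placeholders with the year 0000 so they cannot be mistaken for real CVEs.

```python
from __future__ import annotations

import json
import re
from typing import Iterable

# CVE ID syntax since 2014: "CVE-" + 4-digit year + "-" + 4 or more digits.
# Because the sequence part is no longer fixed at 4 digits, IDs must be
# compared numerically; a plain string sort puts CVE-YYYY-1000001 before
# CVE-YYYY-15000.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Return (year, sequence) for a syntactically valid CVE ID, else raise ValueError."""
    m = CVE_ID_RE.match(cve_id.strip())
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def sort_cve_ids(ids: Iterable[str]) -> list[str]:
    """Sort IDs by (year, sequence) as integers, not as strings."""
    return sorted(ids, key=parse_cve_id)


# Constructed sample feed (assumed NVD JSON 2.0-like shape; only the fields read
# below are modelled). The IDs use year 0000 and are placeholders, not real CVEs.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-1000200",
             "descriptions": [{"lang": "en", "value": "placeholder: overflow in foo"}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:acme:foo:1.2.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-15010",
             "descriptions": [{"lang": "en", "value": "placeholder: DoS in bar"}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:acme:bar:2.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0042",
             "descriptions": [{"lang": "en", "value": "placeholder: issue in baz"}],
             "metrics": {},
             "configurations": [{"nodes": [{"cpeMatch": [
                 # "vulnerable": false entries describe a running-on platform,
                 # not an affected product, and must not trigger an alert.
                 {"vulnerable": False, "criteria": "cpe:2.3:a:acme:foo:1.0:*:*:*:*:*:*:*"},
                 {"vulnerable": True, "criteria": "cpe:2.3:a:other:baz:3.1:*:*:*:*:*:*:*"}]}]}]}},
]})


def cpe_vendor_product(criteria: str) -> tuple[str, str]:
    """Extract (vendor, product) from a CPE 2.3 formatted string."""
    parts = criteria.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria!r}")
    return parts[3], parts[4]


def match_watchlist(feed_json: str, watchlist: set[tuple[str, str]],
                    min_score: float = 0.0) -> list[tuple[str, float, str]]:
    """Return [(cve_id, base_score, description)] for feed entries whose
    vulnerable CPE matches hit a watchlisted (vendor, product), sorted by ID."""
    hits: dict[str, tuple[str, float, str]] = {}
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        score = 0.0  # entries without a CVSS v3.1 metric score as 0.0
        for metric in cve.get("metrics", {}).get("cvssMetricV31", []):
            score = max(score, float(metric["cvssData"]["baseScore"]))
        if score < min_score:
            continue
        for conf in cve.get("configurations", []):
            for node in conf.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    if m.get("vulnerable") and cpe_vendor_product(m["criteria"]) in watchlist:
                        desc = next((d["value"] for d in cve["descriptions"]
                                     if d["lang"] == "en"), "")
                        hits[cve["id"]] = (cve["id"], score, desc)
    return [hits[i] for i in sort_cve_ids(hits)]


if __name__ == "__main__":
    for row in match_watchlist(SAMPLE_FEED, {("acme", "foo"), ("acme", "bar")}):
        print(*row)
```

Two points a practitioner would want from this: only `"vulnerable": true` CPE matches are treated as affected products (the `false` ones describe a platform the vulnerable product runs on), and an entry with no CVSS v3.1 metric is kept with score 0.0 rather than dropped, so a `min_score` filter does not silently hide un-scored advisories.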
11
votes
1 answer

CentOS Security Tracker

Most Linux distros provide a page where you can check whether the latest package has any security vulnerabilities and what version they are fixed in. I understand that CentOS derives most of its packages from RHEL, which has that kind of page…
TimC
  • 552
  • 5
  • 12
11
votes
1 answer

How exactly to create a CVE?

I found a heap overflow exploit for a vulnerability in git servers. This led to lucrative operations on various bug bounty programs (GitHub already promised to put me in their top 10). When it was corrected recently, the case of remote code…
user2284570
  • 1,402
  • 1
  • 14
  • 33
10
votes
4 answers

How general should a vulnerability be to be eligible for a CVE?

Which vulnerabilities are common enough to become a CVE? Is it related to "application"s only, or are websites accepted as well? Is a vulnerability in an unpopular website (or a local service) considered common enough?
semekh
  • 223
  • 1
  • 7
10
votes
2 answers

Does CVE-2021-42694 affect only compiled code?

A new critical issue was discovered in the character definitions of the Unicode Specification through 14.0. Does it only affect code compiled from sources with disallowed unicode characters? RHEL describes that it is relevant only to GCC. Is it only…
Michael
  • 1,457
  • 1
  • 18
  • 36
10
votes
2 answers

How are CVE identifiers assigned and managed?

CVE Identifiers (a.k.a. CVE IDs) are used to uniquely identify a particular vulnerability. We've all seen them on various bulletins, and they're useful when researching an issue. But how are they assigned? What process is involved in getting a CVE…
Polynomial
  • 132,208
  • 43
  • 298
  • 379