Security Glossary

Comprehensive definitions of security terms, vulnerability intelligence terminology, and cybersecurity concepts. Understand CVE, CVSS, EPSS, and more.

CVE - Common Vulnerabilities and Exposures

A CVE (Common Vulnerabilities and Exposures) is a unique identifier assigned to publicly known cybersecurity vulnerabilities. Each CVE entry includes a standardized description, severity rating, and references to advisories, patches, and exploits. CVEs are assigned by CVE Numbering Authorities (CNAs) and provide a common language for referencing security flaws across the cybersecurity community.

Example:

CVE-2021-44228 (Log4Shell) - A critical remote code execution vulnerability in Apache Log4j.

CVSS - Common Vulnerability Scoring System

CVSS is a framework for rating the severity of security vulnerabilities. It provides a numerical score (0.0 to 10.0) and a severity rating (None, Low, Medium, High, Critical). CVSS v3.1 considers factors like attack vector, attack complexity, privileges required, user interaction, scope, and impact on confidentiality, integrity, and availability.

Severity   CVSS v3.1 base score
Critical   9.0 - 10.0
High       7.0 - 8.9
Medium     4.0 - 6.9

EPSS - Exploit Prediction Scoring System

EPSS predicts the probability that a vulnerability will be exploited in the wild within the next 30 days. Unlike CVSS which measures severity, EPSS focuses on exploitability. Scores range from 0.0 (very low probability) to 1.0 (very high probability). EPSS helps organizations prioritize patching efforts based on real-world threat intelligence.

Use Case:

A CVE with CVSS 7.5 (High) but EPSS 0.95 (95% exploit probability) should be prioritized over a CVE with CVSS 9.0 (Critical) and EPSS 0.05 (5% exploit probability).

KEV - Known Exploited Vulnerabilities

KEV is a catalog maintained by CISA (Cybersecurity and Infrastructure Security Agency) of vulnerabilities that are known to be actively exploited in the wild. CVEs listed in KEV require immediate patching as they pose an active threat. Federal agencies are required to patch KEV-listed vulnerabilities within specific timeframes.

⚠️ Critical Priority:

CVEs in the KEV catalog have confirmed active exploitation and should be patched immediately, regardless of CVSS score.
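The CVSS, EPSS and KEV entries above describe three signals that are combined when deciding what to patch first. The following is an added example (not HuntDB's code) that maps a CVSS v3.1 base score to its severity band and ranks findings KEV-first, then by EPSS, then by CVSS; the CVE identifiers and scores in it are constructed placeholders.

```python
"""Vulnerability triage combining CVSS severity, EPSS probability and KEV status.

Added example, not HuntDB code. All CVE ids and scores below are constructed.
"""
from dataclasses import dataclass

# CVSS v3.1 qualitative severity bands (lower bound, label). Critical/High/Medium
# match the table above; the Low and None bounds come from the CVSS v3.1 spec.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"),
                  (0.1, "Low"), (0.0, "None")]


def cvss_severity(score: float) -> str:
    """Return the qualitative rating for a CVSS v3.1 base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "None"


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float    # CVSS v3.1 base score, 0.0-10.0
    epss: float    # EPSS: probability of exploitation in the next 30 days, 0.0-1.0
    in_kev: bool   # listed in CISA's KEV catalog (confirmed active exploitation)


def triage_key(f: Finding) -> tuple:
    """Sort key: KEV entries first regardless of CVSS, then highest EPSS, then CVSS."""
    return (not f.in_kev, -f.epss, -f.cvss)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings so the first element should be patched first."""
    return sorted(findings, key=triage_key)


# Constructed sample records (placeholder ids, illustrative scores only).
SAMPLE = [
    Finding("CVE-0000-0001", 9.0, 0.05, False),  # Critical, but rarely exploited
    Finding("CVE-0000-0002", 7.5, 0.95, False),  # High, very likely to be exploited
    Finding("CVE-0000-0003", 6.5, 0.10, True),   # Medium, but confirmed exploited (KEV)
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve}  {cvss_severity(f.cvss):8}  EPSS={f.epss:.2f}  KEV={f.in_kev}")
```

Run as written, the KEV-listed Medium finding sorts ahead of the Critical one, which is the ordering the KEV and EPSS entries above call for.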

CWE - Common Weakness Enumeration

CWE is a community-developed list of common software and hardware security weaknesses. Unlike CVEs which identify specific vulnerabilities, CWEs categorize types of weaknesses (e.g., SQL Injection, Buffer Overflow). Multiple CVEs can map to the same CWE, helping developers understand common patterns in security flaws.

Example:

CWE-89 (SQL Injection) - A weakness category that many SQL injection CVEs reference.

Zero-Day Vulnerability

A zero-day vulnerability is a security flaw that is exploited before the vendor is aware of it or has released a patch. The term "zero-day" refers to the number of days the vendor has had to fix the issue (zero). These vulnerabilities are particularly dangerous because there are no patches or mitigations available when exploitation begins.

RCE - Remote Code Execution

RCE vulnerabilities allow attackers to execute arbitrary code on a remote system without authentication or with limited privileges. These are among the most severe vulnerabilities as they can lead to complete system compromise. RCE vulnerabilities often have CVSS scores of 9.0 or higher.

Severity:

RCE vulnerabilities are typically rated as CRITICAL (CVSS 9.0-10.0) and require immediate patching.

CNA - CVE Numbering Authority

CNAs are organizations authorized by MITRE to assign CVE identifiers to vulnerabilities within their scope. Major CNAs include MITRE, NVD, GitHub, Google, Microsoft, and Red Hat. CNAs ensure CVEs are assigned consistently and follow the CVE assignment rules.

NVD - National Vulnerability Database

NVD is the U.S. government repository of standards-based vulnerability management data. NVD provides CVSS scores, CPE (Common Platform Enumeration) mappings, and vulnerability impact analysis. While MITRE assigns CVEs, NVD enriches them with additional metadata and scoring.

PoC - Proof of Concept

A PoC is a demonstration that a vulnerability can be exploited. PoCs help security researchers and developers understand how an attack works, but they can also be used maliciously. The presence of public PoCs increases the likelihood that a vulnerability will be exploited in the wild.

CPE - Common Platform Enumeration

CPE is a structured naming scheme for IT systems, platforms, and software packages. CPEs help identify which products are affected by a CVE. For example, a CVE might affect "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*" (Apache Log4j version 2.14.1).