Common Vulnerabilities and Exposures (CVE) is a dictionary to describe known vulnerabilities.
Questions tagged [cve]
245 questions
42 votes, 4 answers
Are CVE counts a good indicator of a software's security?
Looking at the count of CVE reports by product, I'm tempted to use it as an indicator of which programs are the most secure, and choose the ones I install accordingly.
But I wonder if these numbers are misleading. For example, the Linux kernel is…
Hey
28 votes, 6 answers
How useful are CVE entries?
Most of the CVE entries are not supplemented by a complete explanation of the bug itself, or even a proof-of-concept demonstrating the bug. All they have is some very high-level, abstract description of possible side effects, e.g. CVE-2016-8412…
sherlock
12 votes, 2 answers
Why the big jump in CVE-2017 numbering?
Can anyone explain why the numbering of this year's CVE entries jumped from CVE-2017-15xxx to CVE-2017-1000xxx?
What about entries with the numbering sequence CVE-2017-16xxx, CVE-2017-17xxx, and so on?
Why are ~984 000 entries not numbered…
urandom
10 votes, 4 answers
How general should a vulnerability be to be eligible for a CVE?
Which vulnerabilities are common enough to become a CVE? Is it related to "applications" only, or are websites accepted as well? Is a vulnerability in an unpopular website (or a local service) considered common enough?
semekh
7 votes, 3 answers
Source where you can find if a CVE has a patch or not
I'm wondering if there is a source available which has a list of CVE numbers and shows whether they have been patched or not (and maybe a link to a relevant patch). I know Secunia has something like this, but I was wondering if there are any others.
Lucas Kauffman
6 votes, 4 answers
When to apply for a CVE?
When you find a vulnerability, do you contact CVE assigners before contacting the vendor or after the vendor has fixed the problem?
PS: do not link to How are CVE identifiers assigned and managed?, as it doesn't answer my question.
user15194
5 votes, 1 answer
Why is the code CVE-2010-5298 used for a vulnerability discovered in 2014?
I was looking through the OpenSSL vulnerabilities list and came across CVE-2010-5298 as a 2014 vulnerability.
At http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298, under Date Entry Created, it says 20140414.
However, under…
user193130
3 votes, 1 answer
Why doesn't the official CVE database list the names of the reporters?
Why does neither MITRE nor NVD list the name(s) of the reporter(s) of a CVE? E.g. for CVE-2018-1123, neither MITRE nor NVD gives credit to the reporters. However, for some CVEs, SecurityFocus does list the names of the reporters.
If an external…
sherlock
3 votes, 1 answer
NVD: How to query without false positives when CPE Entries are not filled in for many CVEs?
So my naive approach was to query NVD for CPE URIs of software products I use.
Unfortunately I notice a lot of entries don't have CPE entries. (e.g. for 2016 there are currently 1332 without CPE URI).
So this means I have to grep through these for…
arved
3 votes, 1 answer
List of CVE resolved in OpenJDK build
What is the list of the CVEs resolved in the OpenJDK builds published at https://github.com/ojdkbuild/ojdkbuild/releases?
For example in this build:
https://github.com/ojdkbuild/ojdkbuild/releases/tag/1.8.0.151-1
Alternatively, can I assume that…
Michael
2 votes, 1 answer
Which CVE Numbering Authority (CNA) should I contact for a vulnerability found in the GNU Scientific Library?
I may have found a security bug in the GNU Scientific Library (https://www.gnu.org/software/gsl/) and would like to request a CVE ID number for it.
According to the procedure explained here: https://cve.mitre.org/cve/request_id.html#cna_participants, I…
zell
2 votes, 2 answers
Requesting a CVE for unpublished vulnerability in open-source project?
MITRE reorganized their assignment policy last year. They introduced a list of covered products and excluded other products from CVEs.
This year, they again opened up CVEs to all existing software, except open source software not in a list of…
tim
2 votes, 0 answers
Multiple CVE for the same product - Windows security patches
I've been tasked with updating the list of Microsoft security patches to be installed on our computers. I've done a first pass of the KBs and their related bulletins on the Microsoft site, and I'm a bit confused by one aspect of it.
Take for example,…
LFC
2 votes, 2 answers
How many security-related websites/software/systems/human brains will break when we get more than 10000 CVEs a year?
The last time such a question was asked, there wasn't even an official solution. Now that we have supposedly been on 5-digit CVE numbers for a whole year, I've never seen them in the wild (apart from on the MITRE website).
Will the security industry crumble…
billc.cn
1 vote, 2 answers
In the context of a CVE, what does "unspecified vectors" mean?
Let's take this CVE for example: http://www.cvedetails.com/cve/CVE-2014-9283/
"obtain administrative access via unspecified vectors."
What does "unspecified vectors" mean?
I saw this term in a lot of CVEs.
Does this mean via unspecified factors? (In…
Jeremy Allard