News & Events


Siemens Added as CVE Numbering Authority (CNA)
March 23, 2017

Siemens AG is now a CVE Numbering Authority (CNA) for Siemens issues only.

CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 53 organizations currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; Canonical; CERT/CC; Check Point; Cisco; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; F5; Flexera Software; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Netgear; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Qihoo 360; Rapid 7; Red Hat; Siemens; Silicon Graphics; Symantec; Talos; TIBCO; VMware; and Yandex.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

FOCUS ON: The Significance and Meaning of a CVE Identifier Marked as "RESERVED"
March 16, 2017

A CVE Identifier (CVE ID) is marked as "RESERVED" when it has been reserved for use by a vendor or security researcher but the details of it are not yet populated by the requester.

A CVE ID can change from the RESERVED state to being populated at any time based on a number of factors both internal and external to MITRE.

An example of an internal factor could include the bulk assignment of CVE IDs to a CVE Numbering Authority (CNA). These CVE IDs are marked as RESERVED upon allocation to a CNA, before they are assigned to a specific vulnerability. An example of an external factor could include a vulnerability that has not yet been publicly disclosed, such as when the affected product vendor is still developing a mitigation.

It is also important to note that when a CVE ID is marked as RESERVED, it will not yet be available in the U.S. National Vulnerability Database (NVD). NVD is based upon and fed by the CVE List.

However, once the CVE ID is populated with details and published on the CVE List on the CVE website, it will become available in NVD. As one of the final steps in the overall process, the NVD Common Vulnerability Scoring System (CVSS) scores for the CVE ID are assigned by the NIST NVD team.

Visit the CVE Identifiers section of the FAQs page for answers to other questions about CVE IDs. You may also contact us with any comments or concerns.

CVE Launches "@CVEannounce" Twitter Feed
March 16, 2017

Please follow our second Twitter account at https://twitter.com/CVEannounce/ to get the latest CVE news and announcements.

Minutes from CVE Board Teleconference Meetings on February 8 and February 22 Now Available
March 16, 2017

The CVE Board held teleconference meetings on February 8, 2017 and February 22, 2017. Read the February 8 or February 22 meeting minutes.

Flexera Software and Netgear Added as CVE Numbering Authorities (CNAs)
March 14, 2017

Two additional organizations are now CVE Numbering Authorities (CNAs): Flexera Software LLC for all Flexera products and vulnerabilities discovered by Secunia Research that are not covered by another CNA, and Netgear, Inc. for Netgear issues only.

CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 52 organizations currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; Canonical; CERT/CC; Check Point; Cisco; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; F5; Flexera Software; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Netgear; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Qihoo 360; Rapid 7; Red Hat; Silicon Graphics; Symantec; Talos; TIBCO; VMware; and Yandex.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Qihoo 360 Added as CVE Numbering Authority (CNA)
March 9, 2017

Qihoo 360 Technology Co., Ltd. is now a CVE Numbering Authority (CNA) for 360 Safeguard, 360 Mobile Safe, and 360 Safe Router issues only.

CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 50 organizations currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; Canonical; CERT/CC; Check Point; Cisco; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; F5; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Qihoo 360; Rapid 7; Red Hat; Silicon Graphics; Symantec; Talos; TIBCO; VMware; and Yandex.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

CVE Launches New "CVE-CWE-CAPEC" Page on LinkedIn
March 9, 2017

The CVE Team has launched a "CVE-CWE-CAPEC" page on LinkedIn as an easy way for the community to comment on and share CVE Blog posts. Please stop by our new page and say hello. We very much look forward to hearing from you.

UPDATED NOTICE: CVE Request Web Form – Outage Rescheduled to 9:30 p.m.-11:30 p.m. EDT on March 8
March 8, 2017

The previously announced scheduled maintenance outage time for today has changed. The CVE Request Web Form will now be temporarily unavailable from 9:30 p.m. until 11:30 p.m. Eastern time, Wednesday, March 8, 2017. Please disregard the times stated in the previous announcement.

This temporary outage affects requests to MITRE only. All other CVE Numbering Authorities (CNAs) can still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact cve@mitre.org with any comments or concerns.

NOTICE: CVE Request Web Form – Outage from 8:00 p.m.-10:00 p.m. EDT on March 8
March 6, 2017

Due to scheduled maintenance, the CVE Request Web Form will be temporarily unavailable from 8:00 p.m. until 10:00 p.m. Eastern time on Wednesday, March 8, 2017.

This temporary outage affects requests to MITRE only. All other CVE Numbering Authorities (CNAs) can still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact cve@mitre.org with any comments or concerns.

CVE Launches Twitter Feed of Newest CVE IDs
March 2, 2017

Please follow our new Twitter feed at https://twitter.com/CVEnew/ to get regular updates of the newest CVE IDs.

Drupal.org Added as CVE Numbering Authority (CNA)
February 28, 2017

Drupal.org is now a CVE Numbering Authority (CNA) for all issues for projects hosted under Drupal.org only.

CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE IDs in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 49 organizations currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; Canonical; CERT/CC; Check Point; Cisco; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; Drupal.org; F5; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Rapid 7; Red Hat; Silicon Graphics; Symantec; Talos; TIBCO; VMware; and Yandex.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

"CVE-2005-4900" Is SHA-1 Collision Attack "SHAttered"
February 23, 2017

Researchers have published a practical method for crafting a file that shares a valid SHA-1 signature with another file. This vulnerability in SHA-1 was assigned CVE ID CVE-2005-4900 in 2016. The vulnerability described in this new research is the same as the vulnerability described in CVE-2005-4900, and this CVE ID can be used when referencing this vulnerability.

For more information on the results of this additional research, visit https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html or http://shattered.io/.

1 Product from Avatares Foundation Now Registered as Officially "CVE-Compatible"
February 23, 2017

One additional cyber security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE website. A total of 152 products to date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":
Avatares Foundation - Pandora-CSF

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

NOTICE: CVE Request Web Form – Outage from 6:00 p.m.-7:00 p.m. EDT on February 21
February 17, 2017

Due to scheduled maintenance, the CVE Request Web Form will be temporarily unavailable from 6:00 p.m. until 7:00 p.m. Eastern time on Tuesday, February 21, 2017.

This temporary outage affects requests to MITRE only. All other CVE Numbering Authorities (CNAs) can still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact cve@mitre.org with any comments or concerns.

NOTICE: CVE Request Web Form – Outage from 8:00 p.m.-10:00 p.m. EDT on February 15
February 14, 2017

Due to scheduled maintenance, the CVE Request Web Form will be temporarily unavailable from 8:00 p.m. until 10:00 p.m. Eastern time on Wednesday, February 15, 2017.

This temporary outage affects requests to MITRE only. All other CVE Numbering Authorities (CNAs) can still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact cve@mitre.org with any comments or concerns.

Minutes from CVE Board Teleconference Meeting on January 25 Now Available
February 10, 2017

The CVE Board held a teleconference meeting on January 25, 2017. Read the meeting minutes.

Minutes from CVE Board Teleconference Meeting on January 11 Now Available
February 2, 2017

The CVE Board held a teleconference meeting on January 11, 2017. Read the meeting minutes.

New CVE Board Member from Black Duck Software
January 26, 2017

William Cox of Black Duck Software, Inc. has joined the CVE Board.

Read the full announcement and welcome message in the CVE Board email discussion list archive.

TIBCO Software Added as CVE Numbering Authority (CNA)
January 19, 2017

TIBCO Software, Inc. is now a CVE Numbering Authority (CNA) for TIBCO, Talarian, Spotfire, Data Synapse, Foresight, Kabira, Proginet, LogLogic, StreamBase, JasperSoft, and Mashery issues only.

CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID number. The following 48 organizations currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; Canonical; CERT/CC; Check Point; Cisco; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; F5; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Rapid 7; Red Hat; Silicon Graphics; Symantec; Talos; TIBCO; VMware; and Yandex.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Researcher Reservation Guidelines Document Now Available
January 12, 2017

The Researcher Reservation Guidelines document is now available on the CVE website. This document provides step-by-step guidelines on how to reserve CVE IDs before publicizing a new vulnerability so that CVE IDs can be included in the initial public announcement of the vulnerability and can be used to track vulnerabilities.

CVE Updates Its Definition of "Vulnerability"
January 12, 2017

CVE has updated its definition of the term vulnerability as follows: "A 'vulnerability' is a weakness in the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that, when exploited, results in a negative impact to confidentiality, integrity, OR availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety)."

Visit the Terminology page for additional information. You may also contact us with any comments or concerns.

FOCUS ON: The Significance and Meaning of the Year Portion of a CVE Identifier
January 12, 2017

CVE Identifiers (CVE IDs) have the format CVE-YYYY-NNNNN. The YYYY portion is the year that the CVE ID was assigned OR the year the vulnerability was made public (if before the CVE ID was assigned).

The year portion is not used to indicate when the vulnerability was discovered, but only when it was made public or assigned.

Examples:

NOTE: Neither the date when a vulnerability was introduced into a product nor the date when a vulnerability was fixed in a product factors into what year is indicated in the CVE ID assigned to that vulnerability.

Visit the CVE Identifiers section of the FAQs page for answers to other questions about CVE IDs. You may also contact us with any comments or concerns.

Page Last Updated or Reviewed: March 23, 2017