When discussing today's many vulnerabilities, people can use CVE to make sure that they refer to the same flaw. Suppose I were to tell you that I was hacked yesterday with a buffer-overflow attack in vendor XYZ's Web server. "Oh man!" you might respond, "I was hacked with a buffer overflow in XYZ's Web server as well. It must have been the same exploit!" With CVE, however, I can say, "I was hit with CVE-2007-1234." You might respond, "Oh, I got snagged by CVE-2007-5678." We could then rapidly conclude that while the issue was in the same software product, it was indeed a different vulnerability that we each suffered from. This consistent nomenclature is helpful in our business. Mitre has also started the Common Malware Enumeration project (CME), which aims to apply a consistent naming and numbering scheme to malware specimens.
The vast majority of vulnerabilities cataloged within the enumeration refer to software flaws in specific network service software and client-side applications. They focus on the exact vulnerabilities in particular products themselves, and not a description of the classes of vulnerabilities. That is, instead of explaining how buffer overflows generally work, CVE inventories thousands of examples of real buffer-overflow flaws. The list does include a significant number of application attacks, but only against specific applications, such as certain widely used ecommerce packages, enterprise resource planning (ERP) tools, database environments and groupware products. CVE doesn't focus on the description of Web application attacks, like cross-site scripting (XSS), SQL injection and session cloning. Instead, as you might expect, it includes specific examples of those kinds of vulnerabilities in widely used software, such as specific Apache modules, PHP scripts, commercial ecommerce software and so forth.
Here's the rub: a lot of Web application software is home-grown, with organizations rolling their own applications together to satisfy their business needs and serve their customers. Thus, it's not widely used software, and flaws in it are not included in the CVE. That's not Mitre's fault, though; the list keeps track of software vulnerabilities so that organizations deploying that software can be aware of their flaws. CVE, however, does not address general categories of flaws or vulnerabilities in company-specific Web applications.
This was first published in July 2007