CVE and CWE

Khanna Ji
Tera Guru

Can anybody explain to me the difference between CVE (Common Vulnerabilities and Exposures) & CWE (Common Weakness Enumeration)? Also, please give one example of each, which will help me understand them easily.

1 ACCEPTED SOLUTION

Chris McDevitt
ServiceNow Employee

Think of Common Weakness Enumeration (CWE) as a way to categorize or group software "weakness and vulnerabilities" together. Another way to look at it is a classification system for software design flaws. For example, a design flaw may be classified as a "Development Concept", then "Data Processing Errors", and finally arriving at CWE-116: Improper Encoding or Escaping of Output.

Common Vulnerabilities and Exposures (CVE) on the other hand are used to specifically identify a real-world issue with software. A CVE identifies a weakness that organizations need to evaluate for remediation to prevent bad actors from exploiting it. Typically, a vulnerability scanner will identify a weakness and tag it with its related CVE number. Often vulnerability scanners will also have their own proprietary way of identifying and classifying vulnerabilities. The CVE creates a common framework for vulnerability reference across vendors.

Let's look at CVE-2016-0778. This vulnerability description is:

"The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings."

As you can see, it identifies the specific software (OpenSSH) and the versions (5.x - 7.1) that have the issue. If we look a little deeper, this CVE will reference its CWE category: CWE-119: Buffer Errors.

If this helps, please mark it as correct so others can benefit from our conversation.

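The CVE-to-affected-versions-to-CWE relationship from the accepted answer, as an added Python example that is not part of the original thread: it parses OpenSSH-style version strings, checks whether an installed build falls inside the range the CVE-2016-0778 description gives (5.x, 6.x and 7.x before 7.1p2), and tags the finding with the CWE-119 category the CVE references, the way a scanner record might. The `Cve` record, the `parse_openssh_version` parser and the `CWE_NAMES` table are constructed here and are not any real scanner's API.

```python
# Added example (not from the thread): models CVE -> affected versions -> CWE.
# The range for CVE-2016-0778 and its CWE-119 mapping come from the accepted
# answer; the record type and version parser are constructed here.
import re
from dataclasses import dataclass

# OpenSSH versions look like "7.1p2": major.minor plus an optional portable
# release "pN". A version with no "p" suffix sorts before "p1".
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:p(\d+))?$")

def parse_openssh_version(text: str) -> tuple:
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSH version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str
    affected_majors: tuple   # "5.x, 6.x, and 7.x"
    fixed_in: str            # "before 7.1p2"
    cwe_id: str              # the CWE category the CVE references

# Constructed from the description quoted in the accepted answer.
CVE_2016_0778 = Cve("CVE-2016-0778", "openssh", (5, 6, 7), "7.1p2", "CWE-119")

# CWE names as given in this thread (assumption: hand-typed subset; a real
# scanner would pull them from MITRE's CWE list).
CWE_NAMES = {
    "CWE-116": "Improper Encoding or Escaping of Output",
    "CWE-119": "Buffer Errors",
    "CWE-639": "Authorization Bypass Through User-Controlled Key",
}

def is_affected(cve: Cve, product: str, version: str) -> bool:
    """True if the installed build falls inside the CVE's affected range."""
    if product != cve.product:
        return False
    v = parse_openssh_version(version)
    return v[0] in cve.affected_majors and v < parse_openssh_version(cve.fixed_in)

def tag_finding(product: str, version: str) -> dict:
    """One scanner record for a host: the CVE hit plus the CWE it references."""
    hits = [c for c in (CVE_2016_0778,) if is_affected(c, product, version)]
    return {"product": product, "version": version,
            "cves": [c.cve_id for c in hits],
            "cwes": sorted(f"{c.cwe_id}: {CWE_NAMES[c.cwe_id]}" for c in hits)}
```

Note that the same CWE-119 tag would apply to a buffer error found by a pentester in custom code with no CVE at all, which is the distinction the replies below draw.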

5 REPLIES

Veer MS
Kilo Guru

Hi Swathi,

Please follow the below link for the solution.

https://community.synopsys.com/s/article/CWE-vs-CVE

Mark it as correct or helpful if I have answered your question.

Thanks

Veer

This one was the worst response; don't you think I googled before posting the question?

jonathanwalker
ServiceNow Employee

Hey Swathi,

A CVE is a vulnerability ID specific to one software flaw. I.e.: Java version 5.7 is vulnerable to xyz.

A CWE is a category of vulnerability, like CWE-639 "Authorization Bypass Through User-Controlled Key".

A CVE can have an associated CWE, but also, vulnerability scanners can find vulnerabilities that do not have a published CVE but would still categorize them under a CWE. Or a penetration tester could find a flaw in custom software code, & that could also be categorized by a CWE.

Hope that helps.

Thanks!
