What’s a CVE anyway?

Reading about the recent vulnerabilities announced by Atlassian in articles such as this one,

https://www.helpnetsecurity.com/2024/01/16/cve-2023-22527/

prompted me to look into what makes a vulnerability become a CVE and what process is involved, as I had made assumptions about legal disclosure that turned out to be mistaken.

A security vulnerability that needs patching should be registered with a CVE Numbering Authority (CNA), which adds it to the Common Vulnerabilities and Exposures (CVE) program and assigns it an ID for easy tracking. The interesting thing, though, is that the vendor has total discretion over whether a CVE ID is assigned or not.

Per section 7 of the CNA Rules, a vendor that received a report about a security vulnerability has full discretion with regard to it. This can lead to a conflict of interest, as a vendor may attempt to leave flaws unpatched by denying a CVE assignment in the first place – a decision which Mitre can't reverse.

https://en.m.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

https://cve.mitre.org/

Some useful measures of a CVE's impact are CVSS, EPSS and KEV.

EPSS (Exploit Prediction Scoring System) rates how likely a vulnerability is to be exploited in the real world, as a percentage ranging from 0% to 100%.

CVSS (Common Vulnerability Scoring System) rates the severity of the vulnerability as Critical, High, Medium or Low.

CVSS and EPSS are often combined, because CVSS on its own doesn't help an organization assess risk and prioritize the actions needed to mitigate it.

The KEV (Known Exploited Vulnerabilities) catalog, as the name suggests, lists vulnerabilities that are known to have been exploited.
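As an added example (not from the original post), the script below ranks a constructed set of vulnerabilities by combining the three signals: KEV membership first, then EPSS likelihood, then CVSS severity. The tier scheme, the 10% EPSS threshold and the CVE IDs are assumptions made up for illustration.

```python
"""Rank vulnerabilities by combining CVSS severity, EPSS probability and KEV membership.

The thresholds and tiers below are assumptions for illustration, not a published standard.
"""
from dataclasses import dataclass

# Assumed decision threshold (not from any standard); tune to your own risk appetite.
EPSS_HIGH = 0.10  # EPSS >= 10% exploitation probability is treated as "likely exploited"
CVSS_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass
class Vuln:
    cve_id: str
    cvss_severity: str  # qualitative CVSS rating: Critical / High / Medium / Low
    epss: float         # EPSS probability, 0.0 .. 1.0
    in_kev: bool        # listed in the KEV catalog


def priority_tier(v: Vuln) -> int:
    """Return 1 (act now) .. 4 (backlog) by combining the three signals.

    Tier 1: in KEV (known exploited), whatever the CVSS rating says.
    Tier 2: not in KEV, but EPSS says exploitation is likely and impact is High/Critical.
    Tier 3: high impact with low exploitation likelihood, or likely exploited but lower impact.
    Tier 4: everything else.
    """
    if v.in_kev:
        return 1
    severe = CVSS_ORDER[v.cvss_severity] >= CVSS_ORDER["High"]
    likely = v.epss >= EPSS_HIGH
    if severe and likely:
        return 2
    if severe or likely:
        return 3
    return 4


def rank(vulns: list) -> list:
    """Order CVE IDs by tier, then EPSS (descending), then CVSS severity (descending)."""
    ordered = sorted(vulns, key=lambda v: (priority_tier(v), -v.epss, -CVSS_ORDER[v.cvss_severity]))
    return [v.cve_id for v in ordered]


# Constructed sample records: IDs and scores are made up for this example, not real CVEs.
SAMPLE = [
    Vuln("CVE-0000-0001", "Critical", 0.02, False),  # severe on paper, rarely exploited
    Vuln("CVE-0000-0002", "Medium", 0.45, True),     # in KEV: act first despite "Medium"
    Vuln("CVE-0000-0003", "High", 0.30, False),      # severe and likely to be exploited
    Vuln("CVE-0000-0004", "Low", 0.01, False),       # backlog
    Vuln("CVE-0000-0005", "Low", 0.20, False),       # likely exploited but low impact
]

if __name__ == "__main__":
    for cve in rank(SAMPLE):
        print(cve, "tier", priority_tier(next(v for v in SAMPLE if v.cve_id == cve)))
```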
