CVE Database
The CVE Database provides access to comprehensive information about Common Vulnerabilities and Exposures (CVEs). This searchable database is synchronized from the National Vulnerability Database (NVD) and contains detailed information about security vulnerabilities that may affect software in your environment.
Accessing the CVE Database
- Navigate to SAM in the main menu
- Under Vulnerability Management, click CVE Database
Understanding the CVE Database
Summary Statistics
The top of the page displays key metrics about the CVE database:
| Metric | Description |
|---|---|
| Total CVEs | Complete count of CVEs in the database |
| Critical | Number of CVEs with CVSS score 9.0-10.0 |
| High | Number of CVEs with CVSS score 7.0-8.9 |
| Medium | Number of CVEs with CVSS score 4.0-6.9 |
| Known Exploits | CVEs with confirmed exploit code available |
Search and Filters
Use the search bar and filters to find specific vulnerabilities:
- Search: Enter a CVE ID (e.g., "CVE-2024-1234") or keywords from the description
- Severity: Filter by severity level (Critical, High, Medium, Low)
- Known Exploit: Filter to show only vulnerabilities with confirmed exploits
Reading CVE Entries
Each CVE entry in the table displays:
| Column | Description |
|---|---|
| CVE ID | Unique identifier in format CVE-YYYY-NNNNN |
| Score | CVSS score from 0.0 to 10.0 |
| Severity | Color-coded severity badge |
| Description | Brief explanation of the vulnerability |
| Published | Date the CVE was first published |
| Exploit | Indicator if exploit code is known to exist |
| CPEs | Number of affected products/platforms |
| Actions | View full details |
CVSS Scoring
The Common Vulnerability Scoring System (CVSS) provides a standardized way to measure severity:
| Score Range | Severity | Action Required |
|---|---|---|
| 9.0 - 10.0 | 🔴 Critical | Immediate remediation required |
| 7.0 - 8.9 | 🟠 High | Remediate within days |
| 4.0 - 6.9 | 🟡 Medium | Plan remediation |
| 0.1 - 3.9 | 🟢 Low | Remediate as resources permit |
Viewing CVE Details
Click on any CVE ID or the action button to view complete details:
Vulnerability Information
- Full Description: Detailed explanation of the security issue
- Attack Vector: How the vulnerability can be exploited (Network, Local, etc.)
- Attack Complexity: Difficulty of exploitation
- Privileges Required: Access level needed to exploit
- User Interaction: Whether user action is needed
Affected Products
- List of software products and versions affected
- CPE identifiers for each affected product
- Version ranges that are vulnerable
References
- Links to vendor advisories
- Patch information
- Security bulletins
- Research papers or blog posts
CVSS Vector
The CVSS vector string breaks down the scoring:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Component | Meaning | Values |
|---|---|---|
| AV | Attack Vector | Network, Adjacent, Local, Physical |
| AC | Attack Complexity | Low, High |
| PR | Privileges Required | None, Low, High |
| UI | User Interaction | None, Required |
| S | Scope | Unchanged, Changed |
| C | Confidentiality Impact | None, Low, High |
| I | Integrity Impact | None, Low, High |
| A | Availability Impact | None, Low, High |
Using the CVE Database
Research Vulnerabilities
Before deploying new software or updates, search for known vulnerabilities:
- Search by software name or vendor
- Review severity levels and descriptions
- Check if patches are available
Investigate Alerts
When security tools flag potential issues:
- Search for the specific CVE ID
- Understand the attack vector and impact
- Determine if your environment is affected
Compliance Reporting
For security audits and compliance:
- Search for CVEs affecting critical systems
- Export findings for documentation
- Track remediation progress
Data Freshness
The CVE database is synchronized from the National Vulnerability Database. The Refresh button allows you to manually trigger synchronization to ensure you have the latest vulnerability data.
CVE data is sourced from NIST's National Vulnerability Database (NVD), which aggregates vulnerability information from multiple sources including software vendors, security researchers, and CERT coordination centers.
Related Topics
- Active Vulnerabilities - Managing vulnerabilities in your environment
- CPE Dictionary - Understanding software identification
- KB-CVE Mappings - Windows patch mapping