A CVE, short for Common Vulnerabilities and Exposures, is a known security vulnerability in software and hardware that is part of a publicly disclosed list of vulnerabilities. Understanding CVEs and their impact on your projects is essential for maintaining secure runtime environments.
In this document:
When a vulnerability is discovered in a software system, a Common Vulnerabilities and Exposures (CVE) identification number is created by the National Institute of Standards and Technology (NIST) and stored in the National Vulnerability Database (NVD). Each suspected vulnerability is reviewed by a CVE Numbering Authority (CNA), and if it contains a valid threat to the affected software, it is published under a unique identifier.
CVE identifiers are composed of the prefix “CVE” followed by an ID number (e.g., CVE-2024-12345). This identifier is used consistently across public databases, security advisories, and documentation to refer to the same vulnerability. Note that not all vulnerabilities are reported to a CNA, so some vulnerabilities may not have a CVE-ID.
CVEs are most often the result of flaws or weaknesses in software that can be exploited to gain unauthorized access, steal data, or otherwise compromise the integrity of a system. In most cases, these vulnerabilities are not intentional. For specific examples of common vulnerability causes, OWASP maintains an annual top 10 causes of vulnerabilities in web applications.
Common reasons why CVEs occur include:
Each CVE is associated with a severity rating that indicates the level of threat it poses. In the ActiveState Platform, CVEs are color-coded for easy identification: gray/purple for “low”, yellow for “medium”, orange for “high”, and red for “critical”.
The severity of each threat is assessed using the Common Vulnerability Scoring System (CVSS), which categorizes vulnerabilities as:
It’s important to note that the CVSS is NOT a risk assessment. The severity rating indicates the potential impact of a vulnerability, but the actual risk to your specific project depends on factors such as:
Managing CVEs effectively requires a systematic approach with three key steps. Creating a successful project may involve managing some risks, as not every listed vulnerability means your project is insecure. A thoughtful triage process helps you focus resources on the vulnerabilities that pose genuine risks to your specific environment.
The first step is to assess, or view, the CVEs in your current project. This should be done on a recurring basis (weekly, monthly, quarterly, etc.). Due to the evolving nature of software development, older packages and language versions may develop new vulnerabilities even if no changes have been made. Once a vulnerability is reported and assigned a CVE-ID, a previously secure package or language will now have a listed vulnerability.
After assessing the vulnerabilities, you need to triage the risk. We recommend starting with “Critical” severity vulnerabilities. Your triage group (or person) should:
Relevancy considerations include:
After triaging the risk, you can make a more informed decision about whether remediation is necessary.
The final step is deciding whether to remediate or acknowledge the vulnerability:
The ActiveState Platform can shorten the lengthy vulnerability remediation process of investigating, rebuilding, retesting, and updating runtime environments. The Platform lets you find, fix, and automatically rebuild secure runtimes in minutes by easily updating your project language version or packages, decreasing the Mean Time To Remediation (MTTR) from days to hours.
For detailed instructions on how to view and remediate CVEs in your ActiveState projects, see the documentation on viewing vulnerabilities and using the Organization Security Dashboard.