News & Events

Send feedback about this page to cve@mitre.org.

"CVE-2005-4900" Is SHA-1 Collision Attack "SHAttered"
February 23, 2017

Researchers have published a practical method for producing two distinct files that share the same SHA-1 hash value; anything that relies on the SHA-1 digest alone, such as a digital signature computed over it, cannot tell the two files apart. This weakness in SHA-1 was assigned CVE ID CVE-2005-4900 in 2016. The collision described in this new research exploits the same weakness as CVE-2005-4900, and that CVE ID can be used when referencing this vulnerability.

For more information on the results of this additional research, visit https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html or http://shattered.io/.

1 Product from Avatares Foundation Now Registered as Officially "CVE-Compatible"
February 23, 2017


One additional cyber security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE website. A total of 152 products to date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":
Avatares Foundation -
Pandora-CSF

Use of the official CVE-Compatible logo allows system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. The compatibility process questionnaire helps end users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

NOTICE: CVE Request Web Form – Outage from 6:00 p.m.-7:00 p.m. EST on February 21
February 17, 2017

Due to scheduled maintenance, the CVE Request Web Form will be temporarily unavailable from 6:00 p.m. until 7:00 p.m. Eastern time on Tuesday, February 21, 2017.

This temporary outage affects requests to MITRE only. All other CVE Numbering Authorities (CNAs) can still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact cve@mitre.org with any comments or concerns.

NOTICE: CVE Request Web Form – Outage from 8:00 p.m.-10:00 p.m. EST on February 15
February 14, 2017

Due to scheduled maintenance, the CVE Request Web Form will be temporarily unavailable from 8:00 p.m. until 10:00 p.m. Eastern time on Wednesday, February 15, 2017.

This temporary outage affects requests to MITRE only. All other CVE Numbering Authorities (CNAs) can still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact cve@mitre.org with any comments or concerns.

Minutes from CVE Board Teleconference Meeting on January 25 Now Available
February 10, 2017

The CVE Board held a teleconference meeting on January 25, 2017. Read the meeting minutes.

Minutes from CVE Board Teleconference Meeting on January 11 Now Available
February 2, 2017

The CVE Board held a teleconference meeting on January 11, 2017. Read the meeting minutes.

New CVE Board Member from Black Duck Software
January 26, 2017

William Cox of Black Duck Software, Inc. has joined the CVE Board.

Read the full announcement and welcome message in the CVE Board email discussion list archive.

TIBCO Software Added as CVE Numbering Authority (CNA)
January 19, 2017

TIBCO Software, Inc. is now a CVE Numbering Authority (CNA) for TIBCO, Talarian, Spotfire, Data Synapse, Foresight, Kabira, Proginet, LogLogic, StreamBase, JasperSoft, and Mashery issues only.

CNAs are OS and product vendors, developers, security researchers, and research organizations that assign CVE IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE ID numbers in the first public disclosure of the vulnerabilities.

CNAs are the main method for requesting a CVE ID number. The following 48 organizations currently participate as CNAs: Adobe; Apache; Apple; BlackBerry; Brocade; CERT/CC; Check Point; Cisco; Debian GNU/Linux; Dell EMC; Distributed Weakness Filing Project; F5; Fortinet; FreeBSD; Google; HackerOne; HP; Hewlett Packard Enterprise; Huawei; IBM; ICS-CERT; Intel; ISC; JPCERT/CC; Juniper; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (primary CNA); Mozilla; Nvidia; Objective Development; OpenSSL; Oracle; Puppet; Rapid7; Red Hat; Silicon Graphics; Symantec; Talos; TIBCO; Ubuntu Linux; VMware; and Yandex.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Researcher Reservation Guidelines Document Now Available
January 12, 2017

The Researcher Reservation Guidelines document is now available on the CVE website. This document provides step-by-step guidelines on how to reserve one or more CVE IDs before publicizing a new vulnerability, so that the CVE IDs can be included in the initial public announcement of the vulnerability and used to track it from the outset.

CVE Updates Its Definition of "Vulnerability"
January 12, 2017

CVE has updated its definition of the term vulnerability as follows: "A 'vulnerability' is a weakness in the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that, when exploited, results in a negative impact to confidentiality, integrity, OR availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety)."

Visit the Terminology page for additional information. You may also contact us with any comments or concerns.

FOCUS ON: The Significance and Meaning of the Year Portion of a CVE Identifier
January 12, 2017

CVE Identifiers (CVE IDs) have the format CVE-YYYY-NNNN, where the sequence number NNNN has four or more digits. The YYYY portion is the year that the CVE ID was assigned OR the year the vulnerability was made public (if before the CVE ID was assigned).

The year portion is not used to indicate when the vulnerability was discovered, but only when it was made public or assigned.

Examples:

NOTE: Neither the date when a vulnerability was introduced into a product nor the date when it was fixed factors into the year indicated in the CVE ID assigned to that vulnerability.
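To make the ID syntax and the year rule concrete, the following is an added Python example, not MITRE tooling, that parses CVE IDs under the format above and computes the year an ID should carry from an assignment date and an optional public-disclosure date. The 1999 floor is the year the first CVE IDs were issued; the dates used in the usage lines are constructed to mirror the CVE-2005-4900 case (public in 2005, assigned in 2016) and are not records of actual assignment dates.

```python
import re
from datetime import date
from typing import NamedTuple, Optional, Union

# Syntax in force since the 2014 change: four-digit year, then four or more
# sequence digits (CVE-YYYY-NNNN, growing to CVE-YYYY-NNNNNN and beyond).
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")
FIRST_CVE_YEAR = 1999  # the first CVE IDs were CVE-1999-NNNN


class CveId(NamedTuple):
    year: int
    sequence: int
    canonical: str  # normalized upper-case form, digits kept as written


def parse_cve_id(text: str, max_year: Optional[int] = None) -> CveId:
    """Parse a CVE ID, raising ValueError on anything off-spec.

    Whitespace and case are normalized so "cve-2005-4900 " is accepted, but
    the sequence digits are kept as written in `canonical` because leading
    zeros in the four-digit form are significant (CVE-2014-0160 is a real ID;
    "CVE-2014-160" is rejected by the regex as too short).
    """
    cleaned = text.strip().upper()
    m = CVE_ID_RE.match(cleaned)
    if m is None:
        raise ValueError(f"not a CVE ID: {text!r}")
    year = int(m.group("year"))
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"{cleaned}: year predates the CVE program")
    if max_year is not None and year > max_year:
        raise ValueError(f"{cleaned}: year {year} is later than {max_year}")
    return CveId(year=year, sequence=int(m.group("seq")), canonical=cleaned)


def is_cve_id(text: str, max_year: Optional[int] = None) -> bool:
    """True when text parses as a CVE ID under the checks above."""
    try:
        parse_cve_id(text, max_year=max_year)
    except ValueError:
        return False
    return True


def _as_date(value: Union[date, str]) -> date:
    """Accept a date object or an ISO-8601 string such as "2016-06-01"."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def expected_cve_year(assigned_on: Union[date, str],
                      made_public_on: Optional[Union[date, str]] = None) -> int:
    """Year a CVE ID carries under the rule described on this page.

    The year is the assignment year, unless the issue was already public
    before the ID was assigned, in which case it is the year it became public.
    Discovery, introduction and fix dates play no part in the result.
    """
    assigned = _as_date(assigned_on)
    if made_public_on is not None:
        public = _as_date(made_public_on)
        if public < assigned:
            return public.year
    return assigned.year


if __name__ == "__main__":
    # Constructed dates mirroring CVE-2005-4900: public in 2005, assigned in 2016.
    print(parse_cve_id("cve-2005-4900"))                            # CveId(2005, 4900, 'CVE-2005-4900')
    print(expected_cve_year("2016-06-01", "2005-02-15"))            # 2005
    # Assigned before disclosure: the assignment year wins.
    print(expected_cve_year("2016-12-20", "2017-01-05"))            # 2016
    print(is_cve_id("CVE-2014-123"))                                # False
```

The `max_year` guard is there for tooling that ingests IDs from untrusted text (advisories, commit messages), where a plausible-looking ID with a future year is more likely a typo or a fabrication than a real assignment.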

Visit the CVE Identifiers section of the FAQs page for answers to other questions about CVE IDs. You may also contact us with any comments or concerns.

Page Last Updated or Reviewed: February 23, 2017