CVE Announce - January 21, 2025 (opt-in newsletter from the CVE website)
Featured
· “CVE List Keyword Search” Now Available on CVE.ORG Website
· CVE Program Expands Partnership with Thales Group
· CVE Program’s 25th Anniversary Is Main Topic of “Below the Surface” Podcast
CVE Numbering Authorities (CNAs)
· 16 Additional Organizations Added as CNAs
Community
- New Call-for-Papers Deadline for “VulnCon 2025” – January 31, 2025
- CVE in the News
- Keeping Up with CVE
Featured
“CVE List Keyword Search” Now Available on CVE.ORG Website
The ability to search CVE Records by keyword is now available on CVE.ORG. Keywords may include a CVE ID (e.g., CVE-2024-1234), or one or more keywords separated by a space (e.g., authorization, SQL Injection, cross site scripting, etc.).
The new CVE List Keyword Search box—shown below—is located at the top of every page of the website. Please try the new CVE List keyword search and provide your feedback here.
Please note that this search is for the CVE List only. It will only search CVE Records. To search the overall website, use the “Site Search” located to the right of the CVE List search box.
Continuous Improvement
While Phase 1 brought CVE ID lookup to the new CVE.ORG website, Phase 2 of our search deployment brings keyword searching of the CVE List.
Users can now search by keywords with letters or numbers (e.g., vendor name, product name and version, vulnerability type, etc.), or by a CVE ID that must include all letters, numbers, and hyphens associated with the CVE ID, (e.g., CVE-2024-12345). Future phases will include adding the ability to search by special characters (e.g., dot (.), forward slash (/), etc. ), and other enhancements suggested by the community.
Community input is integral for our ability to continuously improve the search capability, so please provide your valuable feedback here.
It is important to note that the new keyword search capability may be temporarily unavailable when enhancements are added. During these times, the CVE List legacy search on CVE.MITRE.ORG will remain available for use as a fallback.
Search Tips
Enter keywords in the new keyword search box following the guidelines provided below.
By CVE ID:
- Must include only one CVE ID per search.
- CVE ID must include all letters, numbers, and hyphens associated with the CVE ID, e.g., CVE-2024-12345678.
- “CVE” may be entered as “cve”, “CVE”, or as a combination of uppercase and lowercase, as casing is ignored during search.
By Other Keyword(s):
- Must contain only alphanumeric characters, e.g., letters or numbers.
- May contain one or more keywords, separated by a space.
- Keywords may be entered in lowercase, uppercase, or a combination of both. Casing is ignored during search, e.g., the following variations are treated the same and would return the same results: Vulnerabilities, vulnerabilities, VULNERABILITIES.
Note: Newly published CVE Records are generally available to search within 30 minutes of publication.
Requesting Feedback
Thank you in advance for using the “CVE List Keyword Search” and providing your feedback, which will help us improve the capability for the community over time. The feedback form is available here.
Share this CVE article:
CVE Program Expands Partnership with Thales Group
The CVE® Program is expanding its partnership with Thales Group for managing the assignment of CVE Identifiers (CVE IDs) and publication of CVE Records for the CVE Program.
Thales Group is now designated as a Root for products and technologies of subsidiaries of Thales Group.
As a Root, Thales Group is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CVE Numbering Authorities (CNAs) under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope.
A CNA is an organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. There are currently 435 CNAs (433 CNAs and 2 CNA-LRs) from 40 countries and 1 no country affiliation actively participating in the CVE Program.
Currently, Google, JPCERT/CC, Red Hat, Spanish National Cybersecurity Institute (INCIBE), and Thales Group are Roots under the MITRE Top-Level Root. CISA ICS is a Root under the CISA Top-Level Root. Learn more about how the CVE Program is organized on the Structure page on the CVE website.
Share or comment on this CVE article on Medium:
https://medium.com/@cve_program/cve-program-expands-partnership-with-thales-group-6cb9d1d92e2e
CVE 25th Anniversary Is Main Topic of “Below the Surface” Podcast
The 25th anniversary of the Common Vulnerabilities and Exposures (CVE®) Program is the main topic of the “BTS #43 — CVE Turns 25” episode of Eclypsium’s “Below the Surface” podcast.
As noted on the Below the Surface episode’s web page, in the episode podcast host Paul Asadoorian chats with CVE Program Lead Alec Summers and CVE Board member Lisa Olson about the “25th anniversary of the CVE Program, its evolution, and the importance of transparency in vulnerability management. They explore the history of CVE, the process of creating CVE Records, and the role of CNAs in ensuring accountability. The conversation also addresses challenges related to end-of-life software vulnerabilities and the need for maintaining the integrity of CVE Records in an ever-evolving cybersecurity landscape. In this conversation, the speakers discuss the complexities of managing and analyzing vulnerabilities in software, particularly focusing on the roles of CVE and CVSS in providing accurate and enriched data. They explore the challenges of combining vulnerabilities to assess cumulative risk, the importance of community engagement in improving CVE Records, and the evolving landscape of supply chain vulnerabilities. The discussion emphasizes the need for better data analysis methods, the significance of community involvement, and the ongoing efforts to enhance the quality and accessibility of vulnerability information.”
Listen to the full podcast episode here.
From left to right: Paul Asidorian (host), Alec Summers, and Lisa Olson
Share or comment on this CVE article on Medium:
CVE Numbering Authorities (CNAs)
16 Additional Organizations Added as CNAs
Since our last issue, sixteen (16) additional organizations from around the world have partnered with the program as CNAs:
- Automox Inc. – All products created by Automox (USA)
- Beckman Coulter Diagnostics – Beckman Coulter Diagnostics manufactured products and technologies only (USA)
- Beckman Coulter Life Sciences – Beckman Coulter Life Sciences manufactured products and technologies only (USA)
- Cepheid – Cepheid products (USA)
- Delinea, Inc. – Vulnerabilities in Delinea products or services listed on delinea.com, or vulnerabilities in third-party products or services discovered by or reported to Delinea, unless covered by the scope of another CNA (USA)
- Delta Electronics, Inc. – Delta Electronics products as listed on www.deltaww.com (Taiwan)
- GraphQL Java – GraphQL Java, Java DataLoader, GraphQL Java Extended Scalars, and GraphQL Java Extended Validation (Australia)
- Gridware Cybersecurity – Gridware software, services, and infrastructure issues, as well as vulnerabilities discovered by or reported to Gridware researchers that are not in another CNA’s scope (Australia)
- Neo4j – Neo4j products and Neo4j-maintained projects only, not including end-of-life components or products (Sweden)
- OceanBase – OceanBase products only, not including end-of-life components or products (China)
- Omnissa, LLC – All Omnissa products and services, including Workspace ONE and Horizon ()
- PTC Inc. – All currently supported PTC software products and cloud/SaaS services (USA)
- Radiometer Medical ApS – Radiometer products only (Denmark)
- Roche Diagnostics – Roche’s medical technology products (Switzerland)
- SOCRadar Cyber Intelligence Inc. – Vulnerabilities in SOCRadar products and services and vulnerabilities discovered by or reported to SOCRadar that are not in another CNA’s scope (USA)
- S21sec Cyber Solutions by Thales – Vulnerabilities discovered by S21sec that are not within another CNA’s scope (Spain)
CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
There are currently 435 CNAs (433 CNAs and 2 CNA-LRs) from 40 countries and 1 no country affiliation participating in the CVE Program. View the entire list of CNA partners on the CVE website.
The “CNA Enrichment Recognition List” for January 13, 2025, is now available with 236 CNAs listed. Published every two weeks on the CVE website, the list recognizes those CVE Numbering Authorities (CNAs) that are actively providing enhanced vulnerability data in their CVE Records. CNAs are added to the list if they provide Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) information 98% of the time or more within the two-week period of their last published CVE Record.
For more about the recognition list, see “Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records.” To learn more about vulnerability information types like CVSS and CWE, see the CVE Record User Guide. View the most current CNA Enrichment Recognition List on the CVE website Metrics page here.
CNA Enrichment Recognition List for January 13, 2025, with 236 CNAs listed:
- 9front Systems
- Absolute Software
- Acronis International GmbH
- Adobe Systems Incorporated
- Advanced Micro Devices Inc.
- AlgoSec
- Alias Robotics S.L.
- Amazon
- AMI
- AppCheck Ltd.
- ARC Informatique
- Asea Brown Boveri Ltd.
- ASR Microelectronics Co., Ltd.
- Autodesk
- Automotive Security Research Group (ASRG)
- Avaya Inc.
- Axis Communications AB
- Baicells Technologies Co., Ltd.
- Baidu, Inc.
- Baxter Healthcare
- Becton, Dickinson and Company (BD)
- BeyondTrust Inc.
- Bitdefender
- Black Duck Software, Inc.
- BlackBerry
- Brocade Communications Systems, Inc.
- Canon EMEA
- Canon Inc.
- Carrier Global Corporation
- Cato Networks
- CERT.PL
- CERT@VDE
- Check Point Software Technologies Ltd.
- Checkmarx
- Checkmk GmbH
- Ciena Corporation
- cirosec GmbH
- Cisco Systems, Inc.
- ClickHouse, Inc.
- Cloudflare, Inc.
- Concrete CMS
- CyberArk Labs
- CyberDanube
- Dassault Systèmes
- Delinea, Inc.
- Dell EMC
- Dfinity Foundation
- DirectCyber
- Docker Inc.
- dotCMS LLC
- Dragos, Inc.
- Dutch Institute for Vulnerability Disclosure (DIVD)
- Eaton
- Eclipse Foundation
- ELAN Microelectronics Corp.
- Elastic
- EnterpriseDB Corporation
- Environmental Systems Research Institute, Inc. (Esri)
- Ericsson
- ESET, spol. s r.o.
- EU Agency for Cybersecurity (ENISA)
- Exodus Intelligence
- F5 Networks
- Fedora Project (Infrastructure Software)
- Flexera Software LLC
- Fluid Attacks
- Forcepoint
- Forescout Technologies
- ForgeRock, Inc.
- Fortinet, Inc.
- Fortra, LLC
- Gallagher Group Ltd
- GE Healthcare
- Genetec Inc.
- Gitea Limited
- GitHub (maintainer security advisories)
- GitHub Inc, (Products Only)
- GitLab Inc.
- Glyph & Cog, LLC
- Google LLC
- Grafana Labs
- Gridware Cybersecurity
- Hanwha Vision Co., Ltd.
- HashiCorp Inc.
- HCL Software
- HeroDevs
- HiddenLayer, Inc.
- Hillstone Networks Inc.
- Hitachi Energy
- Hitachi Vantara
- Hitachi, Ltd.
- Honeywell International Inc.
- HP Inc.
- Huawei Technologies
- HYPR Corp
- ICS-CERT
- Indian Computer Emergency Response Team (CERT-In)
- Intel Corporation
- Israel National Cyber Directorate
- Ivanti
- Jamf
- JetBrains s.r.o.
- JFROG
- Johnson Controls
- JPCERT/CC
- Juniper Networks, Inc.
- Kaspersky
- KNIME AG
- KrCERT/CC
- Kubernetes
- Lenovo Group Ltd.
- Lexmark International Inc.
- LG Electronics
- Liferay, Inc.
- Logitech
- M-Files Corporation
- ManageEngine
- Mattermost, Inc
- Mautic
- Microchip Technology
- Microsoft Corporation
- Milestone Systems A/S
- Mitsubishi Electric Corporation
- MongoDB
- Moxa Inc.
- N-able
- National Cyber Security Centre — Netherlands (NCSC-NL)
- National Cyber Security Centre Finland
- National Cyber Security Centre SK-CERT
- National Instruments
- NEC Corporation
- Netflix, Inc.
- Netskope
- NLnet Labs
- NortonLifeLock Inc
- Nozomi Networks Inc.
- Octopus Deploy
- Okta
- ONEKEY GmbH
- Open Design Alliance
- Open-Xchange
- OpenAnolis
- openEuler
- OpenHarmony
- OpenText (formerly Micro Focus)
- OPPO
- OTRS AG
- Palantir Technologies
- Palo Alto Networks
- Panasonic Holdings Corporation
- Pandora FMS
- PaperCut Software Pty Ltd
- Patchstack OÜ
- Payara
- Pegasystems
- Pentraze Cybersecurity
- Perforce
- PHP Group
- Ping Identity Corporation
- PlexTrac, Inc.
- PostgreSQL
- Progress Software Corporation
- Proofpoint Inc.
- Protect AI
- Pure Storage, Inc.
- Python Software Foundation
- QNAP Systems, Inc.
- Qualcomm, Inc.
- rami.io GmbH
- Rapid7, Inc.
- Real-Time Innovations, Inc.
- Robert Bosch GmbH
- SailPoint Technologies
- Samsung TV & Appliance
- SAP SE
- SBA Research gGmbH
- Schneider Electric SE
- Schweitzer Engineering Laboratories, Inc.
- Secomea
- Securin
- Security Risk Advisors
- ServiceNow
- SHENZHEN CoolKit Technology CO., LTD.
- SICK AG
- Siemens
- Silicon Labs
- Snow Software
- Snyk
- SoftIron
- SolarWinds
- Sonatype Inc.
- Sophos
- Spanish National Cybersecurity Institute, S.A.
- Splunk
- STAR Labs SG Pte. Ltd.
- Suse
- Switzerland National Cyber Security Centre (NCSC)
- Symantec — A Division of Broadcom
- Synaptics
- Synology Inc.
- Talos
- TeamViewer Germany GmbH
- Teltonika Networks
- Temporal Technologies Inc.
- Tenable Network Security, Inc.
- Thales Group
- The Document Foundation
- The Missing Link Australia (TML)
- The Tcpdump Group
- TianoCore.org
- Tigera
- Toshiba Corporation
- TR-CERT (Computer Emergency Response Team of the Republic of Turkey)
- TWCERT/CC
- TXOne Networks, Inc.
- upKeeper Solutions
- Vivo Mobile Communication Technology Co.,LTD.
- VulDB
- VulnCheck
- VULSec Labs
- WatchGuard Technologies, Inc.
- Western Digital
- Wiz, Inc.
- Wordfence
- Xerox Corporation
- Xiaomi Technology Co Ltd
- Yandex N.V.
- Yokogawa Group
- Yugabyte, Inc.
- Zephyr Project
- Zero Day Initiative
- Zoom Video Communications, Inc.
- Zscaler, Inc.
- ZTE Corporation
- ZUSO Advanced Research Team (ZUSO ART)
- Zyxel Corporation
Share this CVE article:
Community
New Call-for-Papers Deadline for “VulnCon 2025” – January 31, 2025
The CVE Program and FIRST will co-host VulnCon 2025 at the McKimmon Center in Raleigh, North Carolina, USA, on April 7–10, 2025. The Call for Papers deadline has been extended until January 31, 2025. See details here.
Registration, both virtual and in-person, is open on this page on the FIRST website.
The purpose of the VulnCon — which is open to the public — is to collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem. A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and best determine how to benefit the ecosystem broadly.
Call for Papers (CFP) to Close on January 31
We are seeking session talks and training/workshops on the following topics:
- Vulnerability Metadata — including sessions focused on CVE, CVSS, CWE, CSAF, EPSS, SSVC, VEX, EoX, and others, including Working Group, SIG, and other foundation read-report-outs
- Managing Risk — including sessions on articulating and framing risk for stakeholders in the vulnerability ecosystem
- Vulnerability Management’s Intersection with Global Public Policy & Regulation — What are current and emerging trends in the global regulatory space
- PSIRT Service Framework — Introductory, intermediate, and advanced topics for product security teams and defenders
- “State of…” Operations, Tooling, and the craft of product security, incident response, and ecosystem vulnerability management
- Coordinated Vulnerability Disclosure — practices and challenges in sharing and reporting security vulnerabilities and exploits
VulnCon 2025 will have nearly 150 open speaking and/or training sessions available, so please consider submitting a session or education training to share with the ecosystem.
CFP Timeline
- Call for Papers Closes: January 31, 2025
- Acceptance Notifications: Notification waves completed by the week of February 17, 2025
- Acceptance Due Date: March 7, 2025
Speaker Privileges
To help keep registration fees reasonable for all, we do not offer special discounts for speakers or workshop presenters. There is no accommodation or travel support provided.
Submission Process
All proposals should be submitted via the “EasyChair” link on the FIRST website. You are welcome to submit multiple proposals.
Learn More About VulnCon 2025
For most up-to-date information, visit the CVE/FIRST VulnCon 2025 conference page hosted on the FIRST website. We look forward to seeing you at this annual community event!
Share or comment on this CVE article on Medium:
- Cloud Attackers Exploit Max-Critical Aviatrix RCE Flaw, Dark Reading
- Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344, WeLiveSecurity
- CISA: BeyondTrust flaw CVE-2024-12686 exploited in the wild, TechTarget SearchSecurity
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws, Bleeping Computer
- Fortinet Confirms Critical Zero-Day Vulnerability in Firewalls, Infosecurity Magazine
- CVE-2025-0282 and CVE-2025-0283: Critical Ivanti 0days Exploited in the Wild, Wiz Blog
- Moxa Alerts Users to High-Severity Vulnerabilities in Cellular and Secure Routers, The Hacker News
Follow us for the latest from CVE:
- X feed of the latest CVE Records
- X feed of news and announcements about CVE
- Mastodon feed of news and announcements about CVE
- Bluesky feed of news and announcements about CVE
- CVE Website News page
- CVE LinkedIn page
- CVE-CWE LinkedIn showcase page
- CVE Blog on Medium
- We Speak CVE Podcast
- CVEProject on GitHub
- CVE Program YouTube Channel
- CVE Announce Email Newsletter
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
