A security engineer sends you a Slack message: "CVE-2024-XXXXX just dropped, score 9.8 — are we affected?" Do you know how to find out? Reading a CVE report is a core IT skill. This guide walks you through every field, using the most famous CVE in recent history as a live example.
Where to find CVE reports
There are three primary sources:
- NVD (National Vulnerability Database) — nvd.nist.gov — the most complete source. Contains CVSS scores, affected CPE configurations, references, and patch links. This is your first stop.
- MITRE CVE List — cve.mitre.org (the CVE Program now publishes at cve.org; the old address redirects there) — the authoritative registry. Simpler than NVD, with the official description and references. Use this when NVD has not yet enriched a newly published CVE.
- Vendor security advisories — Microsoft Security Response Center (MSRC), Red Hat Security Advisories, Apple Security Updates, etc. Vendors publish their own analysis with product-specific patch instructions. Always check these alongside NVD.
Anatomy of a CVE report
Every NVD CVE page has the same structure. Here is what each section means:
Full walkthrough: Log4Shell (CVE-2021-44228)
CVE ID
CVE-2021-44228 — assigned in 2021, disclosed publicly on 9 December 2021. The year in the ID tells you when the ID was reserved or published, not when the bug was introduced into the code.
Description (simplified)
"Apache Log4j2 2.0-beta9 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled."
Translation: if your Java application uses Log4j to write log messages, and an attacker can get any text they control into a log message (a username field, an HTTP header, anything), they can make your server fetch and run code from a server they control. No authentication needed.
CVSS Score
CRITICAL 10.0 — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Reading the vector: Network attack (AV:N), Low complexity (AC:L), No privileges required (PR:N), No user interaction (UI:N), Changed scope (S:C, meaning the impact reaches beyond the vulnerable component into other systems), High confidentiality impact (C:H), High integrity impact (I:H), High availability impact (A:H). Every metric is at its most severe value, which is why the score is the maximum 10.0.
CWE
CWE-917 — Improper Neutralisation of Special Elements used in an Expression Language Statement. The logging library interpreted user-controlled input as code (a JNDI lookup expression) instead of treating it as plain text.
Affected configurations
Apache Log4j2 versions 2.0-beta9 through 2.14.1. NVD's CPE range ends just before 2.15.0; the description text above says "through 2.15.0" because the fix in 2.15.0 turned out to be incomplete and the remaining issue was tracked separately as CVE-2021-45046. Note: Log4j 1.x is NOT affected by this CVE (it has its own, different vulnerabilities). The fix was released in 2.15.0 (partial), 2.16.0 removed the message lookup feature entirely, and 2.17.0 also fixed a follow-on denial of service (CVE-2021-45105), which is why 2.17.0 or later became the upgrade target.
Key references
- Apache security advisory confirming the fix and affected versions
- LunaSec blog post (the first public technical analysis)
- GitHub proof-of-concept exploits (appeared within hours of disclosure)
- CISA emergency directive requiring federal agencies to patch within days
The hardest part of Log4Shell was not patching Log4j itself — it was finding all the places Log4j was used. Many organisations had no idea they had it because it was bundled inside other commercial products. This is why software bill of materials (SBOM) — a list of every library in your software — is now a compliance requirement for many industries.
Vendor advisories — why they matter
The NVD entry gives you the vulnerability; vendor advisories give you the fix. After finding a CVE that affects your software, always look up the vendor's specific advisory for:
- Exact affected versions — vendor version ranges sometimes differ slightly from NVD's CPE data
- Patch version to upgrade to — not just "upgrade", but specifically which version fixes it
- Workarounds — if you cannot patch immediately, vendors often document configuration changes that reduce exposure
- Indicators of compromise (IoCs) — some advisories include log signatures or network patterns that show whether you were already hit
The 5 questions to ask every time
When you read a CVE report, these five questions give you everything you need to make a decision:
- Do we run the affected software? Check your asset inventory against the CPE list. If no, you are done.
- Are we on a vulnerable version? Version ranges matter: 2.14.0 is affected, 2.17.0 is not. Check the exact version, and compare versions as versions (2.9.0 is older than 2.14.0), not as text.
- Is it reachable? Is the vulnerable service exposed to the internet, to internal users, or only to admins? Network exposure dramatically changes risk.
- Is there a patch? If yes, apply it. Check the vendor advisory for the specific patched version.
- Is it being actively exploited? Check the CISA KEV catalog. If yes, patch immediately — before anything else.
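The five questions, as an added script written for this guide (not NVD, CISA or Apache code). The CVE record, the KEV membership and the asset inventory are constructed inline from the Log4Shell facts above so it runs offline; a real pipeline would fetch them from the NVD API and the CISA KEV JSON feed and would match on full CPE strings rather than a vendor/product pair. The part worth copying is `version_key`: affected ranges must be compared as versions, so that 2.0-beta9 sorts before 2.0 and 2.9.0 before 2.14.0.

```python
"""The five questions as a triage script.

Added example for this guide, not code from NVD, CISA or Apache. The CVE
record, KEV set and asset inventory below are constructed from the
Log4Shell facts on this page so the script runs offline.
"""
import re
from dataclasses import dataclass

PRE_RELEASE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version: str) -> tuple:
    """Sort key giving 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1 < 2.14.1 < 2.15.0.

    Covers the dotted-numeric plus optional -qualifier scheme Log4j uses.
    Other ecosystems (PEP 440, semver build metadata) need their own rules;
    what never works is comparing version strings lexically.
    """
    main, _, pre = version.partition("-")
    nums = [int(part) for part in main.split(".")]
    nums += [0] * (3 - len(nums))                       # "2.4" == "2.4.0"
    if pre:
        match = re.fullmatch(r"([A-Za-z]+)(\d*)", pre)
        if match is None:
            raise ValueError(f"unrecognised pre-release qualifier in {version!r}")
        tag, number = match.group(1).lower(), int(match.group(2) or 0)
        pre_key = (0, PRE_RELEASE_ORDER.get(tag, 1), number)  # before any final release
    else:
        pre_key = (1,)
    return (tuple(nums), pre_key)


@dataclass(frozen=True)
class VersionRange:
    """Mirrors NVD's versionStartIncluding / versionEndExcluding pair."""
    start_including: str
    end_excluding: str

    def contains(self, version: str) -> bool:
        key = version_key(version)
        return version_key(self.start_including) <= key < version_key(self.end_excluding)


@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str
    product: str
    version: str
    exposure: str            # "internet", "internal" or "isolated"


# Constructed from the walkthrough above: 2.0-beta9 through 2.14.1 affected,
# 2.15.0 partial, 2.17.0 the recommended upgrade.
CVE_2021_44228 = {
    "id": "CVE-2021-44228",
    "cvss": 10.0,
    "vendor": "apache",
    "product": "log4j",
    "ranges": [VersionRange("2.0-beta9", "2.15.0")],
    "fixed_in": "2.17.0",
}
KEV = {"CVE-2021-44228"}     # CISA KEV membership, constructed for the example


def triage(asset: Asset, cve: dict, kev: set) -> tuple:
    """Return (priority, reason) by walking the five questions."""
    # Q1: do we run the affected software? (vendor/product stands in for the CPE match)
    if (asset.vendor, asset.product) != (cve["vendor"], cve["product"]):
        return ("none", "Q1: product not affected")
    # Q2: are we on a vulnerable version? A range check, never a string compare.
    if not any(r.contains(asset.version) for r in cve["ranges"]):
        return ("none", f"Q2: {asset.version} is outside the affected range")
    # Q5 is decided before Q3/Q4: active exploitation means patch before anything else.
    if cve["id"] in kev:
        return ("immediate", f"Q5: in CISA KEV, upgrade to {cve['fixed_in']}")
    # Q4: with no fix released, the action is the vendor workaround, not an upgrade.
    if cve["fixed_in"] is None:
        return ("mitigate", "Q4: no fix released, apply the vendor workaround")
    # Q3: reachability sets the urgency of a patchable, non-KEV CVE.
    if asset.exposure == "internet" and cve["cvss"] >= 7.0:
        return ("urgent", f"Q3: internet-exposed, upgrade to {cve['fixed_in']}")
    if asset.exposure == "isolated":
        return ("scheduled", "Q3: isolated from internet and sensitive data, next maintenance window")
    return ("normal", f"Q3: internal exposure, upgrade to {cve['fixed_in']} in the normal cycle")


INVENTORY = [   # constructed sample inventory
    Asset("web-01", "apache", "log4j", "2.14.0", "internet"),
    Asset("batch-07", "apache", "log4j", "2.17.0", "internal"),
    Asset("legacy-03", "apache", "log4j", "1.2.17", "isolated"),   # Log4j 1.x: other CVEs
    Asset("api-02", "apache", "tomcat", "9.0.54", "internet"),
]

if __name__ == "__main__":
    for asset in INVENTORY:
        priority, reason = triage(asset, CVE_2021_44228, KEV)
        print(f"{asset.host:10} {asset.version:9} -> {priority:9} {reason}")
```

The ordering inside `triage` is the point: a KEV hit short-circuits the exposure discussion, and "no patch" routes to the vendor workaround rather than to a non-existent upgrade. Swap the inline records for NVD and KEV feed lookups and the same function drives a ticket queue.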
Tools that make CVE reading easier
- NVD search — nvd.nist.gov/vuln/search — search by product name, vendor, or CVE ID
- CISA KEV catalog — cisa.gov/kev — continuously updated list of CVEs with confirmed active exploitation
- OpenCVE — free self-hosted dashboard for CVE monitoring with email alerts
- Vulners — aggregates NVD, vendor advisories, and exploit databases into one searchable interface
- GitHub Dependabot — automatically opens pull requests when a dependency has a CVE; shows the CVE ID and severity inline
- npm audit / pip-audit / cargo audit — command-line tools that scan your project dependencies for known CVEs
Frequently asked questions
What does "RESERVED" mean on a CVE page?
RESERVED means the CVE ID has been allocated but the details have not been published yet. This happens during the embargo period — when the vendor is working on a patch but has not disclosed the vulnerability publicly. The full details will appear once the patch is released.
Why do some CVEs have no CVSS score?
The NVD team scores CVEs after publication. Newly published CVEs sometimes show "NVD analysis not yet performed." The score often appears within days, but NVD enrichment has run backlogs of weeks or months at times, so do not block your triage on it. Check the vendor's own advisory instead: the CNA (the vendor or organisation that assigned the ID) often publishes its own CVSS score, and NVD displays that CNA score on the record as well.
Should I patch every CVE I find?
No. Prioritise. Anything in the CISA KEV catalog comes first, whatever its score, because it is being exploited right now. Then Critical and High scores on exposed systems. Medium and Low scores can go into your normal patch cycle. For systems that are isolated from the internet and from sensitive data, even high scores can sometimes wait for scheduled maintenance windows.
Keep learning on ITVedas
You now know how to find, read, and act on a CVE report. Explore the full CVE chapter for more guides on vulnerability management.