I think the "best practices" way of expressing what you want is to have the TTP be related to an Exploit_Target that describes the CVE, including its ID.
Also, notice that the ttp:ExploitType isn't fully specified - from the specs:
The ExploitType class is intended to be extended to enable the structured description of an exploit instance. However, no extension is provided by STIX v 1.2.1; producers wanting to represent structured exploit instance information are encouraged to develop such an extension.
-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Beth Pumo
Sent: Friday, February 05, 2016 3:52 PM
To: cti@lists.oasis-open.org
Subject: [cti] Public review comments from Kaiser Permanente for STIX V1.2.1
Comment on this area: STIX Part 5, TTP, Section 3.2.3.1 ExploitType Class: Should CVE_ID be included, considering CAPEC_ID is included for AttackPatternType?
Basically, the default extensions for similar classes include attributes for similar ID types. Example: the Exploit Target data model WeaknessType class contains CWE_ID. It should be useful to include an (optional) attribute for CVE numbers on Exploits, if the CVE numbers are known.