
CVSS (Common Vulnerability Scoring System)

The Common Vulnerability Scoring System (CVSS) is a standardized framework for rating the severity of security vulnerabilities in software and hardware systems. It provides a numerical score that reflects the potential impact of a vulnerability, helping organizations prioritize their response and remediation efforts.

CVSS Impact Metrics

CVSS scores are calculated based on a set of metrics that assess various aspects of a vulnerability. These metrics are divided into three groups:

  1. Base Metrics: These metrics represent the intrinsic characteristics of a vulnerability that are constant over time and across user environments. They include:

    • Attack Vector (AV)
    • Attack Complexity (AC)
    • Privileges Required (PR)
    • User Interaction (UI)
    • Scope (S)
    • Confidentiality Impact (C)
    • Integrity Impact (I)
    • Availability Impact (A)
  2. Temporal Metrics: These metrics reflect characteristics of a vulnerability that may change over time but not across user environments. They include:

    • Exploit Code Maturity (E) - The likelihood of the vulnerability being exploited, based on how easy it currently is to exploit.
    • Remediation Level (RL) - The level of remediation available for the vulnerability.
      • Official Fix: An official patch or update is available.
      • Temporary Fix: A temporary workaround is available.
      • Workaround: A non-official workaround is available.
      • Unavailable: No remediation is available.
      • Not defined: No information is available about remediation.
    • Report Confidence (RC) - The degree of confidence in the existence of the vulnerability.
      • Confirmed: The vulnerability has been confirmed by multiple sources.
      • Reasonable: The vulnerability is likely to exist based on available evidence.
      • Unknown: There is insufficient information to determine the existence of the vulnerability.
      • Not defined: No information is available about the vulnerability.
  3. Environmental Metrics: This metric group represents the significance of the vulnerability to a particular organization's environment. It includes:

    • Modified Base Metrics - Base metrics that an organization can override when it judges the vulnerability to pose a more significant risk in its own environment.
      • Not Defined: The metric is not defined and the base metric value is used.
      • Low: The vulnerability would have a low impact to one of the elements of the CIA triad for the organization.
      • Medium: The vulnerability would have a medium impact to one of the elements of the CIA triad for the organization.
      • High: The vulnerability would have a high impact to one of the elements of the CIA triad for the organization.

CVSS Score Calculation

  • The CVSS score is calculated using a formula that combines the values of the base, temporal, and environmental metrics. The resulting score ranges from 0 to 10, with higher scores indicating more severe vulnerabilities.
  • The National Vulnerability Database (NVD) provides an online calculator here: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator