CVSS (Common Vulnerability Scoring System) is an open standard for evaluating the severity of computer security vulnerabilities and providing a numerical score that reflects the severity.

What is CVSS?

CVSS is a standard framework for evaluating and communicating the severity of computer security vulnerabilities, providing a numerical score from 0.0 to 10.0 that reflects the vulnerability’s severity.

CVSS Versions

CVSS v1.0 (2005)

  • Characteristics: First version of the standard
  • Metrics: Basic evaluation metrics
  • Application: Initial vulnerability evaluation
  • Limitations: Limited metrics

CVSS v2.0 (2007)

  • Characteristics: Improved version with more metrics
  • Metrics: Expanded evaluation metrics
  • Application: Standard vulnerability evaluation
  • Improvements: More accuracy in evaluation

CVSS v3.0 (2015)

  • Characteristics: Major revision with refined metrics; superseded by v3.1
  • Metrics: Refined and expanded metrics
  • Application: Modern vulnerability evaluation
  • Improvements: Greater accuracy and detail

CVSS v3.1 (2019)

  • Characteristics: Current version with minor improvements
  • Metrics: Refined and clarified metrics
  • Application: Current vulnerability evaluation
  • Improvements: Clarifications and minor improvements

CVSS Structure

Base Metrics

  • Definition: Intrinsic characteristics of the vulnerability
  • Application: Environment-independent evaluation
  • Temporality: Do not change over time
  • Responsibility: Vulnerability assessor

Temporal Metrics

  • Definition: Characteristics that change over time
  • Application: Evaluation that accounts for factors changing over time (exploit maturity, fix availability, report confidence)
  • Temporality: Change over time
  • Responsibility: Vulnerability assessor

Environmental Metrics

  • Definition: Environment-specific characteristics
  • Application: Environment-specific evaluation
  • Temporality: Environment-specific
  • Responsibility: End user

Base Metrics (CVSS v3.1)

Attack Vector (AV)

  • Network (N): Vulnerability exploitable from network
  • Adjacent (A): Vulnerability exploitable from adjacent network
  • Local (L): Vulnerability exploitable locally
  • Physical (P): Vulnerability exploitable physically

Attack Complexity (AC)

  • Low (L): Special conditions not required
  • High (H): Special conditions required

Privileges Required (PR)

  • None (N): No privileges required
  • Low (L): Basic privileges required
  • High (H): Administrative privileges required

User Interaction (UI)

  • None (N): No user interaction required
  • Required (R): User interaction required

Scope (S)

  • Unchanged (U): Exploitation affects only the vulnerable component itself
  • Changed (C): Exploitation can affect components beyond the vulnerable component (e.g., escaping a sandbox or hypervisor boundary)

Confidentiality (C)

  • None (N): No loss of confidentiality
  • Low (L): Limited loss of confidentiality
  • High (H): Total loss of confidentiality

Integrity (I)

  • None (N): No loss of integrity
  • Low (L): Limited loss of integrity
  • High (H): Total loss of integrity

Availability (A)

  • None (N): No loss of availability
  • Low (L): Limited loss of availability
  • High (H): Total loss of availability

Temporal Metrics (CVSS v3.1)

Exploitability (E)

  • Not Defined (X): Metric not assessed; leaves the score unchanged
  • Unproven (U): Not proven
  • Proof of Concept (P): Proof of concept available
  • Functional (F): Functional exploit available
  • High (H): Exploit widely available

Remediation Level (RL)

  • Not Defined (X): Metric not assessed; leaves the score unchanged
  • Official Fix (O): Official fix available
  • Temporary Fix (T): Temporary fix available
  • Workaround (W): Workaround available
  • Unavailable (U): No fix available

Report Confidence (RC)

  • Not Defined (X): Metric not assessed; leaves the score unchanged
  • Unknown (U): Low confidence; reports exist but cause or impact is unconfirmed
  • Reasonable (R): Significant details published, but root cause not fully confirmed
  • Confirmed (C): Detailed reports or reproduction confirm the vulnerability

Environmental Metrics (CVSS v3.1)

Confidentiality Modifiers

  • Not Defined (X): Use the Base metric value
  • None (N): No loss of confidentiality
  • Low (L): Limited loss of confidentiality
  • High (H): Total loss of confidentiality

Integrity Modifiers

  • Not Defined (X): Use the Base metric value
  • None (N): No loss of integrity
  • Low (L): Limited loss of integrity
  • High (H): Total loss of integrity

Availability Modifiers

  • Not Defined (X): Use the Base metric value
  • None (N): No loss of availability
  • Low (L): Limited loss of availability
  • High (H): Total loss of availability

Score Calculation

Base Score

  • Formula: Computed from the Base metrics (AV, AC, PR, UI, S, C, I, A)
  • Range: 0.0 to 10.0
  • Application: Standard evaluation
  • Responsibility: Vulnerability assessor

Temporal Score

  • Formula: Base Score adjusted by the Temporal metrics (E, RL, RC)
  • Range: 0.0 to 10.0
  • Application: Temporal evaluation
  • Responsibility: Vulnerability assessor

Environmental Score

  • Formula: Base calculation repeated with the Environmental metrics substituted for the Base values
  • Range: 0.0 to 10.0
  • Application: Environment-specific evaluation
  • Responsibility: End user

Severity Levels

Critical (9.0 - 10.0)

  • Characteristics: Critical vulnerabilities
  • Impact: Severe impact on organization
  • Priority: Maximum remediation priority
  • Time: Immediate remediation required

High (7.0 - 8.9)

  • Characteristics: High severity vulnerabilities
  • Impact: Significant impact on organization
  • Priority: High remediation priority
  • Time: Urgent remediation required

Medium (4.0 - 6.9)

  • Characteristics: Medium severity vulnerabilities
  • Impact: Moderate impact on organization
  • Priority: Medium remediation priority
  • Time: Planned remediation required

Low (0.1 - 3.9)

  • Characteristics: Low severity vulnerabilities
  • Impact: Limited impact on organization
  • Priority: Low remediation priority
  • Time: Remediation when possible

None (0.0)

  • Characteristics: No vulnerability
  • Impact: No impact on organization
  • Priority: No remediation priority
  • Time: No remediation time required

CVSS Vector

Vector Format

  • Format: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Version: CVSS:3.1
  • Metrics: AV, AC, PR, UI, S, C, I, A
  • Values: Single-letter codes per metric, e.g. N, L, H, R, U, C, P, F, X

Vector Example

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • AV:N: Network attack vector
  • AC:L: Low attack complexity
  • PR:N: No privileges required
  • UI:N: No user interaction
  • S:U: Unchanged scope
  • C:H: Total loss of confidentiality
  • I:H: Total loss of integrity
  • A:H: Total loss of availability

Tools and Resources

Calculation Tools

  • CVSS Calculator: Official CVSS calculator
  • NVD CVSS Calculator: NVD calculator
  • CVSS v3.1 Calculator: CVSS v3.1 calculator
  • CVSS Vector Generator: CVSS vector generator

Additional Resources

  • CVSS v3.1 Specification: Official specification
  • CVSS v3.1 User Guide: User guide
  • CVSS Examples: CVSS examples
  • CVSS Best Practices: Best practices

Use Cases

Vulnerability Management

  • Prioritization: Vulnerability prioritization
  • Remediation: Remediation planning
  • Communication: Severity communication
  • Reporting: Status reporting

Risk Assessment

  • Analysis: Risk analysis
  • Mitigation: Mitigation planning
  • Monitoring: Risk monitoring
  • Update: Risk update

Compliance

  • Audit: Security audits
  • Reporting: Compliance reporting
  • Certification: Security certifications
  • Validation: Control validation

Best Practices

Evaluation

  1. Consistency: Consistent evaluation
  2. Accuracy: Accurate evaluation
  3. Update: Regular update
  4. Validation: Evaluation validation
  5. Documentation: Evaluation documentation

Implementation

  1. Tools: Use appropriate tools
  2. Processes: Standardized processes
  3. Training: Staff training
  4. Monitoring: Continuous monitoring
  5. Improvement: Continuous improvement

References

Glossary

  • CVSS: Common Vulnerability Scoring System
  • CVE: Common Vulnerabilities and Exposures
  • NVD: National Vulnerability Database
  • AV: Attack Vector
  • AC: Attack Complexity
  • PR: Privileges Required
  • UI: User Interaction
  • S: Scope
  • C: Confidentiality
  • I: Integrity
  • A: Availability