4 minute read

CVSS

Table of Contents

Definition

Common Vulnerabiltiy Scoring System (CVSS) is a framework used to assess the severity and impact of security vulnerabiltiy. The CVSS assigns a numerical value from 0 to 10 with higher scores indicating a more severe vulnerabiltiy. The CVSS is based on various metrics such as exploitability of the vulneraability, potential impact on confidentiality and availability of the affected system.
Different organizations might have there own template for calculating CVSS but the National Institute of Standards and Technology (NIST)’s National Vulnerabiltiy Databse (NVD) has a standard CVSS calculator which could be found here \

Discussing The Base Score Metrics

There are mainly two sub categories in the Base Score Metrics: Exploitability Metrics and Impact Metrics Under the two sub categories there are different metrices which will be explained below.

Attack Vector (AV):

This measures the way an attacker can exploit a vulnerability and gain access to a target system. Simply put, the more remote the attacker can exploit a system the higher the value. Network (N): This means the vulnerability can be exploited remotely over a network connection.
Adjacent Network (A): This signifies that the attacker needs to have access to the same network.
Local (L): This means the attacker requires local acces i.e physical access.
In this case we can say that (N) contributes to a higher CVSS score.

Attack Complexity (AC)

This measures the level of expertise, resources, and conditions needed for an attacker to successfully carry out an exploit. Low (L): This means that exploiting the vulnerability is straightforward and requires minimal or no specialized knowledge or resources such as public exploit tools. High (H): This means that exploiting the vulnerability is highly complex and typically requires advanced skills, extensive knowledge, or significant resources. In this case (L) would contribute to a higher CVSS score.

Privileges Required (PR)

This measures the level of privilege required for the attacker to exploit the vulnerability.
None (N): No privileges are required to exploit the vulnerability.
Low (L): The attacker requires some privileges.
High (H): The attacker requires elevated privileges, such as administrative or root access.
In this case (N) contributes to a higher CVSS score.

User Interaction (UI)

The UI metric evaluates whether a successful exploitation of a vulnerability requires interaction from a user or if it can be accomplished without any user involvement. None (N): The vulnerability can be exploited without any user interaction. This means that an attacker can exploit the vulnerability remotely or automatically without relying on user actions. Required (R): The vulnerability can only be exploited if a user interacts with the system or application. In this case (N) would contribute to a higher CVSS score.

Scope (S)

The scope metrics has been added to the new CVSS 3.0. It evaluates whether an exploit of a software impacts other system. Unchanged(S:U): An exploit can only affect the specific system. Changed(S:C) An exploit can affect other systems. In this case (S:C) would contribute to a higher CVSS score.

Confidentiality Impact (C)

This assesses the potential impact of a vulnerability on the confidentiality of information. None (N): The vulnerability does not have any impact on the confidentiality of information. Low (L): The vulnerability may result in a limited impact on the confidentiality of information. High (H): The vulnerability has a significant impact on the confidentiality of information. In this case (H) would contribute to a higher CVSS score.

Integrity Impact (I)

This assesses the potential impact of a vulnerability on the integrity of information or data. None (N): It means that even if the vulnerability is successfully exploited, it will not result in any unauthorized modification or tampering of data. Low (L): The vulnerability may result in a limited impact on the integrity of information.
High (H): The vulnerability has a significant impact on the integrity of information.
In this case (H) would contribute to a higher CVSS score.

Availability Impact (A)

This assesses evaluates the degree to which the exploitation of a vulnerability can disrupt or prevent the normal functioning or availability of a system, None (N): The vulnerability does not have any impact on the availability of the system or resource.
Low (L): The vulnerability may result in a limited impact on the availability of the system or resource.
High (H): The vulnerability has a significant impact on the availability of the system or resource.
In this case (H) would contribute to a higher CVSS score.

Reference: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Updated: