Common Vulnerability Scoring System


About CVSS:
The common vulnerability scoring system (CVSS) is open and free to industry for evaluating the seriousness of the software security vulnerabilities and is used in vulnerability management software. CVSS gives scores to vulnerabilities per the seriousness of the threat. Scores are computed considering several metrics. Scores are given between 0-10, with most severe score being 10.

FIRST.Org, Inc (FIRST) is a non-profit organization based out of US that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the scare was calculated.

How Beyond Security’s AVDS uses CVSS?

CVSS is made up of three major metric groups.

    1. Base metric group – The base metric group shows the qualities of vulnerability that are consistent over a period of time and among different user environments. It is further made up of two sets of metrics.

1.1. The exploitability metric – it shows how easily a vulnerability can be exploited. Referred to as “exploited component”.

1.2. The Impact metrics – shows the result of a successful exploitation of a vulnerability referred to as “impacted component”.

  1. Temporal metric group – the temporal metric group shows the characteristics of a potential threat or vulnerabilities that may change after sometime however may not change across users.
  2. The environmental metric group – the environmental metric group shows the characteristics of vulnerability that are important and unique to a specific user’s environment. Affected users calculate this measure usually.

Below each metric is discussed in detail

Base Metrics

1. Exploitability metric

1.1 Attack vector – shows how the vulnerability can be exploited.

Attack Vector
Value Description
Network (N) Attacker exploits vulnerability only through OSI layer 3 and are called “remotely exploitable”.
Adjacent (A) Attacker exploits vulnerability only through shared physical network.
Local (L) Attacker exploits the vulnerability locally or may depend on user interaction.
Physical (P) Vulnerable component must be physically touched or controlled by the attacker.

1.2 Attack complexity (AC) – This metric depicts the situations that are not under the attackers control and are required to exploit vulnerability.

Attack Complexity
Value Description
Low (L) Attacker can be successful more than once against the vulnerable component.
High (H) Attacker must be more prepared to execute a successful attack on the vulnerable component.

1.3 Privileges Required (PR) shows the amount of privileges the attacker must have to exploit the vulnerability successfully.

Privileges required
Value Description
None (N) The attacker doesn’t need access to files or setting to attack. Attacker is unauthorized.
Low (L) Attacker requires privileges to attack usually affects files and owned settings. Attacker has low authorization.
High (H) Attacker needs privileges that give them control and affects component wide files and settings.

1.4 User interaction (UI) it is a user oriented metric. It determines whether a separate user must be present or the attacker or alone exploit the vulnerability.

User Interaction
Value Description
None (N) Exploitations of vulnerability can be done without any interaction from any user.
Required (R) The user can do exploitation of vulnerability only after any action.

1.5 Scope scope refers to the group of privileges that are characterized by a computing authority when giving access to computing resources. These privileges are appointed based on a technique of approval and identification.

Value Description
Unchanged (U) The impacted component and the vulnerable component are the same. Resources affected are controlled by the same authority.
Changed (C) The impacted component and the vulnerable component are different. The same authority does not control resources affected.

2. Impact Metrics

2.1 Confidentiality Impact (C) this metrics limits access to information and reveals information only to authorized users. Also, prevents disclosure of information to unauthorized users.

Confidentially impact
Value Description
High (H) All resources of the impacted component are disclosed to the attacker due to total loss of confidentiality.
Low (L) Attacker can’t control the restricted information that is obtained. Some loss of confidentiality.
None (N) No loss of confidentiality.

2.2 Integrity impact (I) Measures the true nature of the information and how much it can be trusted. Successful exploitation of vulnerability is measured through impact to integrity.

Integrity Impact
Value Description
High (H) Total loss of integrity or protection. Attacker can alter any file.
Low (L) Attacker can modify a file but cannot control the consequences.
None (N) No loss of integrity.

2.3 Availability impact (A) Refers to how much information resources are accessible.

Availability Impact
Value Description
High (H) Attacker can deny full access to resources in the impacted component. Total loss of availability.
Low (L) Attacker cannot deny totally. Partial or full resources are available only for a certain period.
None (N) No loss of availability.

Temporal Metrics

1. Exploit code maturity (E) Exploit codes that are publicly available and are easy to use gives advantage to a potential attacker. This metric is based on the current state of techniques that measures the possibility of the vulnerability attack.

Exploit code maturity
Value Description
Not defined (X) The score will not be influenced if given this metric value.
High (H) Autonomous agents deliver exploit code on a regular basis and works in all situations.
Functional (F) If the vulnerability exists, the exploit code will work.
Proof-of-concept (P) Modifications are required to use such code by a professional attacker.
Unproven (U) No code is available.

2. Redemption level (RL) – The remediation level of a vulnerability is an imperative component for prioritization. The average weakness is unpatched when first distributed.

Redemption level
Value Description
Not defined (X) The score will not be influenced if given this metric value.
Unavailable (U) It is either impossible to apply or there is no solution.
Workaround (W) User provides their own solution unofficially.
Temporary fix (T) Temporary fix is available and is official.
Official fix (O) Official fix is available by the vendor.

3. Report confidence (RC) – At times only the presence of vulnerabilities is made public without giving specific details. This metric helps in measuring the credibility of the information and amount of confidence in the existence of the vulnerability.

Report confidence
Value Description
Not defined (X) The score will not be influenced if given this metric value.
Confirmed (C) Source code and reports are available in detail to verify the research independently.
Reasonable (R) Important details are published but there is no full access to source code to verify research independently.
Unknown (U) Reports indicate presence of vulnerability. Less confidence in reports that are available.

Environmental metrics

1. Security requirements (CR, IR, AR) – This metric helps in customization of CVSS score based on the affected IT to a user’s organization. Characterized as following:

  • Confidentiality (CR)
  • Integrity (IR)
  • Availability (AR)
Security requirements
Value Description
Not defined (X) The score will not be influenced if given this metric value.
High (H) Very serious consequences on the organization and associates due to loss of CR, IS, AR.
Medium (M) Serious consequences on the organization and associates due to loss of CR, IR, AR.
Low (L) Limited consequences on the organization and associates due to loss of CR, IR, AR.

2. Modified base metrics – It helps the adjustment of base metrics in accordance with the modification that is already present in the analyst’s environment.

Security requirements
Modified Base Metric Value
Modified Attack Vector (MAV) Same as base metrics above and not defined (default).
Modified Attack Complexity (MAC)
Modified Privileges Required (MPR)
Modified User Interaction (MUI)
Modified Scope (MS)
Modified Confidentiality (MC)
Modified Integrity (MI)
Modified Availability (MA)
Low (L) Limited consequences on the organization and associates due to loss of CR, IR, AR.
Company Profile
Beyond Security’s testing solutions accurately assess and manage security weaknesses in networks, applications, industrial systems and networked software. We help businesses and governments simplify the management of their network and application security, thus reducing their vulnerability to attack and data loss. Our product lines, AVDS (network and SCADA vulnerability management) and beSTORM (software security testing), will help you secure your network and applications, comply with your security policy requirements and exceed industry and government standards.