Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) is a standardized framework used to assess the severity of security vulnerabilities in software and systems. It provides a numerical score (ranging from 0.0 to 10.0) that represents the risk posed by a vulnerability. This helps organizations prioritize their response efforts based on the impact and exploitability of a given vulnerability.

---

CVSS Metrics and Scoring Components

CVSS consists of three primary metric groups that contribute to the overall score:

1. Base Score (Mandatory) – The Core Characteristics of the Vulnerability

The Base Score represents the intrinsic properties of a vulnerability that remain constant over time. It considers two factors:

• Exploitability Metrics (How easy is it to exploit?)

  • Attack Vector (AV): Can the attack be done remotely or requires physical access?

  • Attack Complexity (AC): Is the attack easy or requires special conditions?

  • Privileges Required (PR): Does the attacker need admin privileges?

  • User Interaction (UI): Does exploitation require user action?

  • Scope (S): Can the exploit affect other systems beyond the vulnerable component?

• Impact Metrics (How severe is the impact?)

  • Confidentiality (C): Does it expose sensitive data?

  • Integrity (I): Can data be altered or manipulated?

  • Availability (A): Does it disrupt or shut down services?

💡 Base Score Range:

• Low: 0.1 – 3.9

• Medium: 4.0 – 6.9

• High: 7.0 – 8.9

• Critical: 9.0 – 10.0

---

2. Temporal Score (Optional) – The Changing Nature of Threats

The Temporal Score adjusts the Base Score based on real-world factors that change over time, such as the availability of patches and exploit techniques.

• Exploit Code Maturity: Has the exploit been widely used or is it theoretical?

• Remediation Level: Are patches or workarounds available?

• Report Confidence: How reliable is the vulnerability report?

💡 Temporal scoring helps organizations assess the urgency of response.

---

3. Environmental Score (Optional) – The Impact on a Specific Organization

The Environmental Score tailors the Base Score based on how a vulnerability affects a particular organization.

• Modified Base Metrics: Organizations can adjust the impact ratings based on their own environment.

• Security Requirements: Defines how critical confidentiality, integrity, and availability are to the organization.

💡 Environmental scoring helps organizations prioritize vulnerabilities based on their unique infrastructure.

---

CVSS Score Calculation Example

Let’s say we have a vulnerability that:

• Can be exploited over the internet (AV: Network)

• Requires no special privileges (PR: None)

• Exposes sensitive data (C: High)

• Has a working exploit available

This could result in a Base Score of 9.8 (Critical). If a patch exists, the Temporal Score might lower it to 8.5 (High). If an organization considers it a minor risk due to compensating controls, the Environmental Score might bring it down to 7.2 (High).

---

Why CVSS Matters

• Standardized Scoring: Provides a universal method for evaluating vulnerabilities.

• Risk-Based Prioritization: Helps organizations focus on critical vulnerabilities first.

• Supports Patch Management: Helps teams determine whether to patch immediately or mitigate risks.

CVSS is widely used by security teams, vendors, and organizations to assess and prioritize vulnerability management efforts effectively.

Key Features of CVSS v3.1:

• Base Score: Measures the intrinsic characteristics of a vulnerability that remain constant over time.

  • Exploitability Metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction.

  • Impact Metrics: Confidentiality, Integrity, Availability.

• Temporal Score: Accounts for factors that change over time, such as exploit maturity and remediation.

• Environmental Score: Adjusts the score based on how an organization is impacted, considering security requirements.