
Common Vulnerability Scoring System (CVSS)

What is CVSS Scoring?

Cybersecurity is an all-encompassing state of protection from unauthorized use of electronic data. It is an endless cycle of identifying and mitigating threats and risks that endanger IT systems, information security, business reputation and more. Software and hardware vulnerabilities in particular are hard to keep up with, so a method was needed to sort through them and prioritize their remediation.

The Common Vulnerability Scoring System is an open industry standard for assessing the severity of security vulnerabilities. CVSS, as it is more commonly known, assigns each vulnerability a score according to its severity, allowing security responders to decide how to prioritize their remediation efforts. This quantitative measure can be easily understood, even by non-technical audiences.

The numerical score assigned by CVSS can easily be converted into a qualitative representation, for example Low, Medium, High and Critical. Maintained by the CVSS Special Interest Group (SIG), CVSS scoring is used globally and updated regularly. First released in February 2005, it has evolved significantly: the current version is CVSS v3.1, and plans are actively being developed for CVSS v4.0.

How Does CVSS Scoring Work?

It is important to note that CVSS is not a measure of risk. What the scoring does is take all the information about a vulnerability and let you use the CVSS calculator to arrive at an overall criticality score. (The equations of the calculator can be found at the end of this document.)

CVSS consists of three metric groups: 

  • Base, 
  • Temporal, and 
  • Environmental. 

As explained by the National Vulnerability Database (https://nvd.nist.gov/vuln-metrics/cvss), the Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. Published CVSS scores are typically Base Metrics only.

A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores. 

Two common uses of CVSS are calculating the severity of vulnerabilities discovered on one’s systems and as a factor in prioritization of vulnerability remediation activities. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.


How is the Base Score Created?

CVSS Base Metrics have three sub-groupings:

  1. Exploitability Metrics – Without considering any individual setup or other compensating controls, exploitability metrics reflect the properties of the vulnerable component itself. The four exploitability metrics are:
  • Attack Vector – The Attack Vector represents how much access an attacker needs in order to take advantage of the vulnerability. For example, it is significantly more challenging to exploit a vulnerability that needs physical access to a target system than one that can be exploited remotely via the Internet.
    • It is measured by: Network (N) / Adjacent (A) / Local (L) / Physical (P)
  • Attack Complexity – This metric describes the external circumstances that must exist for the vulnerability to be exploited. This most frequently refers to either necessary user engagement or particular target system configurations.
    • It is measured by: Low (L) / High (H)
  • Privileges Required – These are the privileges the attacker needs in order to achieve a successful exploit.
    • It is measured by: None (N) / Low (L) / High (H)
  • User Interaction – The User Interaction metric indicates whether a user other than the attacker must take some action or otherwise take part in the vulnerability’s exploitation.
    • It is measured by: None (N) / Required (R)
  2. Impact Metrics – This is a measurement of the impact on the CIA triad (Confidentiality, Integrity, Availability):
  • Confidentiality – The purpose of confidentiality is to ensure that only authorized users have access to the target data.
    • This is measured by: High (H) / Low (L) / None (N)
  • Integrity – Integrity is the concern of whether private or sensitive data has been altered or manipulated in any way. Integrity has been upheld if there is no way for an attacker to change how accurate or complete the information is.
    • This is measured by: High (H) / Low (L) / None (N)
  • Availability – Information must be available when it is needed. Availability is adversely affected if an exploit makes information unavailable, for example through a system crash, ransomware or a DDoS attack.
    • This is measured by: High (H) / Low (L) / None (N)
  3. Scope – A vulnerability in one system or component may or may not have a ripple effect on other systems or components, and this is what the Scope metric considers.
    • This is measured by: Changed (C) / Unchanged (U)

CVSS Qualitative Ratings for v3.0:

  Range of Score    Severity
  0.0               No Severity
  0.1 – 3.9         Low Severity
  4.0 – 6.9         Medium Severity
  7.0 – 8.9         High Severity
  9.0 – 10.0        Critical

The CVSS Score Range.

What is the NVD?

The US government’s National Vulnerability Database (NVD) includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. This data enables automation of vulnerability management, security measurement, and compliance.

NVD provides qualitative severity ratings of “Low”, “Medium”, and “High” and supports CVSS v2.0 and v3.0. 

The NVD CVSS Calculator 3.1

The calculator used to arrive at the CVSS score takes into account threat intelligence, the characteristics of the vulnerability, the effect of threats on your controls framework and the assets involved. The score is not perfect, but it is an excellent indicator for planning where and when to apply security resources for risk management.

A vulnerability’s various features, such as its impact, how it changes over time and how it affects a particular environment, are covered by three metric groups, Base, Temporal, and Environmental, from which a CVSS score is created. The purpose of the calculator is to work out the various scores and provide a breakdown of the CVSS.

The calculator has evolved over time through various versions. The previous version, v3.0, was replaced by v3.1 in June 2019. The scores and formula did not change; the focus was on improving and clarifying the existing standard without introducing new metrics or metric values.

Example of CVSS Scoring

The equations for CVSS calculation can be found at the end of this document.

Most vulnerabilities will thankfully not reach a perfect score of 10. But let’s take a look at an infamous vulnerability whose CVSS score did sadly reach great heights. The Apache Log4j vulnerability produced 3 main CVEs. Here is the CVSS for CVE-2021-45046:

CVSS 3.x Severity and Metrics (source: NIST NVD):

Base Score: 9.0 CRITICAL

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

NVD’s accompanying notes read: “NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.” and “Note: NVD Analysts have published a CVSS score for this CVE based on publicly available information at the time of analysis. The CNA has not provided a score within the CVE List.”

The vector is broken down in the following way:

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

  • CVSS:3.1 – the version of the specification used
  • AV:N – Attack Vector: Network
  • AC:H – Attack Complexity: High
  • PR:N – Privileges Required: None
  • UI:N – User Interaction: None
  • S:C – Scope: Changed
  • C:H – Confidentiality impact: High
  • I:H – Integrity impact: High
  • A:H – Availability impact: High

More about CVSS

CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. The official CVSS documentation can be found at https://www.first.org/cvss/.
