CVSSv4: What's new?

Ashwani Paliwal
November 18, 2023

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is a framework that provides a standardized way to assess and communicate the severity of security vulnerabilities. It was developed by FIRST (Forum of Incident Response and Security Teams), a globally recognized organization in the field of cybersecurity. CVSS has evolved over the years, with version 4.0 being the latest iteration.

What's new in CVSSv4?

CVSS has always consisted of three metric groups: Base, Temporal, and Environmental. In practice, however, the CVSS score is widely treated as just the Base score, so CVSSv4 adopts a new nomenclature to stress that CVSS is more than the Base score.

CVSS Nomenclature

New Base Metric: Attack Requirements

Problem: The "Low" and "High" Attack Complexity (AC) values do not account for the wide variation in conditions that are currently lumped together under "High" complexity. For instance, iterating an attack to win a race condition objectively requires substantially more exploit complexity than evading security mitigation mechanisms such as ASLR or encryption, yet both conditions currently result in the same "penalty" to the severity score.

This proposal seeks to remedy this by dividing the present AC definition into two metrics, named "Attack Complexity" (AC) and "Attack Requirements" (AT), which respectively convey the following:

Attack Complexity: This metric captures the complexity of the exploit engineering needed to evade or circumvent defensive or security-enhancing technologies (defensive measures).

Attack Requirements: This metric captures the preconditions that the vulnerable component must meet for the attack to succeed.

New Metric Group: Supplemental Metrics Group

The Supplemental metric group is a new, optional group of metrics that describe and measure additional extrinsic attributes of a vulnerability. The CVSS consumer decides how to use each metric in the Supplemental group, and this contextual information may be used differently in each consumer's environment. By definition, no Supplemental metric has any effect on the final CVSS score (for example, CVSS-BTE). Organizations can assign importance and/or effective impact to each metric, or to a set or combination of metrics, so that it affects their final risk analysis more, less, or not at all. The metrics and their values simply convey additional extrinsic characteristics of the vulnerability.

Supplemental metric group

Renamed and Simplified Threat Metrics

One of the first noticeable changes in CVSSv4.0 is the renaming of the "Temporal" metric from CVSSv3.1 to "Threat Metrics." This shift aligns the terminology more closely with its purpose, which is to capture factors related to the evolving threat landscape.

Furthermore, CVSSv4.0 bids farewell to the "Remediation Level (RL)" and "Report Confidence (RC)" metrics. While these metrics provided some valuable insights, their retirement streamlines the scoring process and focuses on the core aspects of vulnerability assessment.

In a similar vein, the "Exploit Code Maturity (E)" has been renamed to "Exploit Maturity (E)," making it more intuitive and aligning with the metric's function. The merger of "High (H)" and "Functional (F)" values from CVSSv3.1 into a single value of "Attacked (A)" in CVSSv4.0 simplifies the scoring process while maintaining accuracy.

Update to Base Metric: User Interaction (UI)

CVSSv4.0 enhances the User Interaction (UI) metric to provide a more nuanced assessment of user involvement in the compromise of a vulnerable component. In CVSSv3.1, this metric had binary values, either "None (N)" or "Required (R)." However, CVSSv4.0 introduces finer granularity, categorizing user interaction as either "Passive (P)" or "Active (A)." This update ensures a more accurate representation of the vulnerability's impact, particularly when it comes to the user's role in the exploit.

Retired Base Metric: Scope (S)

One significant change in CVSSv4.0 is the retirement of the Scope (S) metric that existed in CVSSv3.1. This decision stemmed from concerns about the clarity and consistent use of this metric among different product providers. To address this issue, CVSSv4.0 replaces the Scope metric with two sets of impact metrics:

Vulnerable System Impact: This assesses the impact on the vulnerable system and its elements, encompassing Confidentiality (VC), Integrity (VI), and Availability (VA).

Subsequent System(s) Impact: This evaluates the impact on systems beyond the initial vulnerable component, covering Confidentiality (SC), Integrity (SI), and Availability (SA).

This change ensures a more precise and consistent evaluation of the impact of vulnerabilities.
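As an added example (not from the original post and not FIRST's own tooling), the Python sketch below triages a CVSS v3.1 Base and Temporal vector against the changes described above: it carries over what is unchanged, merges E:H and E:F into E:A, drops RL and RC, and lists the metrics an analyst must re-score. The function name and the AC:L and S:U translations are assumptions of this sketch; v3.1 Environmental metrics are ignored.

```python
# Added example: triage a CVSS v3.1 vector against the v4.0 changes described above.
# The AC:L and S:U translations are assumptions of this sketch, not FIRST guidance.
V31_BASE = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
V4_ORDER = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA", "E")

def triage_v31(vector):
    """Return (draft_v4_vector_or_None, dropped_metrics, items_needing_rescoring)."""
    prefix, *pairs = vector.split("/")
    if prefix != "CVSS:3.1":
        raise ValueError("expected a CVSS:3.1 vector")
    old = dict(pair.split(":", 1) for pair in pairs)
    missing = [m for m in V31_BASE if m not in old]
    if missing:
        raise ValueError(f"missing v3.1 base metrics: {missing}")

    v4, rescore = {"AV": old["AV"], "PR": old["PR"]}, []
    if old["AC"] == "L":        # assumption: AC:L meant no special conditions of either kind
        v4.update(AC="L", AT="N")
    else:
        rescore.append("AC:H: split into AC (defence evasion) and AT (preconditions)")
    if old["UI"] == "N":
        v4["UI"] = "N"
    else:
        rescore.append("UI:R: choose UI:P (passive) or UI:A (active)")
    if old["S"] == "U":         # assumption: unchanged scope means no subsequent-system impact
        for m in "CIA":
            v4["V" + m], v4["S" + m] = old[m], "N"
    else:
        rescore.append("S:C: assess VC/VI/VA and SC/SI/SA separately")

    exploit = old.get("E", "X")
    if exploit != "X":          # H and F merge into Attacked (A); P and U keep their letters
        v4["E"] = "A" if exploit in ("H", "F") else exploit
    dropped = [m for m in ("RL", "RC") if m in old]   # retired in v4.0

    # Only emit a draft vector when nothing is left for the analyst to decide.
    draft = None if rescore else "CVSS:4.0/" + "/".join(
        f"{m}:{v4[m]}" for m in V4_ORDER if m in v4)
    return draft, dropped, rescore

if __name__ == "__main__":
    # Constructed sample vector, not taken from any real advisory.
    print(triage_v31("CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O"))
```

A returned draft is a starting point for analyst review, since the v4.0 metric definitions differ in wording even where the letters match.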

Additional Improvements and Guidance

Beyond these core changes, CVSSv4.0 also offers improved guidance for CVSS analysts to produce consistent scores. It includes recommendations for scoring vulnerabilities in software libraries, catering to the evolving nature of software development and security. Moreover, CVSSv4.0 is designed to support multiple CVSS scores for the same vulnerability when it affects various products, platforms, or operating systems. Additionally, it provides guidance for extending the CVSS framework to address the specific needs of different industry sectors, such as privacy and automotive security.

The new CVSSv4 Metric Group looks like:

CVSSv4 Metric group
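As an added example (not from the original post and not FIRST's calculator code), the Python sketch below validates a CVSS v4.0 vector string against the four metric groups and derives the nomenclature label (CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE), showing that Supplemental metrics never change it. The function names are hypothetical; treating a metric as supplied only when its value is not X (Not Defined), and not enforcing metric order, are assumptions of this sketch.

```python
# Added example: validate a CVSS v4.0 vector string and name the resulting score.
# Metric abbreviations and values follow the FIRST CVSS v4.0 specification.
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}
THREAT = {"E": "XAPU"}
ENVIRONMENTAL = {"CR": "XHML", "IR": "XHML", "AR": "XHML"}
ENVIRONMENTAL.update({"M" + m: "X" + v for m, v in BASE.items()})  # modified base metrics
ENVIRONMENTAL["MSI"] += "S"  # Safety is an extra value on modified SI and SA
ENVIRONMENTAL["MSA"] += "S"
SUPPLEMENTAL = {"S": "XNP", "AU": "XNY", "R": "XAUI", "V": "XDC", "RE": "XLMH",
                "U": ("X", "Clear", "Green", "Amber", "Red")}
GROUPS = {"base": BASE, "threat": THREAT,
          "environmental": ENVIRONMENTAL, "supplemental": SUPPLEMENTAL}

def parse_cvss4(vector):
    """Return {group: {metric: value}}; raise ValueError on any malformed part."""
    prefix, *pairs = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    found = {group: {} for group in GROUPS}
    for pair in pairs:
        metric, _, value = pair.partition(":")
        group = next((g for g, spec in GROUPS.items() if metric in spec), None)
        # tuple() turns "NPA" into single letters, so "NP" or "" cannot slip through
        if group is None or value not in tuple(GROUPS[group][metric]):
            raise ValueError(f"invalid metric or value: {pair!r}")
        if metric in found[group]:
            raise ValueError(f"duplicate metric: {metric}")
        found[group][metric] = value
    missing = [m for m in BASE if m not in found["base"]]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return found

def nomenclature(found):
    """CVSS-B, -BT, -BE or -BTE; Supplemental metrics are deliberately ignored."""
    def supplied(group):  # assumption: X (Not Defined) does not count as supplied
        return any(value != "X" for value in found[group].values())
    return ("CVSS-B" + ("T" if supplied("threat") else "")
            + ("E" if supplied("environmental") else ""))

if __name__ == "__main__":
    # Constructed sample vector, not taken from any real advisory.
    sample = ("CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H"
              "/SC:L/SI:N/SA:N/E:A/AU:Y/U:Red")
    print(nomenclature(parse_cvss4(sample)))
```

CVSSv3.1 values such as UI:R, E:F or S:C are rejected, which catches v3.1 fragments pasted into a v4.0 vector.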

CVSSv4 Calculator:

Final thoughts

CVSSv4.0 is a testament to the cybersecurity community's commitment to adapt to emerging threats and provide better tools for vulnerability management. It not only streamlines the scoring process but also ensures that the system remains robust and adaptable to the diverse challenges posed by vulnerabilities in the digital age. To explore these changes in greater detail, please refer to the official CVSSv4.0 specification document.
