
What is the Common Vulnerability Scoring System (CVSS)?

Pallavi Vishwakarma
July 2, 2023

The Common Vulnerability Scoring System (CVSS) is an open standard, maintained by FIRST, for assigning a numeric score to a vulnerability based on its principal characteristics. The score expresses the severity of the vulnerability and maps to a qualitative rating (None, Low, Medium, High or Critical) that organizations use as one input when prioritizing the vulnerabilities present in their systems.

The two versions in common use are CVSS v2 and CVSS v3. CVSS v2, released in 2007, scores from 0 to 10 with three severity levels (Low, Medium, High). CVSS v3.0 was published in 2015 and refined as v3.1 in 2019; it keeps the 0 to 10 range but uses five levels (None, Low, Medium, High, Critical). The three metric groups, Base, Temporal and Environmental, were retained, but the metrics inside them changed so that scores better reflect the real conditions of exploitation: v3 replaced the v2 Authentication metric with Privileges Required and User Interaction, added the Scope metric, and replaced the v2 environmental metrics Collateral Damage Potential and Target Distribution with a set of Modified Base metrics.

How CVSS works

A CVSS score ranges from 0.0 to 10.0, where 0.0 means no impact and 10.0 is the most severe. CVSS v3 maps scores to qualitative ratings as follows:

Base Score range    Severity
0.0                 None
0.1 - 3.9           Low
4.0 - 6.9           Medium
7.0 - 8.9           High
9.0 - 10.0          Critical

CVSS Score Metrics

A CVSS score is derived from three groups of metrics: Base, Temporal and Environmental. Together they describe the intrinsic characteristics of a vulnerability, how its risk changes over time, and how much it matters in a particular deployment.

          1. Base Metrics

The base metrics capture the intrinsic characteristics of a vulnerability, those that do not change over time or across user environments, and produce the base score (0.0 to 10.0). They are made up of two sets of metrics plus the Scope metric:

Exploitability Metrics:

  • Attack vector (AV): the context in which the vulnerability can be exploited: Network, Adjacent, Local or Physical. The more remote the attacker can be, the higher the score.
  • Attack complexity (AC): whether conditions outside the attacker's control (a specific configuration, winning a race condition, defeating a mitigation) must hold for exploitation to succeed. Low means the attack is repeatable at will; High means the attacker must first overcome such conditions. It does not measure attacker skill.
  • Privileges required (PR): the level of privileges an attacker must already hold (None, Low, High) before exploiting the vulnerability.
  • User interaction (UI): whether a user other than the attacker must take some action (open a file, click a link) for the exploit to succeed.
  • Scope (S): whether a successful exploit can affect resources beyond the security scope of the vulnerable component (for example, escaping a sandbox or VM). Scope is Unchanged if the vulnerable and impacted components are the same, Changed otherwise; a Changed scope raises the score.

Impact Metrics:

  • Confidentiality impact (C): the degree of loss of confidentiality of data within the impacted component if the vulnerability is exploited: None, Low (some information is disclosed) or High (all resources in the component are disclosed, or the disclosed data is of direct, serious impact).
  • Integrity impact (I): the degree to which an attacker can modify data within the impacted component: None, Low (some modification without control over the consequence) or High (complete loss of integrity, or modification with a direct, serious consequence).
  • Availability impact (A): the degree to which access to the impacted component's resources is denied: None, Low (reduced performance or intermittent interruptions) or High (the attacker can fully deny access).

          2. Temporal Metrics

The temporal metrics capture characteristics of a vulnerability that change over time, such as the availability of exploit code or a fix. They adjust the base score downward (or leave it unchanged) and consist of three metrics:

  • Exploit code maturity (E): how mature any available exploit code is: Unproven, Proof-of-Concept, Functional or High (reliable, widely available or autonomous).
  • Remediation level (RL): whether a fix or workaround exists: Official Fix, Temporary Fix, Workaround or Unavailable.
  • Report confidence (RC): how certain it is that the vulnerability exists and is reproducible: Unknown, Reasonable or Confirmed.

          3. Environmental Metrics

The environmental metrics let an organization adjust the score to its own deployment, reflecting how important the affected asset is and what mitigating controls are in place. In CVSS v3 they fall into two categories:

  • Security requirements: Confidentiality requirement (CR), Integrity requirement (IR) and Availability requirement (AR), each Low, Medium or High, which weight the corresponding impact metric according to how much the organization depends on that property for the affected asset.
  • Modified base metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA): the base metrics re-evaluated for the specific environment, for example lowering Attack Vector from Network to Adjacent because the system sits behind a firewall. A value of X (Not Defined) means the original base value is used.

(Collateral damage potential and target distribution were environmental metrics in CVSS v2; they do not exist in v3.)

For example, consider a vulnerability with a base score of 7.8 (High) whose temporal and environmental scores both work out to 6.5 (Medium), given the following CVSS v3 vector (a full vector string is normally prefixed with the version, e.g. CVSS:3.1/):

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:R/CR:H/IR:H/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

The components of this vector mean:

AV: L - (Attack Vector) It means that the vulnerability is exploitable by local access.

AC: L - (Attack complexity) Specialized access conditions or extenuating circumstances do not exist; an attacker can expect repeatable success.

PR: L - (Privileges required) It indicates that the attacker is authorized with privileges that provide basic user capabilities.

UI: N - (User interaction) The vulnerable system can be exploited without interaction from any user.

S: U - (Scope) An exploited vulnerability can only affect resources managed by the same authority.

C: H - (Confidentiality impact) There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker.

I: H - (Integrity impact) There is a total loss of integrity.

A: H - (Availability impact) Loss of availability means the attacker is able to fully deny access to resources in the impacted component.

E: U - (Exploit code maturity) No exploit code is available, or an exploit is entirely theoretical.

RL: O - (Remediation Level) A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.

RC: R - (Report Confidence) Significant details have been published, and reasonable confidence exists that the bug is reproducible and at least one impact can be verified, but the root cause may not be fully understood.

CR: H - (Confidentiality requirement) Loss of confidentiality is likely to have a catastrophic adverse effect on the organization.

IR: H - (Integrity requirement) Loss of integrity is likely to have a catastrophic adverse effect on the organization.

AR: L - (Availability requirement) Loss of availability is likely to have only a limited adverse effect on the organization.

MAV:X ... MA:X - (Modified base metrics) All are Not Defined, so the environmental score reuses the original base metric values; only the security requirements above alter the environmental calculation.
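To show how the base, temporal and environmental scores for the vector above actually fall out of the metric groups described in this post, here is an added worked example in Python. It is not code from the original post; it implements the CVSS v3.1 formulas and metric weights published by FIRST (section 7 of the v3.1 specification), and the function names (parse_vector, score, severity) are this example's own. Running it on the vector above gives a base score of 7.8 (High), a temporal score of 6.5 and an environmental score of 6.5 (Medium).

```python
import math

# CVSS v3.1 metric weights, as published in the FIRST specification (section 7.4).
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR_U": {"N": 0.85, "L": 0.62, "H": 0.27},   # Privileges Required, Scope Unchanged
    "PR_C": {"N": 0.85, "L": 0.68, "H": 0.50},   # Privileges Required, Scope Changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
    "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5},   # CR / IR / AR
}


def roundup(value):
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, using the
    integer arithmetic the spec prescribes to avoid floating-point artefacts."""
    i = round(value * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector):
    """Turn 'AV:L/AC:L/...' (with or without a 'CVSS:3.1/' prefix) into a dict.
    Whitespace around values is tolerated, so 'MAV: X' parses as MAV=X."""
    metrics = {}
    for part in vector.split("/"):
        if part.startswith("CVSS:"):
            continue
        name, _, value = part.partition(":")
        metrics[name.strip()] = value.strip()
    return metrics


def severity(score_value):
    """Qualitative rating from the CVSS v3 severity table."""
    if score_value == 0.0:
        return "None"
    if score_value < 4.0:
        return "Low"
    if score_value < 7.0:
        return "Medium"
    if score_value < 9.0:
        return "High"
    return "Critical"


def _sub_scores(m, modified):
    """Return (impact, exploitability, scope). With modified=True the M* metrics
    replace their base counterparts (X falls back to the base value) and the
    CR/IR/AR security requirements weight the impact metrics."""
    def get(name):
        if modified and m.get("M" + name, "X") != "X":
            return m["M" + name]
        return m[name]

    scope = get("S")
    pr_table = WEIGHTS["PR_C"] if scope == "C" else WEIGHTS["PR_U"]
    exploitability = (8.22 * WEIGHTS["AV"][get("AV")] * WEIGHTS["AC"][get("AC")]
                      * pr_table[get("PR")] * WEIGHTS["UI"][get("UI")])
    c, i, a = (WEIGHTS["CIA"][get(x)] for x in ("C", "I", "A"))
    if modified:
        cr, ir, ar = (WEIGHTS["REQ"][m.get(x, "X")] for x in ("CR", "IR", "AR"))
        iss = min(1 - (1 - cr * c) * (1 - ir * i) * (1 - ar * a), 0.915)
    else:
        iss = 1 - (1 - c) * (1 - i) * (1 - a)
    if scope == "U":
        impact = 6.42 * iss
    elif modified:   # v3.1 changed the exponent and factor for the modified, scope-changed case
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    return impact, exploitability, scope


def score(vector):
    """Base, temporal and environmental scores for a CVSS v3.1 vector string."""
    m = parse_vector(vector)
    temporal_factor = (WEIGHTS["E"][m.get("E", "X")] * WEIGHTS["RL"][m.get("RL", "X")]
                       * WEIGHTS["RC"][m.get("RC", "X")])

    impact, expl, scope = _sub_scores(m, modified=False)
    if impact <= 0:
        base = 0.0
    elif scope == "U":
        base = roundup(min(impact + expl, 10))
    else:
        base = roundup(min(1.08 * (impact + expl), 10))
    temporal = roundup(base * temporal_factor)

    mimpact, mexpl, mscope = _sub_scores(m, modified=True)
    if mimpact <= 0:
        environmental = 0.0
    elif mscope == "U":
        environmental = roundup(roundup(min(mimpact + mexpl, 10)) * temporal_factor)
    else:
        environmental = roundup(roundup(min(1.08 * (mimpact + mexpl), 10)) * temporal_factor)

    return {"base": base, "temporal": temporal, "environmental": environmental,
            "severity": severity(environmental)}


if __name__ == "__main__":
    # The vector from this post; the M* metrics are all Not Defined (X).
    example = ("CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:R/"
               "CR:H/IR:H/AR:L/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X")
    print(score(example))
```

Note that 6.5 is the temporal (and, with these security requirements, the environmental) score; the base score for a local, low-privilege, no-interaction vulnerability with High impact on all three properties is 7.8. The unproven exploit (E:U), official fix (RL:O) and reasonable report confidence (RC:R) are what pull it down to 6.5, which is exactly the kind of adjustment a prioritization process should be making rather than sorting on base score alone.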

Why CVSS alone is not enough

Most security teams use CVSS to prioritize vulnerabilities, but CVSS measures severity, not the likelihood that a vulnerability will actually be exploited, so teams that sort purely by CVSS score spend much of their time on vulnerabilities that carry little real-world risk. The Exploit Prediction Scoring System (EPSS) addresses this by estimating the probability that a vulnerability will be exploited in the wild within the next 30 days; by that measure, prioritizing on EPSS can cut the remediation effort needed to cover the same set of exploited vulnerabilities by as much as 85% compared with prioritizing on CVSS. You can learn more about EPSS in our next blog.


SecOps Solution is an award-winning agent-less Full-stack Vulnerability and Patch Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.
