The Common Vulnerability Scoring System (CVSS) is a framework for communicating the severity of software vulnerabilities. Maintained by FIRST.Org, Inc., CVSS is an open framework that allows organizations, industries, and governments to assess the criticality of almost all publicly reported vulnerabilities. Security teams often use the CVSS score as part of their vulnerability management program to compare vulnerabilities and prioritize their remediation. The CVSS score ranges from 0 to 10, with 10 representing the most critical vulnerabilities. A CVSS score is also represented as a vector, i.e. a compressed textual representation of the metric values used to derive the score.
CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base score is rated on a scale of 0–10 and can then be modified by the Temporal and Environmental scores. CVSS measures severity; it is not a measure of the risk the organization faces from the vulnerability.
The Base score represents the intrinsic characteristics of a vulnerability, which do not change over time. The public CVSS scores published in NIST’s NVD reflect exclusively the Base scores. As such, they do not account for real-world exploitation, since the Base score considers neither the organization’s environment nor the mitigating controls placed within it.
Regardless, the CVSS Base score is a good starting point when comparing vulnerabilities.
The Base metric group consists of two sub-scores: Exploitability Metrics and Impact Metrics.
1.1 Exploitability Metrics:
The exploitability metrics capture the characteristics of the exploit. They are composed of the following metrics:
A. Attack Vector:
This represents the context in which the vulnerability can be exploited. It is classified into ‘Network’, ‘Adjacent Network’, ‘Local’, and ‘Physical’; the highest score goes to exploits that can be carried out remotely over a network, and the lowest to those that require physical presence.
B. Attack Complexity:
This describes the conditions that must exist for the attacker to exploit the vulnerability. Exploits whose conditions require access to a large amount of information about the target or its configuration settings are rated High on this metric, as opposed to Low for exploits that require none.
C. Privileges Required:
This indicates the level of privileges an attacker must possess before exploiting the vulnerability, categorized as None, Low, or High. An exploit that requires administrator-level privileges is rated High, whereas an exploit that requires no authentication is rated None.
D. User Interaction:
This metric captures whether a person other than the attacker must participate for the attack to succeed. An exploit that can occur autonomously, without the involvement of another person, is given a higher score than one that requires a separate user to take part in the attack.
E. Scope:
This represents the extent to which the exploit can affect components or subsystems beyond the vulnerable component’s own means or privileges. Exploits that can reach and damage the underlying operating system after exploiting a vulnerability in an application are given a higher score than exploits whose damage is confined to the application itself.
1.2 Impact Metrics:
A. Confidentiality Impact:
This metric represents the impact on the confidentiality of the resource compromised by a successful exploit of the vulnerability. Confidentiality refers to limiting information disclosure to authorized parties. Exploits that expose resources reachable only after authorized access are given higher scores than those that target publicly available resources.
B. Integrity Impact:
This represents the impact on the integrity of the resource compromised by the attack. Integrity refers to the trustworthiness of the information resource. A higher score is given to exploits that target resources integral to the organization’s functions.
C. Availability Impact:
This represents the loss of availability of the component compromised by a successful exploit; availability here refers to how much accessibility is lost. Exploits that consume large amounts of network bandwidth, processor cycles, or disk space are given a higher score.
2.0 Temporal Metrics
The Temporal metrics rate the vulnerability with respect to time and indicate its current level of criticality. They take into consideration factors such as the availability of mitigating controls or patches for the vulnerability. The group consists of three sub-components:
A. Exploit Code Maturity:
This represents the current state of exploit techniques for the vulnerability. If exploitation is easy and exploit code is readily available, a higher score is assigned to the vulnerability.
B. Remediation Level:
This represents the level of fix available for the vulnerability. When a vulnerability is first reported, the organization may work around it with hotfixes or interim remediation until a final fix is released. The score reflects the quality of the remediation in place so far and decreases as fixes are implemented and the exploit is completely removed from the system.
C. Report Confidence:
This represents the degree of confidence that the vulnerability exists. Sometimes a vulnerability is reported without the specific details needed to track it. This metric indicates whether the report is relevant and credible; a higher score reflects greater confidence in the reported vulnerability.
3.0 Environmental Metrics
The Environmental score, as the name suggests, considers factors specific to the organization. It is based on the security requirements within the organization and allows the Base CVSS score to be modified according to the organization’s specifics.
In addition to the modified Base (Exploitability and Impact) metrics, three subcomponents capture the organization’s security requirements: Confidentiality Requirement, Integrity Requirement, and Availability Requirement. These characterize the criticality of the resource in question; assets holding mission-critical data are given higher scores than less important assets.
Finally, the CVSS scores are calculated using the following equations.
Base
The Base Score is a function of the Impact and Exploitability sub score equations, where the Base score is defined as:
If (Impact sub score <= 0) 0 else,
Scope Unchanged: $\mathrm{Roundup}(\mathrm{Minimum}[(\mathrm{Impact} + \mathrm{Exploitability}),\ 10])$
Scope Changed: $\mathrm{Roundup}(\mathrm{Minimum}[1.08 \times (\mathrm{Impact} + \mathrm{Exploitability}),\ 10])$
and the Impact sub score (ISC) is defined as:
Scope Unchanged: $6.42 \times \mathrm{ISC}_{\mathrm{Base}}$
Scope Changed: $7.52 \times [\mathrm{ISC}_{\mathrm{Base}} - 0.029] - 3.25 \times [\mathrm{ISC}_{\mathrm{Base}} - 0.02]^{15}$
Where,
$\mathrm{ISC}_{\mathrm{Base}} = 1 - [(1 - \mathrm{Impact}_{\mathrm{Conf}}) \times (1 - \mathrm{Impact}_{\mathrm{Integ}}) \times (1 - \mathrm{Impact}_{\mathrm{Avail}})]$
And the Exploitability sub score is:
$8.22 \times \mathrm{AttackVector} \times \mathrm{AttackComplexity} \times \mathrm{PrivilegesRequired} \times \mathrm{UserInteraction}$
Temporal
The Temporal score is defined as:
$\mathrm{Roundup}(\mathrm{BaseScore} \times \mathrm{ExploitCodeMaturity} \times \mathrm{RemediationLevel} \times \mathrm{ReportConfidence})$
Environmental
The Environmental score is defined as:
If (Modified Impact sub score <= 0) 0 else,
If Modified Scope is Unchanged: $\mathrm{Roundup}(\mathrm{Roundup}(\mathrm{Minimum}[(\mathrm{M.Impact} + \mathrm{M.Exploitability}),\ 10]) \times \mathrm{ExploitCodeMaturity} \times \mathrm{RemediationLevel} \times \mathrm{ReportConfidence})$
If Modified Scope is Changed: $\mathrm{Roundup}(\mathrm{Roundup}(\mathrm{Minimum}[1.08 \times (\mathrm{M.Impact} + \mathrm{M.Exploitability}),\ 10]) \times \mathrm{ExploitCodeMaturity} \times \mathrm{RemediationLevel} \times \mathrm{ReportConfidence})$
And the Modified Impact sub score is defined as:
If Modified Scope is Unchanged: $6.42 \times \mathrm{ISC}_{\mathrm{Modified}}$
If Modified Scope is Changed: $7.52 \times [\mathrm{ISC}_{\mathrm{Modified}} - 0.029] - 3.25 \times [\mathrm{ISC}_{\mathrm{Modified}} \times 0.9731 - 0.02]^{13}$
Where,
$\mathrm{ISC}_{\mathrm{Modified}} = \mathrm{Minimum}\big[\,1 - (1 - \mathrm{M.I}_{\mathrm{Conf}} \times \mathrm{CR}) \times (1 - \mathrm{M.I}_{\mathrm{Integ}} \times \mathrm{IR}) \times (1 - \mathrm{M.I}_{\mathrm{Avail}} \times \mathrm{AR}),\ 0.915\,\big]$
The Modified Exploitability sub score is:
$8.22 \times \mathrm{M.AttackVector} \times \mathrm{M.AttackComplexity} \times \mathrm{M.PrivilegesRequired} \times \mathrm{M.UserInteraction}$
Note: “Round up” is defined as the smallest number, specified to one decimal place, that is equal to or higher than its input. For example, Round up (4.02) is 4.1, and Round up (4.00) is 4.0.
CVSS Base and Temporal scores are represented both as a numeric value and as a vector string.
Vector String:
The vector string is a textual representation of the metric values used to determine the score.
For example, the CVSS v2 base vector string “AV:L/AC:L/Au:M/C:P/I:P/A:P” (v2 uses the metric names Access Vector and Authentication, which v3 replaced with Attack Vector and Privileges Required) has these values:
AV:L indicates the Access Vector metric has a value of Local.
AC:L indicates the Access Complexity metric has a value of Low.
Au:M indicates the Authentication metric has a value of Multiple.
C:P indicates the Confidentiality Impact metric has a value of Partial.
I:P indicates the Integrity Impact metric has a value of Partial.
A:P indicates the Availability Impact metric has a value of Partial.
For example, CVE-2023-30545 has a base score of 6.5; it is an SQL injection vulnerability. For more information, see the NIST NVD website.
CVE-2023-30545: 6.5 Medium
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N