Abbreviation | CVSS |
---|---|
Status | Active |
First published | February 2005 |
Latest version | 4.0 |
Organization | Forum of Incident Response and Security Teams |
Domain | Information security |
Website | www |
The Common Vulnerability Scoring System (CVSS) is a technical standard for assessing the severity of vulnerabilities in computing systems. Scores are calculated based on a formula with several metrics that approximate ease and impact of an exploit. Scores range from 0 to 10, with 10 being the most severe. While many use only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in availability of mitigations and how widespread vulnerable systems are within an organization, respectively.
The current version of CVSS (CVSSv4.0) was released in November 2023. [1]
CVSS is not intended to be used as a method for patch management prioritization, but is used like that regardless. [2]
Research by the National Infrastructure Advisory Council (NIAC) in 2003/2004 led to the launch of CVSS version 1 (CVSSv1) in February 2005, [3] with the goal of being "designed to provide open and universally standard severity ratings of software vulnerabilities". This initial draft had not been subject to peer review or review by other organizations. In April 2005, NIAC selected the Forum of Incident Response and Security Teams (FIRST) to become the custodian of CVSS for future development. [4] [5]
Feedback from vendors using CVSSv1 in production suggested there were "significant issues with the initial draft of CVSS". Work on CVSS version 2 (CVSSv2) began in April 2005 with the final specification being launched in June 2007. [6]
Further feedback resulted in work beginning on CVSS version 3 [7] in 2012, ending with CVSSv3.0 being released in June 2015. [8] [3]
The CVSS assessment measures three areas of concern:
A numerical score is generated for each of these metric groups. A vector string (or simply "vector" in CVSSv2) represents the values of all the metrics as a block of text.
Complete documentation for CVSSv2 is available from FIRST. [9] A summary is provided below.
The access vector (AV) shows how a vulnerability may be exploited.
Value | Description | Score |
---|---|---|
Local (L) | The attacker must either have physical access to the vulnerable system (e.g. firewire attacks) or a local account (e.g. a privilege escalation attack). | 0.395 |
Adjacent Network (A) | The attacker must have access to the broadcast or collision domain of the vulnerable system (e.g. ARP spoofing, Bluetooth attacks). | 0.646 |
Network (N) | The vulnerable interface is working at layer 3 or above of the OSI Network stack. These types of vulnerabilities are often described as remotely exploitable (e.g. a remote buffer overflow in a network service) | 1.0 |
The access complexity (AC) metric describes how easy or difficult it is to exploit the discovered vulnerability.
Value | Description | Score |
---|---|---|
High (H) | Specialised conditions exist, such as a race condition with a narrow window, or a requirement for social engineering methods that would be readily noticed by knowledgeable people. | 0.35 |
Medium (M) | There are some additional requirements for the attack, such as a limit on the origin of the attack, or a requirement for the vulnerable system to be running with an uncommon, non-default configuration. | 0.61 |
Low (L) | There are no special conditions for exploiting the vulnerability, such as when the system is available to large numbers of users, or the vulnerable configuration is ubiquitous. | 0.71 |
The authentication (Au) metric describes the number of times that an attacker must authenticate to a target to exploit it. It does not include (for example) authentication to a network in order to gain access. For locally exploitable vulnerabilities, this value should only be set to Single or Multiple if further authentication is required after initial access.
Value | Description | Score |
---|---|---|
Multiple (M) | Exploitation of the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time. | 0.45 |
Single (S) | The attacker must authenticate once in order to exploit the vulnerability. | 0.56 |
None (N) | There is no requirement for the attacker to authenticate. | 0.704 |
The confidentiality (C) metric describes the impact on the confidentiality of data processed by the system.
Value | Description | Score |
---|---|---|
None (N) | There is no impact on the confidentiality of the system. | 0.0 |
Partial (P) | There is considerable disclosure of information, but the scope of the loss is constrained such that not all of the data is available. | 0.275 |
Complete (C) | There is total information disclosure, providing access to any / all data on the system. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. | 0.660 |
The Integrity (I) metric describes the impact on the integrity of the exploited system.
Value | Description | Score |
---|---|---|
None (N) | There is no impact on the integrity of the system. | 0.0 |
Partial (P) | Modification of some data or system files is possible, but the scope of the modification is limited. | 0.275 |
Complete (C) | There is total loss of integrity; the attacker can modify any files or information on the target system. | 0.660 |
The availability (A) metric describes the impact on the availability of the target system. Attacks that consume network bandwidth, processor cycles, memory, or any other resources affect the availability of a system.
Value | Description | Score |
---|---|---|
None (N) | There is no impact on the availability of the system. | 0.0 |
Partial (P) | There is reduced performance or loss of some functionality. | 0.275 |
Complete (C) | There is total loss of availability of the attacked resource. | 0.660 |
These six metrics are used to calculate the exploitability and impact sub-scores of the vulnerability. These sub-scores are used to calculate the overall base score.
The metrics are concatenated to produce the CVSS Vector for the vulnerability.
A buffer overflow vulnerability affects web server software that allows a remote user to gain partial control of the system, including the ability to cause it to shut down:
Metric | Value | Description |
---|---|---|
Attack Vector | Network | The vulnerability may be accessed from any network that can access the target system — typically the whole of the internet. |
Attack Complexity | Low | There are no special requirements for access. |
Authentication | None | There is no requirement for authentication in order to exploit the vulnerability. |
Confidentiality | Partial | The attacker can read some files and data on the system. |
Integrity | Partial | The attacker can alter some files and data on the system. |
Availability | Complete | The attacker can cause the system and web service to become unavailable / unresponsive by shutting the system down. |
This would give an exploitability sub-score of 10, and an impact sub-score of 8.5, giving an overall base score of 9.0. The vector for the base score in this case would be AV:N/AC:L/Au:N/C:P/I:P/A:C. The score and vector are normally presented together to allow the recipient to fully understand the nature of the vulnerability and to calculate their own environmental score if necessary.
The value of temporal metrics change over the lifetime of the vulnerability, as exploits are developed, disclosed and automated and as mitigations and fixes are made available.
The exploitability (E) metric describes the current state of exploitation techniques or automated exploitation code.
Value | Description | Score |
---|---|---|
Unproven (U) | No exploit code is available, or the exploit is theoretical. | 0.85 |
Proof-of-concept (P) | Proof-of-concept exploit code or demonstration attacks are available, but not practical for widespread use. Not functional against all instances of the vulnerability. | 0.9 |
Functional (F) | Functional exploit code is available, and works in most situations where the vulnerability is present. | 0.95 |
High (H) | The vulnerability can be exploited by automated code, including mobile code (such as a worm or virus). | 1.0 |
Not Defined (ND) | This is a signal to ignore this score. | 1.0 |
The remediation level (RL) of a vulnerability allows the temporal score of a vulnerability to decrease as mitigations and official fixes are made available.
Value | Description | Score |
---|---|---|
Official Fix (O) | A complete vendor solution is available — either a patch or an upgrade. | 0.87 |
Temporary Fix (T) | There is an official but temporary fix / mitigation available from the vendor. | 0.90 |
Workaround (W) | There is an unofficial, non-vendor solution or mitigation available — perhaps developed or suggested by users of the affected product or another third party. | 0.95 |
Unavailable (U) | There is no solution available, or it is impossible to apply a suggested solution. This is the usual initial state of the remediation level when a vulnerability is identified. | 1.0 |
Not Defined (ND) | This is a signal to ignore this score. | 1.0 |
The report confidence (RC) of a vulnerability measures the level of confidence in the existence of the vulnerability and also the credibility of the technical details of the vulnerability.
Value | Description | Score |
---|---|---|
Unconfirmed (UC) | A single unconfirmed source, or multiple conflicting sources. Rumored vulnerability. | 0.9 |
Uncorroborated (UR) | Multiple sources that broadly agree — there may be a level of remaining uncertainty about the vulnerability | 0.95 |
Confirmed (C) | Acknowledged and confirmed by the vendor or manufacturer of the affected product. | 1.0 |
Not Defined (ND) | This is a signal to ignore this score. | 1.0 |
These three metrics are used in conjunction with the base score that has already been calculated to produce the temporal score for the vulnerability with its associated vector.
The formula used to calculate the temporal score is:
To continue with the example above, if the vendor was first informed of the vulnerability by a posting of proof-of-concept code to a mailing list, the initial temporal score would be calculated using the values shown below:
Metric | Value | Description |
---|---|---|
Exploitability | Proof-of-concept | Proof-of concept, non-automated code is provided to show basic exploit functionality. |
Remediation Level | Unavailable | The vendor has not yet had the opportunity to provide a mitigation or fix. |
Report Confidence | Unconfirmed | There has been a single report of the vulnerability. |
This would give a temporal score of 7.3, with a temporal vector of E:P/RL:U/RC:UC (or a full vector of AV:N/AC:L/Au:N/C:P/I:P/A:C/E:P/RL:U/RC:UC).
If the vendor then confirms the vulnerability, then the score rises to 8.1, with a temporal vector of E:P/RL:U/RC:C
A temporary fix from the vendor would reduce the score back to 7.3 (E:P/RL:T/RC:C), while an official fix would reduce it further to 7.0 (E:P/RL:O/RC:C). As it is not possible to be confident that every affected system has been fixed or patched, the temporal score cannot reduce below a certain level based on the vendor's actions, and may increase if an automated exploit for the vulnerability is developed.
The environmental metrics use the base and current temporal score to assess the severity of a vulnerability in the context of the way that the vulnerable product or software is deployed. This measure is calculated subjectively, typically by affected parties.
The collateral damage potential (CDP) metric measures the potential loss or impact on either physical assets such as equipment (and lives), or the financial impact upon the affected organisation if the vulnerability is exploited.
Value | Description | Score |
---|---|---|
None (N) | No potential for loss of property, revenue or productivity | 0 |
Low (L) | Slight damage to assets, or minor loss of revenue or productivity | 0.1 |
Low-Medium (LM) | Moderate damage or loss | 0.3 |
Medium-High (MH) | Significant damage or loss | 0.4 |
High (H) | Catastrophic damage or loss | 0.5 |
Not Defined (ND) | This is a signal to ignore this score. | 0 |
The target distribution (TD) metric measures the proportion of vulnerable systems in the environment.
Value | Description | Score |
---|---|---|
None (N) | No target systems exist, or they only exist in laboratory settings | 0 |
Low (L) | 1–25% of systems at risk | 0.25 |
Medium (M) | 26–75% of systems at risk | 0.75 |
High (H) | 76–100% of systems at risk | 1.0 |
Not Defined (ND) | This is a signal to ignore this score. | 1.0 |
Three further metrics assess the specific security requirements for confidentiality (CR), integrity (IR) and availability (AR), allowing the environmental score to be fine-tuned according to the users' environment.
Value | Description | Score |
---|---|---|
Low (L) | Loss of (confidentiality / integrity / availability) is likely to have only a limited effect on the organisation. | 0.5 |
Medium (M) | Loss of (confidentiality / integrity / availability) is likely to have a serious effect on the organisation. | 1.0 |
High (H) | Loss of (confidentiality / integrity / availability) is likely to have a catastrophic effect on the organisation. | 1.51 |
Not Defined (ND) | This is a signal to ignore this score. | 1.0 |
The five environmental metrics are used in conjunction with the previously assessed base and temporal metrics to calculate the environmental score and to produce the associated environmental vector.
If the aforementioned vulnerable web server were used by a bank to provide online banking services, and a temporary fix was available from the vendor, then the environmental score could be assessed as:
Metric | Value | Description |
---|---|---|
Collateral Damage Potential | Medium-High | This value would depend on what information the attacker is able to access if a vulnerable system is exploited. In this case I am assuming that some personal banking information is available, therefore there is a significant reputational impact on the bank. |
Target Distribution | High | All of the bank's web servers run the vulnerable software. |
Confidentiality Requirement | High | Customers expect their banking information to be confidential. |
Integrity Requirement | High | Financial and personal information should not be changeable without authorization. |
Availability Requirement | Low | Unavailability of online banking services is likely to be an inconvenience for customers, but not catastrophic. |
This would give an environmental score of 8.2, and an environmental vector of CDP:MH/TD:H/CR:H/IR:H/AR:L. This score is within the range 7.0-10.0, and therefore constitutes a critical vulnerability in the context of the affected bank's business.
Several vendors and organizations expressed dissatisfaction with CVSSv2.
Risk Based Security, which manages the Open Source Vulnerability Database, and the Open Security Foundation jointly published a public letter to FIRST regarding the shortcomings and failures of CVSSv2. [10] The authors cited a lack of granularity in several metrics, which results in CVSS vectors and scores that do not properly distinguish vulnerabilities of different type and risk profiles. The CVSS scoring system was also noted as requiring too much knowledge of the exact impact of the vulnerability.
Oracle introduced the new metric value of "Partial+" for Confidentiality, Integrity, and Availability, to fill perceived gaps in the description between Partial and Complete in the official CVSS specifications. [11]
To address some of these criticisms, development of CVSS version 3 was started in 2012. The final specification was named CVSSv3.0 and released in June 2015. In addition to a Specification Document, a User Guide and Examples document were also released. [12]
Several metrics were changed, added, and removed. The numerical formulas were updated to incorporate the new metrics while retaining the existing scoring range of 0-10. Textual severity ratings of None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0) [13] were defined, similar to the categories NVD defined for CVSSv2 that were not part of that standard. [14]
In the Base vector, the new metrics User Interaction (UI) and Privileges Required (PR) were added to help distinguish vulnerabilities that required user interaction or user or administrator privileges to be exploited. Previously, these concepts were part of the Access Vector metric of CVSSv2. UI can take the values None or Required; attacks that do not require logging in as a user are considered more severe. PR can take the values None, Low, or High; similarly, attacks requiring fewer privileges are more severe.
The Base vector also saw the introduction of the new Scope (S) metric, which was designed to make clear which vulnerabilities may be exploited and then used to attack other parts of a system or network. These new metrics allow the Base vector to more clearly express the type of vulnerability being evaluated.
The Confidentiality, Integrity, and Availability (C, I, A) metrics were updated to have scores consisting of None, Low, or High, rather than the None, Partial, and Complete of CVSSv2. This allows more flexibility in determining the impact of a vulnerability on CIA metrics.
Access Complexity was renamed Attack Complexity (AC) to make clear that access privileges were moved to a separate metric. This metric now describes how repeatable exploit of this vulnerability may be; AC is High if the attacker requires perfect timing or other circumstances (other than user interaction, which is also a separate metric) which may not be easily duplicated on future attempts.
Attack Vector (AV) saw the inclusion of a new metric value of Physical (P), to describe vulnerabilities that require physical access to the device or system to perform.
The Temporal metrics were essentially unchanged from CVSSv2.
The Environmental metrics of CVSSv2 were completely removed and replaced with essentially a second Base score, known as the Modified vector. The Modified Base is intended to reflect differences within an organization or company compared to the world as a whole. New metrics to capture the importance of Confidentiality, Integrity, and Availability to a specific environment were added.
In a blog post in September 2015, the CERT Coordination Center discussed limitations of CVSSv2 and CVSSv3.0 for use in scoring vulnerabilities in emerging technology systems such as the Internet of Things. [15]
A minor update to CVSS was released on June 17, 2019. The goal of CVSSv3.1 was to clarify and improve upon the existing CVSSv3.0 standard without introducing new metrics or metric values, allowing for frictionless adoption of the new standard by both scoring providers and scoring consumers alike. Usability was a prime consideration when making improvements to the CVSS standard. Several changes being made in CVSSv3.1 are to improve the clarity of concepts introduced in CVSSv3.0, and thereby improve the overall ease of use of the standard.
FIRST has used input from industry subject-matter experts to continue to enhance and refine CVSS to be more and more applicable to the vulnerabilities, products, and platforms being developed over the past 15 years and beyond. The primary goal of CVSS is to provide a deterministic and repeatable way to score the severity of a vulnerability across many different constituencies, allowing consumers of CVSS to use this score as input to a larger decision matrix of risk, remediation, and mitigation specific to their particular environment and risk tolerance.
Updates to the CVSSv3.1 specification include clarification of the definitions and explanation of existing base metrics such as Attack Vector, Privileges Required, Scope, and Security Requirements. A new standard method of extending CVSS, called the CVSS Extensions Framework, was also defined, allowing a scoring provider to include additional metrics and metric groups while retaining the official Base, Temporal, and Environmental Metrics. The additional metrics allow industry sectors such as privacy, safety, automotive, healthcare, etc., to score factors that are outside the core CVSS standard. Finally, the CVSS Glossary of Terms has been expanded and refined to cover all terms used throughout the CVSSv3.1 documentation.
Version 4.0 was officially released in November 2023, [1] and is available at FIRST. [16] Among several clarifications, the most notable changes are the new base metric Attack Requirements which complement the metric Attack Complexity with an assessment what conditions at the target side are needed to exploit a vulnerability. Further, the Impact metrics are split into impact on the vulnerable system itself and impact on subsequent systems (this replaces the Scope metric from prior versions).
The base metrics are now as follows.
Additionally to these base metrics, there are optional metrics regarding public availability of an exploit, environment specific thread modelling, system recovery, and others.
Assume there is an SQL-Injection in an online web shop. The database user of the online shop software only has read access to the database. Further the injection is in a view of the shop which is only visible to registered customers. The CVSS 4.0 base vector is as follows.
This results in the vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:L
Versions of CVSS have been adopted as the primary method for quantifying the severity of vulnerabilities by a wide range of organizations and companies, including:
In computer security, an attack vector is a specific path, method, or scenario that can be exploited to break into an IT system, thus compromising its security. The term was derived from the corresponding notion of vector in biology. An attack vector may be exploited manually, automatically, or through a combination of manual and automatic activity.
Code injection is a class of computer security exploit in which vulnerable computer programs or system processes fail to correctly handle external data, such as user input, leading to the program misinterpreting the data as a command that should be executed. An attacker using this method "injects" code into the program while it is running. Successful exploitation of a code injection vulnerability can result in data breaches, access to restricted or critical computer systems, and the spread of malware.
Vulnerabilities are flaws in a computer system that weaken the overall security of the system.
The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
In computer security, arbitrary code execution (ACE) is an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network is often referred to as remote code execution.
KDE Wallet Manager (KWallet) is free and open-source password management software written in C++ for UNIX-style operating systems. KDE Wallet Manager runs on a Linux-based OS and Its main feature is storing encrypted passwords in KDE Wallets. The main feature of KDE wallet manager (KWallet) is to collect user's credentials such as passwords or IDs and encrypt them through Blowfish symmetric block cipher algorithm or GNU Privacy Guard encryption.
SAINT is computer software used for scanning computer networks for security vulnerabilities, and exploiting found vulnerabilities.
The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. NVD supports the Information Security Automation Program (ISAP). NVD is managed by the U.S. government agency the National Institute of Standards and Technology (NIST).
Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.
A vulnerability database (VDB) is a platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potential impact on affected systems, and any workarounds or updates to mitigate the issue. A VDB will assign a unique identifier to each vulnerability cataloged such as a number or alphanumeric designation. Information in the database can be made available via web pages, exports, or API. A VDB can provide the information for free, for pay, or a combination thereof.
The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools that can be used to identify, fix, and prevent those flaws. The project is sponsored by the office of the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which is operated by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.
In computer security a countermeasure is an action, device, procedure, or technique that reduces a threat, vulnerability, or attack, eliminating or preventing it by minimizing the harm it can cause. It can also include discovering and reporting vunerabilities so that corrective action can be taken.
In computer security, a threat is a potential negative action or event enabled by a vulnerability that results in an unwanted impact to a computer system or application.
Kiteworks, formerly known as Accellion, Inc., is an American technology company that secures sensitive content communications over channels such as email, file share, file transfer, managed file transfer, web forms, and application programming interfaces. The company was founded in 1999 in Singapore and is now based in San Mateo, California.
Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." The understanding of social and environmental vulnerability, as a methodological approach, involves the analysis of the risks and assets of disadvantaged groups, such as the elderly. The approach of vulnerability in itself brings great expectations of social policy and gerontological planning. Types of vulnerability include social, cognitive, environmental, emotional or military.
A cyberattack occurs when there is an unauthorized action against computer infrastructure that compromises the confidentiality, integrity, or availability of its content.
Rowhammer is a computer security exploit that takes advantage of an unintended and undesirable side effect in dynamic random-access memory (DRAM) in which memory cells interact electrically between themselves by leaking their charges, possibly changing the contents of nearby memory rows that were not addressed in the original memory access. This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times.
Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events. The term has become established to demonstrate the technological and functional differences between traditional information technology (IT) systems and industrial control systems environment, the so-called "IT in the non-carpeted areas".
Log4Shell (CVE-2021-44228) is a zero-day vulnerability reported in November 2021 in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.
WinShock is computer exploit that exploits a vulnerability in the Windows secure channel (SChannel) module and allows for remote code execution. The exploit was discovered in May 2014 by IBM, who also helped patch the exploit. The exploit was present and undetected in Windows software for 19 years, affecting every Windows version from Windows 95 to Windows 8.1
MITRE and CERT/CC both bring distinct but important value. Based on those proposals, the Working Group strongly suggests that these organizations work under the umbrella provided by Global FIRST for the CVSS.