Quick Tutorial: What are CVSS scores

CVSS, short for Common Vulnerability Scoring System, is a method of assigning a numerical value of range 1 to 10, to denote the severity of the vulnerability. The score helps cyber security professionals to assess the severity of the vulnerability. High the CVSS score, the more will be the severity. This blog helps you to understand the factors behind the calculation of the CVSS score.

CVSS score calculation metrics

CVSS score is calculated based on three metric groups – Basic, Temporal, and Environmental. Each component has further divided into different components.

(1) Basic Metric Group

It will represent the attribute of vulnerability.

Exploitability MetricsImpact Metrics
Attack Vector - Network (N), Adjacent (A), Local (L), and Physical (P) Confidentiality Impact - High (H), Low (L), None (N)
Attack Complexity - Low (L), High (H)Integrity Impact - High (H), Low (L), None (N)
Privileges Required - None (N), Low (L), High (H)Availability Impact - High (H), Low (L), None (N)
User Interaction - None (N), Required (R)Scope - Unchanged (U), Changed (C)
Scope - Unchanged (U), Changed (C)

(2) Temporal Metric Group

As the name suggests, here components of vulnerability change over time.

Exploit Code Maturity - Not Defined (X), High (H), Functional (F), Proof-of-Concept (P), Unproven (U)
Remediation Level - Not Defined (X), Unavailable (U), Workaround (W), Temporary Fix (T), Official Fix (O)
Report Confidence - Not Defined (X), Confirmed (C), Reasonable (R), Unknown (U)

(3) Environment Metric Group

Environmental Metric group help in modification of base CVSS based on different components.

Confidentiality Requirement - Not Defined (X), High (H), Medium (M), Low (L)
Integrity Requirement - Not Defined (X), High (H), Medium (M), Low (L)
Availability Requirement - Not Defined (X), High (H), Medium (M), Low (L)
Modified Base Metrics - Modified Attack Vector (MAV), Modified Attack Complexity (MAC), Modified Privileges Required (MPR), Modified User Interaction (MUI), Modified Scope (MS), Modified Confidentiality (MC), Modified Integrity (MI), Modified Availability (MA)

CVSS Qualitative Ratings

CVSS score is further classified based on Qualitative Ratings. This will help in assigning the severity into 5 different ratings.

CVSS ScoreQualitative Rating
0None
0.1-3.9Low
4.0-6.9Medium
7.0-8.9High
9.0-10Critical

CVE format

CVE should be assigned in the below format:

CVE-[Full-Year]-[Sequential-Identifier]

Example -CVE for the popular Heartbleed vulnerability is CVE-2014-0160

Conclusion

This blog gives you a basic overview of CVSS scores based on the CVSS score calculation metrics. Just remember the factors behind the calculation of CVSS scores that help you in the understanding severity of the vulnerability.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published.