Quick Tutorial: What are CVSS scores
CVSS, short for Common Vulnerability Scoring System, is a method of assigning a numerical value of range 1 to 10, to denote the severity of the vulnerability. The score helps cyber security professionals to assess the severity of the vulnerability. High the CVSS score, the more will be the severity. This blog helps you to understand the factors behind the calculation of the CVSS score.
CVSS score calculation metrics
CVSS score is calculated based on three metric groups – Basic, Temporal, and Environmental. Each component has further divided into different components.
(1) Basic Metric Group
It will represent the attribute of vulnerability.
| Exploitability Metrics | Impact Metrics |
| Attack Vector - Network (N), Adjacent (A), Local (L), and Physical (P) | Confidentiality Impact - High (H), Low (L), None (N) |
| Attack Complexity - Low (L), High (H) | Integrity Impact - High (H), Low (L), None (N) |
| Privileges Required - None (N), Low (L), High (H) | Availability Impact - High (H), Low (L), None (N) |
| User Interaction - None (N), Required (R) | Scope - Unchanged (U), Changed (C) |
| Scope - Unchanged (U), Changed (C) |
(2) Temporal Metric Group
As the name suggests, here components of vulnerability change over time.
| Exploit Code Maturity - Not Defined (X), High (H), Functional (F), Proof-of-Concept (P), Unproven (U) |
| Remediation Level - Not Defined (X), Unavailable (U), Workaround (W), Temporary Fix (T), Official Fix (O) |
| Report Confidence - Not Defined (X), Confirmed (C), Reasonable (R), Unknown (U) |
(3) Environment Metric Group
Environmental Metric group help in the modification of base CVSS based on different components.
| Confidentiality Requirement - Not Defined (X), High (H), Medium (M), Low (L) |
| Integrity Requirement - Not Defined (X), High (H), Medium (M), Low (L) |
| Availability Requirement - Not Defined (X), High (H), Medium (M), Low (L) |
| Modified Base Metrics - Modified Attack Vector (MAV), Modified Attack Complexity (MAC), Modified Privileges Required (MPR), Modified User Interaction (MUI), Modified Scope (MS), Modified Confidentiality (MC), Modified Integrity (MI), Modified Availability (MA) |
CVSS Qualitative Ratings
CVSS score is further classified based on Qualitative Ratings. This will help in assigning the severity into 5 different ratings.
| CVSS Score | Qualitative Rating |
| 0 | None |
| 0.1-3.9 | Low |
| 4.0-6.9 | Medium |
| 7.0-8.9 | High |
| 9.0-10 | Critical |
CVE format
CVE should be assigned in the below format:
CVE-[Full-Year]-[Sequential-Identifier]
Example -CVE for the popular Heartbleed vulnerability is CVE-2014-0160
Conclusion
This blog gives you a basic overview of CVSS scores based on the CVSS score calculation metrics. Just remember the factors behind the calculation of CVSS scores that help you in the understanding severity of the vulnerability.
Subscribe us to receive more such articles updates in your email.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.
