CVSS (Common Vulnerability Scoring System) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS provides a numerical score (0-10) and qualitative rating to help prioritize remediation.
CVSS Score Ranges
0.0 None
0.1 - 3.9 Low
4.0 - 6.9 Medium
7.0 - 8.9 High
9.0 - 10.0 Critical
CVSS v3.1 Base Metrics
- Attack Vector (AV): Network/Adjacent/Local/Physical
- Attack Complexity (AC): Low/High
- Privileges Required (PR): None/Low/High
- User Interaction (UI): None/Required
- Scope (S): Unchanged/Changed
- Confidentiality (C): None/Low/High
- Integrity (I): None/Low/High
- Availability (A): None/Low/High
CVSS Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8 (Critical)
Breakdown:
- Network accessible (AV:N)
- Low complexity (AC:L)
- No privileges needed (PR:N)
- No user interaction (UI:N)
- Scope unchanged (S:U)
- High impact to CIA (C:H/I:H/A:H)
Score Types
- Base: Intrinsic qualities (doesn't change)
- Temporal: Factors that change over time (exploit availability)
- Environmental: Organization-specific factors
CVSS 4.0 (November 2023)
CVSS 4.0 introduces significant changes:
- New Attack Requirements (AT) metric replacing Attack Complexity
- Renamed metric groups: Base, Threat (was Temporal), Environmental
- New supplemental metrics: Automatable, Recovery, Value Density, Provider Urgency
- Multiple scoring nomenclature: CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE
CVSS 4.0 Vector Example:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
See Also