Security Glossary

CVSS (Common Vulnerability Scoring System)

A scoring system providing numerical ratings (0-10) for vulnerability severity based on attack characteristics and impact metrics.

CVSS (Common Vulnerability Scoring System) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS provides a numerical score (0-10) and qualitative rating to help prioritize remediation.

CVSS Score Ranges

0.0         None
0.1 - 3.9   Low
4.0 - 6.9   Medium
7.0 - 8.9   High
9.0 - 10.0  Critical

CVSS v3.1 Base Metrics

  • Attack Vector (AV): Network/Adjacent/Local/Physical
  • Attack Complexity (AC): Low/High
  • Privileges Required (PR): None/Low/High
  • User Interaction (UI): None/Required
  • Scope (S): Unchanged/Changed
  • Confidentiality (C): None/Low/High
  • Integrity (I): None/Low/High
  • Availability (A): None/Low/High

CVSS Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8 (Critical)

Breakdown:
- Network accessible (AV:N)
- Low complexity (AC:L)
- No privileges needed (PR:N)
- No user interaction (UI:N)
- Scope unchanged (S:U)
- High impact to CIA (C:H/I:H/A:H)

Score Types

  • Base: Intrinsic qualities (doesn't change)
  • Temporal: Factors that change over time (exploit availability)
  • Environmental: Organization-specific factors

CVSS 4.0 (November 2023)

CVSS 4.0 introduces significant changes:

  • New Attack Requirements (AT) metric replacing Attack Complexity
  • Renamed metric groups: Base, Threat (was Temporal), Environmental
  • New supplemental metrics: Automatable, Recovery, Value Density, Provider Urgency
  • Multiple scoring nomenclature: CVSS-B, CVSS-BT, CVSS-BE, CVSS-BTE
CVSS 4.0 Vector Example:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

See Also