
What is CVSS and how is it calculated?

Learn how the Common Vulnerability Scoring System calculates severity scores for vulnerabilities and how to interpret CVSS ratings.

By Inventive HQ Team

Introduction to CVSS

CVSS stands for Common Vulnerability Scoring System. It's a standardized, open-source framework for rating the severity of software vulnerabilities. CVSS produces a numerical score ranging from 0.0 to 10.0, where 0.0 indicates no vulnerability and 10.0 indicates maximum severity.

The CVSS score helps organizations prioritize vulnerability remediation by providing a standardized way to assess relative severity. Rather than each organization inventing its own severity ratings, CVSS enables consistent communication about vulnerability impact across vendors, security researchers, and organizations.

CVSS was developed by NIST (National Institute of Standards and Technology) and first released in 2005. The latest version, CVSS v3.1, was released in 2019 and is the standard currently used for new CVE assignments. CVSS v4.0 was released in 2023 and is gradually being adopted.

The CVSS Scoring Scale

CVSS scores fall into severity categories that help organizations quickly understand relative criticality:

0.0: No vulnerability or no impact

0.1-3.9 (Low): Vulnerabilities with limited impact. Typically require specific conditions, unlikely to cause widespread damage. Remediation can often be scheduled during regular maintenance windows.

4.0-6.9 (Medium): Vulnerabilities with moderate impact. May require specific conditions but could significantly affect system operation. Should be remediated within reasonable timeframes.

7.0-8.9 (High): Serious vulnerabilities likely to cause significant damage if exploited. Should be prioritized for remediation, typically within weeks.

9.0-10.0 (Critical): Severe vulnerabilities requiring immediate attention. Should be remediated as soon as possible, often within days or hours.

These categories enable quick severity assessment. A critical rating immediately signals the need for urgent action, while a low rating allows more flexible scheduling.

CVSS Base Score Metrics (Version 3.1)

CVSS v3.1 calculates severity using eight base metrics that describe the intrinsic characteristics of a vulnerability:

Attack Vector (AV): How the vulnerability is exploited.

  • Network (N): Remote exploitation over the network without authentication. Most critical because it enables attacks from anywhere on the internet.
  • Adjacent (A): Requires network access but limited to adjacent networks (same network segment). More restrictive than network.
  • Local (L): Requires local access to the affected system. The attacker must already have the ability to execute code on, or otherwise access, the system.
  • Physical (P): Requires physical access to the system. Most restrictive.

Attack Complexity (AC): What conditions are required for exploitation.

  • Low (L): Exploitation is straightforward with minimal additional conditions or specialized knowledge.
  • High (H): Exploitation requires specific, uncommon conditions (specific software versions, rare configurations, timing attacks).

Privileges Required (PR): What privileges the attacker must have before exploiting the vulnerability.

  • None (N): No privileges required. Any unauthenticated user can exploit it.
  • Low (L): Attacker needs limited privileges, like a regular user account.
  • High (H): Attacker needs significant privileges, like administrator or root access.

User Interaction (UI): Whether another user must be involved.

  • None (N): Vulnerability is exploitable without user interaction. Most critical because it doesn't require social engineering.
  • Required (R): A user must perform an action (clicking a link, opening an attachment) to trigger exploitation.

Scope (S): Whether exploiting the vulnerability affects only the vulnerable component or impacts other components or systems.

  • Unchanged (U): Vulnerability affects only the vulnerable component or application.
  • Changed (C): Exploitation affects other components or the security context extends beyond the vulnerable component. For example, escaping a container to affect the host system.

Confidentiality Impact (C): Potential impact on data confidentiality.

  • None (N): No information disclosure.
  • Low (L): Limited loss of confidentiality. Highly sensitive information might be disclosed, but access is restricted or limited in scope.
  • High (H): Complete loss of confidentiality. All information in the affected system is disclosed to the attacker.

Integrity Impact (I): Potential impact on data integrity.

  • None (N): No integrity impact.
  • Low (L): Limited ability to modify data. Attackers might alter minor data or have restrictions on what can be changed.
  • High (H): Complete ability to modify data. Attackers can alter or delete all data without restrictions.

Availability Impact (A): Potential impact on system availability.

  • None (N): No availability impact.
  • Low (L): Limited denial of service. Performance degradation or intermittent unavailability.
  • High (H): Complete denial of service. System becomes completely unavailable.

Example CVSS Scoring

Let's consider a real-world vulnerability and calculate its CVSS score:

Vulnerability: Remote code execution in a web application

  • Attack Vector: Network (can be exploited remotely)
  • Attack Complexity: Low (straightforward exploitation)
  • Privileges Required: None (no authentication needed)
  • User Interaction: None (no user interaction needed)
  • Scope: Changed (code execution affects the entire system)
  • Confidentiality Impact: High (attacker gains full system access)
  • Integrity Impact: High (attacker can modify data)
  • Availability Impact: High (attacker can disable the system)

This would result in a CVSS v3.1 base score of 9.8 (Critical) because:

  • Network attack vector (most critical)
  • No privileges or user interaction required
  • Scope change allows impact beyond the vulnerable component
  • High impact on all three impact categories (CIA)

In contrast, consider a local privilege escalation:

  • Attack Vector: Local (requires local system access first)
  • Attack Complexity: Low
  • Privileges Required: Low (regular user can exploit)
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

This would score 8.8 (High) because the attack vector is local, requiring existing system access.

Temporal and Environmental Metrics

Beyond the base score, CVSS includes optional metrics that account for changing circumstances:

Temporal Metrics describe the current state of the vulnerability:

  • Exploit Code Maturity: Whether functional exploit code is available (affects likelihood of exploitation)
  • Remediation Level: Whether patches or workarounds are available (full fix, workaround, or unavailable)
  • Report Confidence: How much evidence supports the vulnerability assessment (confirmed, reasonable, unconfirmed)

These metrics adjust the base score based on current circumstances. A vulnerability with working exploits available typically receives a higher temporal score than one without.

Environmental Metrics account for organizational factors:

  • Confidentiality Requirement: How critical is the data confidentiality?
  • Integrity Requirement: How critical is data integrity?
  • Availability Requirement: How critical is system availability?

An organization might adjust a vulnerability's severity based on how critical the affected system is to their operations. A medium severity vulnerability in a critical payment system might warrant urgent patching, while the same vulnerability in a test environment might be deferred.

CVSS v4.0 Updates

CVSS v4.0 (released in 2023) refines the scoring system with additional metrics and improved accuracy:

  • Vulnerable System Autonomy: Whether the system operates independently or as part of a larger infrastructure
  • Vulnerable Component Type: Distinguishes between different types of vulnerable components (applications, OSes, etc.)
  • Value Density: Whether the system holds single or multiple types of sensitive data
  • Safety Impact: Whether the vulnerability could impact safety (important for industrial systems)
  • Threat Intelligence: Information about active threats and exploits

These additions provide more nuanced severity assessment, particularly for industrial systems, cloud infrastructure, and emerging threat landscapes.

How Organizations Use CVSS Scores

In practice, CVSS scores drive vulnerability management decisions:

Prioritization: Organizations typically focus remediation efforts on high and critical severity vulnerabilities first. Medium severity vulnerabilities are remediated within defined timeframes, and low severity vulnerabilities are often addressed during regular maintenance.

Service level agreements: Many organizations define SLAs based on CVSS severity:

  • Critical: Remediate within 1-7 days
  • High: Remediate within 1-4 weeks
  • Medium: Remediate within 1-3 months
  • Low: Remediate within 1-6 months

Compliance requirements: Security compliance standards (HIPAA, PCI-DSS, etc.) often reference CVSS scores when defining vulnerability management expectations.

Risk assessment: CVSS scores are incorporated into broader risk assessment frameworks alongside factors like asset criticality, threat intelligence, and organizational risk tolerance.

Limitations of CVSS

While valuable, CVSS has limitations:

Doesn't account for business context: A low severity vulnerability in a critical system might warrant more urgent attention than a high severity vulnerability in a non-critical system. CVSS alone doesn't capture this context.

Static assessment: CVSS base scores don't change as threats evolve. A vulnerability disclosed years ago and widely exploited might have a similar base score to a freshly disclosed vulnerability with no known exploits.

Complexity in scoring: Determining appropriate metric values requires expertise. Different assessors might score the same vulnerability differently.

Doesn't address exploit availability: While CVSS includes temporal metrics for this, many organizations rely only on base scores, missing information about whether working exploits are available.

Binary yes/no for impact: CVSS metrics are typically binary (e.g., "local" vs. "network"), but real-world exploitation often falls on a spectrum.

Using CVSS Effectively

To maximize CVSS utility:

  1. Use CVSS alongside other factors: Combine CVSS scores with asset criticality, threat intelligence, and business impact assessment.

  2. Review temporal metrics: Don't rely only on base scores. Check whether exploits are available or patches exist.

  3. Understand the metrics: Learn what each metric means. A 7.0 driven by a local attack vector differs from a 7.0 driven by a network attack vector.

  4. Stay informed on scoring changes: CVSS scoring can change if more information becomes available about a vulnerability.

  5. Document your vulnerability prioritization approach: Define how you'll use CVSS scores in your organization's vulnerability management process.

Conclusion

CVSS is a standardized, scientific approach to vulnerability severity assessment. By scoring vulnerabilities on eight base metrics (attack vector, attack complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, availability impact), CVSS enables organizations to consistently prioritize remediation efforts. While CVSS doesn't capture all factors that influence vulnerability impact, it provides a valuable, widely-understood common language for discussing vulnerability severity that helps drive efficient, prioritized vulnerability management across organizations.
