Continuing the exploration of CVSS from Part 1: CVSS Demystified: Part 1
Let’s take a look at the base metrics.
There are eight base metrics. Let’s deep dive into each one.
1. Attack Vector (AV)
This metric reflects the context in which the vulnerability can be exploited.
If the vulnerability can be exploited in more than one context, choose the most “remote” one (which consequently yields the highest base score).
2. Attack Complexity (AC)
Attack Complexity describes whether specific conditions must exist for the attacker to exploit the vulnerability.
3. Privileges Required (PR)
This metric indicates the privileges/permissions/entitlements/authorization level the attacker requires to launch the attack. If the attack can be launched at multiple entitlement levels, choose the one that requires the least privileges (which consequently yields the highest base score).
4. User Interaction (UI)
This metric captures whether successful exploitation requires a user of the vulnerable system, other than the attacker, to perform an action.
5. Scope (S)
Determining the Scope requires us to define:
- the Vulnerable Component: the component that contains the vulnerability
- the Impacted Component: the component that suffers the impact of the attack
Scope then captures whether the impacted component differs from the vulnerable component. Privilege escalation is a clear case of changed scope, as is exploiting a vulnerability in a web page to affect the backend database.
6. Confidentiality Impact (C)
This metric measures the level of data leakage from the exploited system.
7. Integrity Impact (I)
This metric measures the impact on data trustworthiness and veracity following a successful attack.
8. Availability Impact (A)
This metric measures the loss of availability of the impacted system and component (rather than impact to the data, as in the previous two metrics).