CVSS Demystified: Part 2: Base Metrics

Continuing exploration of the CvSS, from Part 1: CVSS Demystified: Part 1
Let’s take a look at the base metrics.

There are eight base metrics. Let’s deep dive into each one.

  1. Attack Vector (AV)

This metric reflects the context of the possible exploitation of the vulnerability.

CVSS v3.1 Base Metric - Attack Vector

If an attack can manifest in more than one context, choose the value which is most “remote” (and consequently the highest base score).

2. Attack Complexity (AC)

Attack Complexity describes the existence of specific conditions for the attacker to exploit the vulnerability.

CVSS v3.1 Base Metric - Attack Complexity

3. Privileges Required (PR)

This metric indicates the privileges/permissions/entitlements/authorization level the attacker requires to launch the attack. If an attack can be launched at multiple entitlement levels, choose the one that requires the least privileges (and consequently the highest base score)

CVSS v3.1 Base Metric - Privileges Requied

4. User Interaction (UI)

This metric captures if, for successful exploitation, the attacker needs another user of the vulnerable system to perform an action.

CVSS v3.1 Base Metrics - User Interaction

5. Scope (S)

Determining the Scope requires us to define:

  • the Vulnerable Component: this is the component with vulnerability
  • the Impacted Component: this is the component that suffers the impact of the attack

Scope then captures if the component impacted is different from the component that is vulnerable. Privilege Escalation is a clear case of changed scope. Or exploiting a vulnerability on a web page to affect the backend database.

CVSSv3.1 Base Metrics - Scope

6. Confidentiality Impact (C)

This metric measures the level of data leakage from the system that was exploited.

CVSS v3.1 Base Metrics - Confidentiality Impact

7. Integrity Impact (I)

This metric measures the impact to data trustworthiness and veracity, following a successful attack.

CVSSv3.1 Base Metrics - Integrity Impact

8. Availability Impact (A)

This metric measures the loss of availability to the impacted system and component (and not just impact to the data, as the previous two metrics).

CVSS v3.1 Base Metrics - Availability Impact