CVSS Demystified: Part 1


CVSS v3.1 Framework

What is CVSS?

CVSS, or the Common Vulnerability Scoring System, is a vendor-agnostic open industry standard that indicates the severity (not the risk) of a vulnerability. It is maintained by FIRST – the Forum of Incident Response and Security Teams.

Why is it needed?

Knowing the severity of a vulnerability helps in quantifying the urgency of the response required and the priority for its remediation. This makes CVSS an integral part of vulnerability management, threat assessments, and incident response.

What are the Metrics of the CVSS Framework?

The CVSS has three metric buckets:

  • The Base Metric
  • The Temporal Metric
  • The Environmental Metric

What is the Base Metric?

The Base Metric measures the intrinsic characteristics of a vulnerability. These remain constant over time and assume the worst-case impact.

There are eight of them in CVSS 3.1: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, and Availability.

What is the Temporal Metric?

The Temporal Metric measures the current state of the vulnerability, and this score changes over the lifetime of the vulnerability. This metric takes into account exploit techniques, the availability of exploit code, the existence of patches or workarounds, and the confidence one has in the existing description of the vulnerability.

There are three of them in CVSS 3.1: Exploit Code Maturity, Remediation Level, and Report Confidence.

What is the Environmental Metric?

The Environmental Metric allows a security analyst to consider the context of their own environment while determining the impact of the vulnerability. Further, following a fix/workaround, the analyst can recalculate the severity of the vulnerability by modifying the original base metric characteristics.

There are eleven factors that make up this metric. Three of them help determine the severity of the vulnerability to your specific use case: Confidentiality Requirement, Integrity Requirement, and Availability Requirement.

The remaining eight help in re-calculating the score following remediation: Modified Attack Vector, Modified Attack Complexity, Modified Privileges Required, Modified User Interaction, Modified Scope, Modified Confidentiality, Modified Integrity, and Modified Availability.

What are the CVSS score ranges?

Figure: CVSS v3.1 Score Range

Where can I calculate the CVSS score of a vulnerability?

First.org hosts the calculator for CVSS 3.1 here: https://www.first.org/cvss/calculator/3.1