Common Vulnerability Scoring System
1. Introduction
This article presents an open framework for scoring IT vulnerabilities— the Common Vulnerability Scoring System (CVSS) Version 2.0. It introduces metric groups, describes base metrics, vector, and scoring. Finally, an example is provided to understand how it works in practice.
Learn Vulnerability Management
2. Metric groups
There are three metric groups:
I. Base (used to describe the fundamental information about the vulnerability—its exploitability and impact).
II. Temporal (time is taken into account when severity of the vulnerability is assessed; for example, the severity decreases when the official patch is available).
This article is focused on base metrics. Please read A Complete Guide to the Common Vulnerability Scoring System Version 2.0 if you are interested in temporal and environmental metrics [1].
3. Base metrics
There are exploitability and impact metrics:
I. Exploitability
a) Access Vector (AV) describes how the vulnerability is exploited:
- Local (L)—exploited only locally
- Adjacent Network (A)—adjacent network access is required to exploit the vulnerability
The more remote the attack, the more severe the vulnerability.
b) Access Complexity (AC) describes how complex the attack is:
- High (H)—a series of steps needed to exploit the vulnerability
- Medium (M)—neither complicated nor easily exploitable
The lower the access complexity, the more severe the vulnerability.
c) Authentication (Au) describes the authentication needed to exploit the vulnerability:
- Multiple (M)—the attacker needs to authenticate at least two times
- Single (S)—one-time authentication
The lower the number of authentication instances, the more severe the vulnerability.
II. Impact
a) Confidentiality (C) describes the impact of the vulnerability on the confidentiality of the system:
- None (N)—no impact
- Partial (P)—data can be partially read
The more affected the confidentiality of the system is, the more severe the vulnerability.
+b) Integrity (I) describes an impact of the vulnerability on integrity of the system:
- None (N)—no impact
- Partial (P)—data can be partially modified
The more affected the integrity of the system is, the more severe the vulnerability.
c) Availability (A) describes an impact of the vulnerability on availability of the system:
- None (N)—no impact
- Partial (P)—interruptions in system's availability or reduced performance
The more affected availability of the system is, the more severe the vulnerability.
Please note the abbreviated metric names and values in parentheses. They are used in base vector description of the vulnerability (explained in the next section).
4. Base vector
Let's discuss the base vector. It is presented in the following form:
AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]
This is an abbreviated description of the vulnerability that brings information about its base metrics together with metric values. The brackets include possible metric values for given base metrics. The evaluator chooses one metric value for every base metric.
5. Scoring
The formulas for base score, exploitability, and impact subscores are given in A complete Guide to the Common Vulnerability Scoring System Version 2.0 [1]. However, there in no need to do the calculations manually. There is a Common Vulnerability Scoring System Version 2 Calculator available [2]. The only thing the evaluator has to do is assign metric values to metric names.
6. Severity level
The base score is dependent on exploitability and impact subscores; it ranges from 0 to 10, where 10 means the highest severity. However, CVSS v2 doesn't transform the score into a severity level. One can use, for example, the FortiGuard severity level to obtain this information [3]:
7. Putting all pieces together
An exemplary vulnerability in web application is provided to better understand how Common Vulnerability Scoring System Version 2.0 works in practice. Please keep in mind that this framework is not limited to web application vulnerabilities.
Cross-site request forgery in admin panel allows adding a new user and deleting an existing user or all users.
Let's analyze first the base metrics together with the resulting base vector:
Access Vector (AV): Network (N)
Access Complexity (AC): Medium (M)
Confidentiality (C): None (N)
Integrity (I): Partial (P)
Base vector: (AV:N/AC:M/Au:N/C:N/I:P/A:C)
Explanation: The admin has to visit the attacker's website for the vulnerability to be exploited. That's why the access complexity is medium. The website of the attacker is somewhere on the Internet. Thus the access vector is network. No authentication is required to exploit this vulnerability (the admin only has to visit the attacker's website). The attacker can delete all users, making the system unavailable for them. That's why the impact of the vulnerability on the system's availability is complete. Deleting all users doesn't delete all data in the system. Thus the impact on integrity is partial. Finally, there is no impact on the confidentiality of the system provided that added user doesn't have read permissions on default.
Let's use the Common Vulnerability Scoring System Version 2 Calculator to obtain the subscores (exploitability and impact) and base score [2]:
Exploitability subscore: 8.6
Impact subscore: 7.8
Let's transform the score into a severity level according to FortiGuard severity levels [3]:
FortiGuard severity level: High
8. Summary
This article described an open framework for scoring IT vulnerabilities—Common Vulnerability Scoring System (CVSS) Version 2.0. Base metrics, vector and scoring were presented. An exemplary way of transforming CVSS v2 scores into severity levels was described (FortiGuard severity levels). Finally, an example was discussed to see how all these pieces work in practice.
References
[1] A Complete Guide to the Common Vulnerability Scoring System Version 2.0
http://www.first.org/cvss/cvss-guide.html (access date: 8 July 2013)
[2] Common Vulnerability Scoring System Version 2 Calculator
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 (access date: 8 July 2013)
[3] FortiGuard Severity Levels
Learn Vulnerability Management
http://www.fortiguard.com/static/intrusion/severity.html (access date: 8 July 2013)
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- Common Vulnerability Scoring System
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
