What is the Common Vulnerability Scoring System (CVSS)?
The Common Vulnerability Scoring System (CVSS) was first created in 2005 to provide an open standard for rating the severity of vulnerabilities. Its development was led by the Forum of Incident Response and Security Teams (FIRST).
The second version of CVSS was released in 2007, and further development resulted in CVSS version 3 being released in 2015, followed by version 3.1 in 2019.
CVSS scores vulnerabilities on a scale from 0.0 to 10.0, with 10.0 being the most critical. The qualitative severity bands are:
- 0.0 = None
- 0.1 - 3.9 = Low severity
- 4.0 - 6.9 = Medium severity
- 7.0 - 8.9 = High severity
- 9.0 - 10.0 = Critical severity
The CVSS metrics are organized into three metric groups: the base group, the temporal group, and the environmental group.
- Base Group: Represents the intrinsic properties of the vulnerability, including exploitability metrics and impact metrics.
- Temporal Group: Describes the characteristics of the vulnerability that may change over time.
- Environmental Group: Considers the characteristics of the vulnerability that may change based on the environment in which it is being assessed.
In most cases, only the base score is published in public databases; the temporal and environmental scores can be supplemented using information about your specific environment.
For example, the Heartbleed vulnerability has a base score of 7.5 out of 10, with an impact sub-score of 3.6 and an exploitability sub-score of 3.9. The base score does not take specific configurations or deployments into consideration, and those factors can change the effective severity considerably.
When analyzing and prioritizing vulnerabilities in your own products, an understanding of CVSS is a valuable tool for assessing the severity and potential impact of each finding. With this basic understanding of CVSS, you can use it to analyze and prioritize the vulnerabilities in your own products.
The Components of CVSS and How They Work
The Common Vulnerability Scoring System (CVSS) is a framework used to assess the severity of vulnerabilities. It consists of several components that work together to provide a comprehensive rating of the potential impact of a vulnerability.
- Base Group: This group represents the intrinsic properties of the vulnerability, including exploitability and impact metrics. Exploitability metrics describe how difficult it is for an attacker to take advantage of the vulnerability, while impact metrics describe the consequences of a successful attack.
- Temporal Group: This group includes metrics that may change over time, such as the availability of a patch or the prevalence of exploits in the wild.
- Environmental Group: This group allows organizations to customize the score based on their specific environment, taking into account factors such as network architecture and security controls.
"CVSS provides a standardized method for rating vulnerabilities, allowing organizations to prioritize their response based on the potential impact."
When assessing a vulnerability using CVSS, the base group is typically the most relevant. However, organizations can also consider the temporal and environmental scores to tailor the rating to their specific circumstances. For example, the base score may be supplemented with additional information about patch availability or the presence of mitigating controls.
By understanding the different components of CVSS and how they work together, organizations can effectively analyze and prioritize vulnerabilities in their products and systems, ultimately enhancing their overall security posture.
You can experiment with building your own CVSS vector and score using FIRST's CVSS Calculator.
Applying CVSS in a Practical Example: Heartbleed Vulnerability
When analyzing the Heartbleed vulnerability using CVSS, we find that its base score is 7.5 out of 10. This score is calculated from the exploitability and impact metrics: the impact sub-score for Heartbleed is 3.6, and the exploitability sub-score is 3.9.
It's important to note that while the base score is the one published with a CVSS vector, the temporal and environmental scores have to be calculated yourself from information about your specific environment.
Now, let's delve into the specific application of CVSS in the case of Heartbleed:
- Exploitability Metrics: These metrics describe how difficult it is for a potential attacker to take advantage of the vulnerability. In the case of Heartbleed, the vulnerability is remotely exploitable, so the Attack Vector is Network. The Attack Complexity is Low, and the attacker requires no privileges on the target before the attack (Privileges Required: None).
- Impact Metrics: These metrics describe the consequences of a successful attack or exploit. For Heartbleed, the Confidentiality impact is High, as the vulnerability allows an attacker to read potentially sensitive memory contents. However, the vulnerability does not affect Integrity or Availability, so both are rated None.
So, in a practical example like Heartbleed, CVSS provides a structured and standardized approach to assessing the severity of a vulnerability. By understanding the individual metrics and their implications, organizations can effectively analyze and prioritize vulnerabilities in their products.