Attack Vector:
This metric indicates how "close" the attacker needs to be to the target component. Is physical access required, or is the vulnerability exploitable over the network? The score increases with increasing "distance".
The CVSS (Common Vulnerability Scoring System) describes the severity of vulnerabilities using defined metrics (e.g. attack vector, attack complexity) and classifies them using a point system from 0 to 10.
One of the strengths of the CVSS is that it establishes an IT-wide standard for conveying and passing on important information about vulnerabilities between different companies or within a company. The calculation formula and the basis of the CVSS are publicly available, which means that anyone can understand and cross-check an assessment. Finally, the three-part structure of its assessment (base, temporal and environmental scores) gives the CVSS a way to prioritize the vulnerabilities that exist in one's own company.
The Common Vulnerability Scoring System was established in 2005 by the National Infrastructure Advisory Council (NIAC) working group, which is under the US Department of Homeland Security. Today, the Forum of Incident Response and Security Teams (FIRST) is responsible for the further development of the CVSS standard.
Companies and organizations such as Cisco, Microsoft, IBM, Apple and CERT (Computer Emergency Response Team) are involved in its further development.
The CVSS is structured as a set of metrics with a point system in which the so-called CVSS score is rated uniformly in the range 0.0 - 10.0 (low to critical). Version 3.1 (as of 20 July 2020) of the CVSS is currently available.
The CVSS scoring system can be broken down into three main categories: the Base Score, the Temporal Score and the Environmental Score.
The most important aspect of these categories is the set of metrics by which a vulnerability is rated. These metrics can only be assessed consistently because each group has defined values and rules for assigning them.
Attack Complexity:
Describes whether and which conditions, over which the attacker has no influence, must exist for the vulnerability to be exploited. A value of "low" means that no special conditions or preparatory work need to be fulfilled.
User Interaction:
Does a user need to be induced to perform certain actions for the attack to succeed? For example, if a user must first click a link in a phishing mail or provide input in the context of the vulnerability, the value is set to "required".
Scope:
This metric describes whether the effects of the attack are limited to the vulnerable component or whether other components could also be compromised.
Confidentiality:
This metric shows how severely an attack affects confidentiality, i.e. how much access to information is gained by exploiting the vulnerability. For example, an administrator's password might be obtained.
Integrity:
Similarly, this metric describes the impact on data integrity. For example, if an attacker can change all files on the file server as a result of the exploit, the integrity of the data is completely lost and the impact must accordingly be set to "high".
Availability:
Describes the degree of loss of availability of a resource or service due to the vulnerability, i.e. whether it becomes impossible to work with it in the short, medium or long term.
| Protection goal | Definition | Example |
|---|---|---|
| Confidentiality | Protection of information from unauthorized disclosure | Attacker Chuck cannot see the confidential information that Alice transmits to Bob |
| Availability | Ensuring the accessibility and usability of information for authorized entities | Relevant information is permanently accessible and usable for Alice |
| Integrity | Protection of information from modification, insertion, deletion, rearrangement, duplication or re-entry | Attacker Chuck cannot manipulate the information that Alice transmits to Bob without being noticed |
The Temporal Score of the CVSS is intended to give a rough idea of how likely it is that a vulnerability will be exploited in the wild, how reliably the vulnerability can be confirmed, and what countermeasures are available:
Exploit Code Maturity:
This metric shows how likely it is that the vulnerability will be exploited, depending on the availability of exploit code in the wild. Is the code that has been found a proof of concept or already a complete exploit kit?
Remediation Level:
This metric represents the quality and simplicity of the available countermeasures, such as a workaround or a vendor patch.
The CVSS Environmental Score is calculated from two categories:
The Security Requirements subscore, which weights the three impact metrics (confidentiality, integrity and availability) according to the needs of a specific environment (e.g. a company or a department), and the Modified Base Score, in which the base metrics are re-evaluated for that environment.
By default, the Environmental metrics are left undefined, because they are specific to the organization: they factor the organization's own circumstances and requirements into the impact of a vulnerability.
| Severity | Base score range |
|---|---|
| Low | 0.0 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 10.0 |

| Severity | Base score range |
|---|---|
| None | 0.0 |
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |