CVSS Scores Explained
Welcome to a short guide on CVSS scores and how they work. A quick note: the math behind CVSS scores isn't super important, but understanding what the metrics are and how they interact with each other is.
There are three different types of CVSS:
- Base CVSS Score: This score is based on 8 key metrics that do not change. It is typically what you would see listed on a major CVSS website.
- Temporal CVSS Score: This score builds off of the base score but adds metrics that change over time. The score reflects the current state of the vulnerability in the wild. It changes!
- Environmental CVSS Score: How the vulnerability affects and is affected by the surrounding environment. It is a modification of both the base score and the temporal score.
Base Score

Exploitability
The exploitability metric is made up of the Attack Vector, Attack Complexity, Privileges Required, and User Interaction metrics.
Attack Vector
- Physical - The attacker must have physical access to the device
- Local - The attacker must have at least logical access to the device. It can also mean that they have access to the local network or an adjacent network
- Network - The vulnerability is remotely exploitable over the network.
Attack Complexity (High is bad)
- High
- Low
Privileges Required (Low is worse)
- High - attacker needs admin/root privileges
- Low - attacker needs basic privileges
- None - attacker needs no privileges
User Interaction
Does the attacker need some user to take a particular action (e.g. open a file)?
- Required
- None
Impact Metric
The impact metric looks at what a vulnerability impacts. It uses the CIA Triad to measure it (Confidentiality, Integrity, Availability).
Confidentiality
- None - no impact
- Partial - access to some, but not all data
- Complete - access to all data on system
Integrity
- None - no impact
- Partial - attacker can modify some information or all information in a limited way
- Complete - attacker can modify all information at will
Availability
- None - no impact
- Partial - some degradation of performance
- Complete - total loss of performance/uptime/shut down system
Scope (Unchanged is good)
Whether a vulnerability can affect systems outside of that which is immediately exploited.
- Changed - can affect systems beyond the scope of the vulnerability
- Unchanged - only affects resources managed by the security profile exploited
Temporal Metrics
These are time-dependent metrics that change regularly. They build off of the Base Score and act as modifiers to it. It is important to note that they can only lower the base score, never raise it. The base score assumes that all temporal metrics are at their worst if they aren't defined.

Exploit Code Maturity
Is the code actually being exploited?
- Unproven - The exploit is purely theoretical and has not been proven to work.
- Proof-of-concept - Someone has proven that it can work, but it has not been seen in the wild.
- Functional - Working exploit code exists, so exploiting the vulnerability is very possible.
- High - Exploitation is very, very possible (easy and reliable) or is actively happening.
- Not defined - Not enough information to make a decision
Remediation Level
How easy is it to fix it?
- Official Fix - Official fix offered by the vendor
- Temporary fix - Temporary fix, once again offered by the vendor
- Workaround - A way to remediate the issue by a 3rd party but not the vendor
- Unavailable - Need I explain?
- Not Defined - Not enough information out to make a decision
Report Confidence
How confident are you that you know what is actually causing the issue?
- Unknown - There seems to be a vulnerability, but it is not clear why or where it exists.
- Reasonable - There are some details regarding why the issue arises, but there is still much unknown.
- Confirmed - You know all the details.
- Not Defined - Not enough information out to make a decision
Environmental Metrics
Environmental metrics are basically a Base Score that is modified to fit a company or organization's environment. There might be certain base metrics that just don't matter for them. For example, if they know a device only allows high-privilege access, they can change the "Privileges Required" metric to "High". Environmental metrics also add the "Not Defined" option.

Environmental Metrics: Requirements
Another thing Environmental Metrics add are "requirements". These are modifiers that adjust the CIA Triad metrics in the Base Score. They basically communicate how important each of the CIA Triad components is for the data or systems being protected. For example, if the data is already publicly available, it wouldn't be important to keep it confidential.

Note that "medium" and "not defined" default to whatever the Base Score is.
Sources
https://www.youtube.com/watch?v=x3wAINJF7UE
https://www.balbix.com/insights/temporal-cvss-scores/