What is the CVSS?
The Common Vulnerability Scoring System (CVSS) is an open framework designed to represent the attributes and severity of software vulnerabilities in numerical scores ranging from 0 to 10, 10 being the most severe. CVSS scores are used by public and private organizations across the world to prioritize, manage, mitigate and patch vulnerabilities as they are published.
Evolving Vulnerability Assessment Needs
Over the past several years, as computing environments have evolved and become more complex, there has been a shift towards greater customization and user environment-specific risk assessment. This has necessitated changes in CVSS to allow for organizations using a wider set of risk factors (and organizational attributes) to make more accurate assessments of risk from specific vulnerabilities.
Beyond CVSS scores, businesses and public institutions may use risk assessment factors such as regulatory requirements, number of customers affected by specific vulnerabilities, the monetary impact of a potential breach, threats to human life, or the loss of reputation that could occur if a vulnerability were to be exploited.
Version 4.0 of CVSS
Version 4.0 of CVSS, published on November 1, 2023, introduces finer granularity into the system, enabling CVSS users to assess risk based on a wider set of factors – many of which are specific to the user environment. The revised version is also easier to understand with specific nomenclature changes, some new and some updated metrics, and improved scoring.
CVSS is owned and maintained by the Forum of Incident Response and Security Teams (FIRST) – a nonprofit organization created with the mission of helping computer security incident response teams across the world.
CVSS v4.0 Metric Groups
CVSS includes four metric groups: Base, Threat, Environmental, and Supplemental.
Base Metrics
Base metrics represent “the intrinsic qualities of a vulnerability that are constant over time and across user environments.” There are two types of Base metrics: Exploitability metrics and Impact metrics.
Exploitability Metrics
The Exploitability metrics convey the level of skill, technical knowhow and means needed to exploit a vulnerability. Specifically, these metrics delineate features of the “vulnerable system,” and include:
- Attack vector
- Attack complexity
- Attack requirements
- Privileges required
- User interaction
The “Attack Requirements” metric is new and denotes the system conditions that need to be met for the attack to happen. This was introduced to address the inadequacy of the “Attack Complexity” metric whose “high” and “low” values didn’t provide enough information about prerequisites.
The “User Interaction” metric has been updated and its possible values can now be either “Passive” or “Active”. In version 3.1, User Interaction could be either “None” or “Present”.
The “Scope” metric that existed in version 3.1 has been retired because it wasn’t clear and caused scoring inconsistencies.
Impact Metrics
The Impact metrics signify the immediate aftermath and repercussions of a successful exploit including the effects on the vulnerable system and/or the subsequent impact on “subsequent system (s)”. The metrics use the CIA triad to assess how the vulnerability impacts the Confidentiality, Availability and Integrity of the vulnerable system (application, Operating System, module, etc) and subsequent systems.
Threat Metrics
Threat metrics (earlier known as “Temporal” metrics) reflect the evolving traits of a vulnerability, including factors like the presence of proof-of-concept code or ongoing exploitation. A confirmation that the vulnerability remains unexploited and lacks publicly available proof-of-concept exploit code or instructions will result in a lower CVSS score. The “Exploit Code Maturity” metric under this group has been renamed “Exploit Maturity”.
Environmental Metrics
Environmental metrics capture the aspects of a vulnerability that are specific to a user’s environment, such as the presence of mitigations and how critical the vulnerable system is.
Supplemental Metrics (introduced in version 4.0)
Supplemental metrics have been added in version 4.0 to provide additional context to the characteristics of a vulnerability and include Safety, Automatability, Provider Urgency, Ease of Recovery, Value Density, and Response Effort.
The response to these metrics is left to the discretion of the CVSS consumer, enabling the use of an end-user risk analysis system to determine severity. These metrics are optional to use and do not affect the overall CVSS score.
Enumeration of Metrics (new nomenclature)
Before version 4.0, the scores users typically saw in vulnerability databases such as the National Vulnerability Database (NVD) were based on the Base Metrics alone. While there were three groups of CVSS metrics in version 3.1, only the Base Metric scores were usually represented.
The new nomenclature introduced in version 4.0 should facilitate holistic vulnerability scoring that takes into account multiple metrics.
- Base Scores are enumerated as CVSS-B
- Base and Threat Scores as CVSS-BT, and
- Base and Environmental Scores as CVSS-BE.
- Combined Base, Threat and Environmental metrics are represented as CVSS-BTE.
“In CVSS v4.0, Base, Threat, and Environmental metric values are always considered in the calculation of the final score. The absence of explicit Threat and/or Environmental metric selections will still result in a complete score using default (“Not Defined”) values.”
To learn more, take a look at the CVSS v4.0 Specification Document here.