Common Vulnerability Scoring System (CVSS)

CVSS is an open framework maintained by the Forum of Incident Response and Security Teams (FIRST). It is used to rate the severity of security vulnerabilities in computer systems.

CVSS expresses the severity of a vulnerability as a numerical score from 0 to 10. The score is calculated from a set of metrics that assess the exploitability and the impact of the vulnerability.

CVSS consists of the following metric groups:

Base Score: This represents the intrinsic qualities of a vulnerability. It includes metrics such as the attack vector, attack complexity, privileges required, user interaction, and the scope of the impact.

Temporal Score: This reflects characteristics of a vulnerability that change over time. It includes metrics such as exploitability, remediation level, and report confidence.

Environmental Score: This considers the impact of a vulnerability in a specific environment. It includes metrics related to the confidentiality, integrity, and availability impacts on the affected system.

The combination of these three scores provides a comprehensive assessment of the overall severity of a vulnerability.

The official CVSS score calculator is available here:

https://www.first.org/cvss/calculator/3.0

CVSS Versions:

  • CVSS v1
  • CVSS v2
  • CVSS 3.0
  • CVSS 3.1
  • CVSS 4.0 (Latest)

The latest version, CVSS 4.0, was officially released in November 2023.

What’s new in CVSS v4?

  1. User Interaction – The options have been expanded from Required/None to Active/Passive/None.
  2. Attack Requirements – A new base metric that takes the value “Present” if a pre-attack configuration or deployment condition is needed for successful exploitation.
  3. Scope → Vulnerable System and Subsequent System – The “Scope” metric from CVSS v3.1 was retired in v4. Instead, new metrics were added to indicate the possible impact scope of exploitation: Vulnerable System Confidentiality (VC), Integrity (VI), Availability (VA) and Subsequent System(s) Confidentiality (SC), Integrity (SI), Availability (SA).
  4. Temporal Score → Threat Metrics – The temporal score in v3 produced the same score in most cases (official fix, confirmed confidence). The new Threat metric group in v4 includes only exploit maturity in the wild, with the values Attacked / POC / Unreported (no intelligence on whether in-the-wild exploitation exists) / Not Defined (clear intelligence that no exploitation was found in the wild).
  5. Supplemental Metrics – These metrics are new in v4 and provide the ability to define new metrics that describe and measure additional external attributes of a vulnerability. Organizations can use these metrics to take additional actions if they choose, where the attributes appear significant in their environment. All Supplemental Metrics are optional.
  6. More granularity in the environmental and modifiable parameters – This gives organizations more options to adjust scores to their needs and internal priorities. The Safety metric in the Environmental metric group can serve OT/ICS/IoT.
  7. New nomenclature – In view of the new metric categories, the following abbreviations have been introduced:

  • CVSS-B: CVSS Base Score
  • CVSS-BT: CVSS Base + Threat Score
  • CVSS-BE: CVSS Base + Environmental Score
  • CVSS-BTE: CVSS Base + Threat + Environmental Score


More articles by Dinesh kumar, CISSP CISM