How to use CVSS 3.1?

Common Vulnerability Scoring System(CVSS) is a numerical representation of the severity of a software vulnerability on a scale of 0-10. The final CVSS score is determined by the sub-categories from the 8 categories of options. This is a simplified version of the specification document by FirstOrg.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

NetworkRemotely Exploitable via the Internet.
AdjacentAttack via same shared physical or logical network. Example: Wi-Fi, Local IP subnet, Bluetooth
LocalLocal access to system via keyboard, console or remotely like SSH or relies on user interaction such as Social Engineering.
PhysicalRequires physical interaction with the vulnerable component.

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

LowThe exploit do not rely on special conditions or configurations on a target environment.
HighA successful attack depends on conditions beyond the attacker’s control. Example: knowledge on target environment and configuration is required, mitigation techniques should be bypassed

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

NoneAttacker is an unauthenticated/unauthorized user.
LowAttacker is an authenticated/authorized with low level privileges.
HighAttacker is an authenticated/authorized with highest level of privileges. Example: administrator

User Interaction

This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. Here, user is a target or an authorized personnel associated with a target.

NoneThe vulnerable system can be exploited without interaction from any user.
Required Requires a user to take some action before the vulnerability can be exploited. Example: opening a link or a file

Scope

This metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

ChangedAn exploited vulnerability can only affect resources managed by the same security authority. Example: HTML Injection (the code runs in the context of the web application)
UnchangedAn exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. Example: Remote Command Execution on a web application (the command is executed on the web server)

Confidentiality

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

HighTotal loss of confidentiality. Example: plain-text password
LowSome loss of confidentiality. Example: hashed password
NoneNo loss of confidentiality.

Integrity

This metric measures the impact to integrity (trustworthiness and veracity of information) of a successfully exploited vulnerability.

HighTotal loss of integrity. Example: all files can be modified
LowSome loss of integrity. Example: limited modification of files
NoneNo loss of integrity.

Availability

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

HighTotal loss of availability. Example: permanent service interruption (repeated exploitation do not count as High)
LowSome loss of availability. Example: temporary service interruption
NoneNo loss of availability.

Lastly, CVSS score is always debatable and different in different people’s mind.

References:

https://www.first.org/cvss/specification-document

Leave a Reply

Your email address will not be published.