The Common Vulnerability Scoring System (CVSS) is a standardized method of assessing the severity of a vulnerability based on a formula with multiple metrics that approximate the ease of exploitation and impact of an exploit. Scores range from 0 to 10, with 10 being the most severe.
Throughout Nodeware, the CVSS score is shown in the pill design above, where 9.8 is the calculated CVSS score and Critical is the severity level. Severity levels are described in more detail later in this article.
In the single asset view, the findings are initially sorted by the CVSS score, with the highest severity vulnerabilities at the top.
CVSS Severity Levels
There are five severity levels in CVSS, and they include the following ranges:
CVSS Metrics
The CVSS formula includes multiple metrics, and these have been updated with each version. The current CVSS version is 4.0, released in November 2023. Nodeware uses and displays the latest version available for each vulnerability; the example below uses CVSS v3.1.
Below is a breakdown of the above metrics and their factors. The ratings are listed in order from lowest to highest severity.
Exploitability Metrics
- Attack Vector (AV) - the level of access an attacker needs to the target asset: whether physical access is required, or whether the exploit can be executed remotely across a network. Rated Physical, Local, Adjacent, Network
- Attack Complexity (AC) - how difficult the potential exploitation is: whether it requires a number of other factors to line up, or additional information about the asset or the environment. Rated Low or High
- Privileges Required (PR) - whether the attacker needs to be authenticated, and whether a higher-privileged user (Administrator, root) is required. Rated High, Low, None
- User Interaction (UI) - whether the attacker needs an action from a user, such as opening an attachment or installing a malicious application. Rated Required, None
Impact Score
- Confidentiality (C) - whether a successful exploit results in the disclosure of information, and whether that disclosure is limited to a subset of data or unlimited in scope. Rated None, Partial, Complete
- Integrity (I) - whether system data or files can be modified, and to what extent. Rated None, Partial, Complete
- Availability (A) - whether exploiting this vulnerability affects the availability of the system for other processes and users. Rated None, Partial, Complete
Scope
- Does the vulnerable component allow an attacker to affect a different component? For example, a SQL injection vulnerability in a browser-based application could affect the database server. If yes, the scope is considered "Changed". Rated Unchanged, Changed
For more information about the CVSS specification, visit FIRST.org.