CVSS entry ontology
Abstract
Attack vectors and severity assessment of the vulnerability
CVSS entry ontology: Overview
This ontology has the following classes and properties.
Classes
Object Properties
Data Properties
- access complexity
- access vector
- attack complexity
- attack vector
- authentication
- author
- author
- author
- availability impact
- availability impact
- base score
- base score
- base severity
- confidentiality impact
- confidentiality impact
- db
- exploitability
- exploitability score
- id
- id
- id
- id
- impact score
- impact score
- integrity impact
- integrity impact
- obtain all privilege
- obtain other privilege
- obtain user privilege
- privileges required
- remediation level
- report confidence
- scope
- severity
- trust
- trust
- user interaction
- user interaction required
- value
- vector string
- vector string
- version
- version
Annotation Properties
Cross-reference for CVSS entry ontology classes, object properties and data properties
This section provides details for each class and property defined by CVSS entry ontology.
Classes
cvss v2 c
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2
CVSS data in V2 format
- has super-classes
- cvss c
- is in domain of
- access complexity dp, access vector dp, authentication dp, author dp, availability impact dp, base score dp, confidentiality impact dp, exploitability dp, exploitability score dp, id dp, impact score dp, integrity impact dp, obtain all privilege dp, obtain other privilege dp, obtain user privilege dp, remediation level dp, report confidence dp, severity dp, user interaction required dp, vector string dp, version dp
cvss v3 c
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3
CVSS data in V3 format
- has super-classes
- cvss c
- is in domain of
- attack complexity dp, attack vector dp, author dp, availability impact dp, base score dp, base severity dp, confidentiality impact dp, id dp, impact score dp, integrity impact dp, privileges required dp, scope dp, trust dp, user interaction dp, vector string dp, version dp
severity c
IRI: https://www.variotdbs.pl/ref/cvss/severity
Severity of the vulnerability
sources c
IRI: https://www.variotdbs.pl/ref/sources
Sources of the information (entries from external databases)
- is in domain of
- db dp, id dp
- is in range of
- has sources op
Object Properties
has sources op
IRI: https://www.variotdbs.pl/ref/cvss#has_sources
- has range
- sources c
Data Properties
access complexity dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#accessComplexity
This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. For example, consider a buffer overflow in an Internet service: once the target system is located, the attacker can launch an exploit at will.
Other vulnerabilities, however, may require additional steps in order to be exploited. For example, a vulnerability in an email client is only exploited after the user downloads and opens a tainted attachment. The possible values for this metric are: HIGH, MEDIUM, LOW. The lower the required complexity, the higher the vulnerability score.
https://www.first.org/cvss/v2/guide#2-1-2-Access-Complexity-AC
access vector dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#accessVector
This metric reflects how the vulnerability is exploited. The possible values for this metric are: LOCAL, ADJACENT NETWORK, NETWORK. The more remote an attacker can be to attack a host, the greater the vulnerability score.
attack complexity dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#attackComplexity
This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). If a specific configuration is required for an attack to succeed, the Base metrics should be scored assuming the vulnerable component is in that configuration. The Base Score is greatest for the least complex attacks. The list of possible values is: Low, High
https://www.first.org/cvss/v3.1/specification-document#2-1-2-Attack-Complexity-AC
attack vector dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#attackVector
This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base Score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater Base Score. The list of possible values is: Network, Adjacent, Local, Physical
https://www.first.org/cvss/v3.1/specification-document#2-1-1-Attack-Vector-AV
authentication dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#authentication
This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are: Multiple, Single, None. The fewer authentication instances that are required, the higher the vulnerability score.
author dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#author
A person, a group of people or an organization who authored the CVSS
author dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#author
A person, a group of people or an organization who authored the CVSS
author dp
IRI: https://www.variotdbs.pl/ref/cvss/severity#author
A person, a group of people or an organization who authored the severity assessment
availability impact dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#availabilityImpact
This metric measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system. The possible values for this metric are: NONE, PARTIAL, COMPLETE. Increased availability impact increases the vulnerability score.
https://www.first.org/cvss/v2/guide#2-1-6-Availability-Impact-A
availability impact dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#availabilityImpact
This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. The Base Score is greatest when the consequence to the impacted component is highest. The list of possible values is: High, Low, None
https://www.first.org/cvss/v3.1/specification-document#2-3-3-Availability-A
base score dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#baseScore
BaseScore = round_to_1_decimal(((0.6 • Impact) + (0.4 • Exploitability) - 1.5) • f(Impact))
- has domain
- cvss v2 c
- has range
base score dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#baseScore
BaseScore =
If Impact <= 0: 0, else
If Scope is Unchanged: Roundup (Minimum [(Impact + Exploitability), 10])
If Scope is Changed: Roundup (Minimum [1.08 • (Impact + Exploitability), 10])
https://www.first.org/cvss/v3.1/specification-document#7-1-Base-Metrics-Equations
- has domain
- cvss v3 c
- has range
base severity dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#baseSeverity
All scores can be mapped to the qualitative ratings: None: 0.0, Low: 0.1 - 3.9, Medium: 4.0 - 6.9, High: 7.0 - 8.9, Critical: 9.0 - 10.0
https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale
confidentiality impact dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#confidentialityImpact
This metric measures the impact on confidentiality of a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The possible values for this metric are: NONE, PARTIAL, COMPLETE. Increased confidentiality impact increases the vulnerability score.
https://www.first.org/cvss/v2/guide#2-1-4-Confidentiality-Impact-C
confidentiality impact dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#confidentialityImpact
This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The Base Score is greatest when the loss to the impacted component is highest. The list of possible values is: High, Low, None
https://www.first.org/cvss/v3.1/specification-document#2-3-1-Confidentiality-C
db dp
IRI: https://www.variotdbs.pl/ref/sources#db
Name of the source database
exploitability dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#exploitability
This metric measures the current state of exploit techniques or code availability. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability.
Initially, real-world exploitation may only be theoretical. Publication of proof-of-concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus. The possible values for this metric are: Unproven, Proof-of-concept (POC), Functional, High, Not Defined. The more easily a vulnerability can be exploited, the higher the vulnerability score.
exploitability score dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#exploitabilityScore
Exploitability = 20 • AccessVector • AccessComplexity • Authentication
- has domain
- cvss v2 c
- has range
id dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#id
Identifier of the related vulnerability with given CVSS V2 in the external database
id dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#id
Identifier of the related vulnerability with given CVSS V3 in the external database
id dp
IRI: https://www.variotdbs.pl/ref/cvss/severity#id
Identifier of the related vulnerability with a given severity in the external database
id dp
IRI: https://www.variotdbs.pl/ref/sources#id
Identifier in the source database
impact score dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#impactScore
Impact = 10.41 • (1-(1-ConfImpact) • (1-IntegImpact) • (1-AvailImpact))
- has domain
- cvss v2 c
- has range
impact score dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#impactScore
ISS = 1 - [ (1 - Confidentiality) • (1 - Integrity) • (1 - Availability) ]
Impact =
If Scope is Unchanged: 6.42 • ISS
If Scope is Changed: 7.52 • (ISS - 0.029) - 3.25 • (ISS - 0.02)^15
https://www.first.org/cvss/v3.1/specification-document#7-1-Base-Metrics-Equations
- has domain
- cvss v3 c
- has range
integrity impact dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#integrityImpact
This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and guaranteed veracity of information. The possible values for this metric are: NONE, PARTIAL, COMPLETE. Increased integrity impact increases the vulnerability score.
https://www.first.org/cvss/v2/guide#2-1-5-Integrity-Impact-I
integrity impact dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#integrityImpact
This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. The Base Score is greatest when the consequence to the impacted component is highest. The list of possible values is: High, Low, None
https://www.first.org/cvss/v3.1/specification-document#2-3-2-Integrity-I
obtain all privilege dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#obtainAllPrivilege
Whether or not the vulnerability allows one to obtain all privileges
obtain other privilege dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#obtainOtherPrivilege
Whether or not the vulnerability allows one to obtain other privileges
obtain user privilege dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#obtainUserPrivilege
Whether or not the vulnerability allows one to obtain user privileges
privileges required dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#privilegesRequired
This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. The Base Score is greatest if no privileges are required. The list of possible values is: None, Low, High
https://www.first.org/cvss/v3.1/specification-document#2-1-3-Privileges-Required-PR
remediation level dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#remediationLevel
The remediation level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The possible values for this metric are: OFFICIAL FIX, TEMPORARY FIX, WORKAROUND, UNAVAILABLE, NOT DEFINED. The less official and permanent a fix, the higher the vulnerability score is.
https://www.first.org/cvss/v2/guide#2-2-2-Remediation-Level-RL
report confidence dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#reportConfidence
This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes only the existence of a vulnerability is publicized, without specific details. The vulnerability may later be corroborated and then confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The possible values for this metric are: Unconfirmed, Uncorroborated, Confirmed, Not Defined. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.
https://www.first.org/cvss/v2/guide#2-2-3-Report-Confidence-RC
scope dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#scope
The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.
The Base Score is greatest when a scope change occurs. The list of possible values is: Unchanged, Changed
https://www.first.org/cvss/v3.1/specification-document#2-2-Scope-S
severity dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#severity
Qualitative rating of the score. Possible values: low, medium or high
- has domain
- cvss v2 c
trust dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#trust
How much CVSS V3 information can be trusted
- has domain
- cvss v3 c
- has range
trust dp
IRI: https://www.variotdbs.pl/ref/cvss/severity#trust
How much severity assessment can be trusted
- has domain
- severity c
- has range
user interaction dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#userInteraction
This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The Base Score is greatest when no user interaction is required. The list of possible values is: None, Required
https://www.first.org/cvss/v3.1/specification-document#2-1-4-User-Interaction-UI
user interaction required dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#userInteractionRequired
Whether or not user interaction is required
value dp
IRI: https://www.variotdbs.pl/ref/cvss/severity#value
Level of the vulnerability's severity, on the scale provided by the source
vector string dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#vectorString
Vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form.
- has domain
- cvss v2 c
- has range
vector string dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#vectorString
Vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form.
- has domain
- cvss v3 c
- has range
version dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#version
CVSS version
version dp
IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#version
CVSS version
Annotation Properties
creator ap
IRI: http://purl.org/dc/elements/1.1/creator
description ap
IRI: http://purl.org/dc/elements/1.1/description
rights ap
IRI: http://purl.org/dc/elements/1.1/rights
source ap
IRI: http://purl.org/dc/elements/1.1/source
title ap
IRI: http://purl.org/dc/elements/1.1/title
Legend
c: Classes
op: Object Properties
dp: Data Properties
ap: Annotation Properties
Acknowledgments
The authors would like to thank Silvio Peroni for developing LODE, a Live OWL Documentation Environment, which is used for representing the Cross Referencing Section of this document and Daniel Garijo for developing Widoco, the program used to create the template used in this documentation.