CVSS entry ontology

CVSS data in V2 format

CVSS data in V3 format

Severity of the vulnerability

Sources of the information (entries from external databases)

This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. For example, consider a buffer overflow in an Internet service: once the target system is located, the attacker can launch an exploit at will.

Other vulnerabilities, however, may require additional steps in order to be exploited. For example, a vulnerability in an email client is only exploited after the user downloads and opens a tainted attachment. The possible values for this metric are: HIGH, MEDIUM, LOW. The lower the required complexity, the higher the vulnerability score.

https://www.first.org/cvss/v2/guide#2-1-2-Access-Complexity-AC

This metric reflects how the vulnerability is exploited. The possible values for this metric are: LOCAL, ADJACENT NETWORK, NETWORK. The more remote an attacker can be to attack a host, the greater the vulnerability score.

https://www.first.org/cvss/v2/guide#2-1-1-Access-Vector-AV

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). If a specific configuration is required for an attack to succeed, the Base metrics should be scored assuming the vulnerable component is in that configuration. The Base Score is greatest for the least complex attacks. The list of possible values is: Low, High

https://www.first.org/cvss/v3.1/specification-document#2-1-2-Attack-Complexity-AC

This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base Score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater Base Score. The list of possible values is: Netwok, Adjacent, Local, Physical

https://www.first.org/cvss/v3.1/specification-document#2-1-1-Attack-Vector-AV

This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are: Multiple, Single, None. The fewer authentication instances that are required, the higher the vulnerability score.

https://www.first.org/cvss/v2/guide#2-1-3-Authentication-Au

A person, a group of people or an organization who authored the CVSS

A person, a group of people or an organization who authored the CVSS

A person, a group of people or an organization who authored the severity assessment

This metric measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system. The possible values for this metric are: NONE, PARTIAL, COMPLETE. Increased availability impact increases the vulnerability score.

https://www.first.org/cvss/v2/guide#2-1-6-Availability-Impact-A

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. The Base Score is greatest when the consequence to the impacted component is highest. The list of possible values is: High, Low, None

https://www.first.org/cvss/v3.1/specification-document#2-3-3-Availability-A

baseScore = round_to_1_decimal • (((0.6 • Impact) + (0.4 • Exploitability) - 1.5) • f(Impact))

https://www.first.org/cvss/v2/guide#3-2-1-Base-Equation

BaseScore =
If Impact \<= 0 0, else If Scope is Unchanged Roundup (Minimum [(Impact + Exploitability), 10]) If Scope is Changed Roundup (Minimum [1.08 • (Impact + Exploitability), 10])

https://www.first.org/cvss/v3.1/specification-document#7-1-Base-Metrics-Equations

All scores can be mapped to the qualitative ratings. None: 0.0, Low: 0.1 - 3.9, Medium: 4.0 - 6.9, High: 7.0 - 8.9, Critical: 9.0 - 10.0

https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale

This metric measures the impact on confidentiality of a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The possible values for this metric are: NONE, PARTIAL, COMPLETE. Increased confidentiality impact increases the vulnerability score.

https://www.first.org/cvss/v2/guide#2-1-4-Confidentiality-Impact-C

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The Base Score is greatest when the loss to the impacted component is highest. The list of possible values is: High, Low, None

https://www.first.org/cvss/v3.1/specification-document#2-3-1-Confidentiality-C

Name of the source database

This metric measures the current state of exploit techniques or code availability. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability.

Initially, real-world exploitation may only be theoretical. Publication of proof of concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus. The possible values for this metric are: Unprove, Proof-of-concept (POC), Functional, High, Not Definied. The more easily a vulnerability can be exploited, the higher the vulnerability score.

https://www.first.org/cvss/v2/guide#2-2-1-Exploitability-E

Exploitability = 20 • AccessVector • AccessComplexity • Authentication

https://www.first.org/cvss/v2/guide#3-2-1-Base-Equation

Identifier of the related vulnerability with given CVSS V2 in the external database

Identifier of the related vulnerability with given CVSS V3 in the external database

Identifier of the related vulnerability with a given severity in the external database

Identifier in the source database

Impact = 10.41 • (1-(1-ConfImpact) • (1-IntegImpact) • (1-AvailImpact))

https://www.first.org/cvss/v2/guide#3-2-1-Base-Equation

ISS = 1 - [ (1 - Confidentiality) • (1 - Integrity) • (1 - Availability) ] Impact =
If Scope is Unchanged 6.42 • ISS If Scope is Changed 7.52 • (ISS - 0.029) - 3.25 • (ISS - 0.02)^15

https://www.first.org/cvss/v3.1/specification-document#7-1-Base-Metrics-Equations

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and guaranteed veracity of information. The possible values for this metric are: NONE, PARTIAL, COMPLETE. Increased integrity impact increases the vulnerability score.

https://www.first.org/cvss/v2/guide#2-1-5-Integrity-Impact-I

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. The Base Score is greatest when the consequence to the impacted component is highest. The list of possible values is: High, Low, None

https://www.first.org/cvss/v3.1/specification-document#2-3-2-Integrity-I

Whether or not the vulnerability allows one to obtain all privileges

Whether or not the vulnerability allows one to obtain other privileges

Whether or not the vulnerability allows one to obtain user privileges

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. The Base Score is greatest if no privileges are required. The list of possible values is: None, Low, High

https://www.first.org/cvss/v3.1/specification-document#2-1-3-Privileges-Required-PR

The remediation level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The possible values for this metric are: OFFICIAL FIX, TEMPORARY FIX, WORKAROUND, UNAVAILABLE, NOT DEFINED. The less official and permanent a fix, the higher the vulnerability score is.

https://www.first.org/cvss/v2/guide#2-2-2-Remediation-Level-RL

This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes, only the existence of vulnerabilities are publicized, but without specific details. The vulnerability may later be corroborated and then confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The possible values for this metric are: Unconfirmed, Uncorroborated, Confirmed, Not Definied. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.

https://www.first.org/cvss/v2/guide#2-2-3-Report-Confidence-RC

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

The Base Score is greatest when a scope change occurs. The list of possible values is: Unchanged, Changed

https://www.first.org/cvss/v3.1/specification-document#2-2-Scope-S

Qualitative rating of all the scores. Can be: low, medium or high

https://nvd.nist.gov/vuln-metrics/cvss

How much CVSS V3 information can be trusted

How much severity assessment can be trusted

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The Base Score is greatest when no user interaction is required. The list of possible values is: None, Required

https://www.first.org/cvss/v3.1/specification-document#2-1-4-User-Interaction-UI

Whether or not user interaction is required

Level of the vulanerability's severity. On the scale provided by the source

Vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form.

Vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form.

CVSS version

CVSS version