CVSS entry ontology

Revision:
1.1
Authors:
https://www.en.nask.pl
License:
http://creativecommons.org/licenses/by-sa/4.0/
Cite as:
https://www.en.nask.pl. CVSS entry ontology. Revision: 1.1.
Ontology Specification Draft

Abstract

Attack vectors and severity assessment of the vulnerability

Cross-reference for CVSS entry ontology classes, object properties and data properties

This section provides details for each class and property defined by CVSS entry ontology.

Classes

cvss v2 c

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2

CVSS data in V2 format
has super-classes
cvss c
is in domain of
access complexity dp, access vector dp, authentication dp, author dp, availability impact dp, base score dp, confidentiality impact dp, exploitability dp, exploitability score dp, id dp, impact score dp, integrity impact dp, obtain all privilege dp, obtain other privilege dp, obtain user privilege dp, remediation level dp, report confidence dp, severity dp, user interaction required dp, vector string dp, version dp

cvss v3 c

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3

CVSS data in V3 format
has super-classes
cvss c
is in domain of
attack complexity dp, attack vector dp, author dp, availability impact dp, base score dp, base severity dp, confidentiality impact dp, id dp, impact score dp, integrity impact dp, privileges required dp, scope dp, trust dp, user interaction dp, vector string dp, version dp

severity c

IRI: https://www.variotdbs.pl/ref/cvss/severity

Severity of the vulnerability
has super-classes
cvss c
is in domain of
author dp, id dp, trust dp, value dp

sources c

IRI: https://www.variotdbs.pl/ref/sources

Sources of the information (entries from external databases)
is in domain of
db dp, id dp
is in range of
has sources op

Object Properties

has sources op

IRI: https://www.variotdbs.pl/ref/cvss#has_sources

has range
sources c

Data Properties

access complexity dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#accessComplexity

This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system. For example, consider a buffer overflow in an Internet service: once the target system is located, the attacker can launch an exploit at will. Other vulnerabilities, however, may require additional steps in order to be exploited. For example, a vulnerability in an email client is only exploited after the user downloads and opens a tainted attachment. The possible values for this metric are: HIGH, MEDIUM, LOW. The lower the required complexity, the higher the vulnerability score. https://www.first.org/cvss/v2/guide#2-1-2-Access-Complexity-AC
has domain
cvss v2 c
has range
string

access vector dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#accessVector

This metric reflects how the vulnerability is exploited. The possible values for this metric are: LOCAL, ADJACENT NETWORK, NETWORK. The more remote an attacker can be to attack a host, the greater the vulnerability score. https://www.first.org/cvss/v2/guide#2-1-1-Access-Vector-AV
has domain
cvss v2 c
has range
string

attack complexity dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#attackComplexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). If a specific configuration is required for an attack to succeed, the Base metrics should be scored assuming the vulnerable component is in that configuration. The Base Score is greatest for the least complex attacks. The list of possible values is: Low, High https://www.first.org/cvss/v3.1/specification-document#2-1-2-Attack-Complexity-AC
has domain
cvss v3 c
has range
string

attack vector dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#attackVector

This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base Score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater Base Score. The list of possible values is: Network, Adjacent, Local, Physical https://www.first.org/cvss/v3.1/specification-document#2-1-1-Attack-Vector-AV
has domain
cvss v3 c
has range
string

authentication dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#authentication

This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are: Multiple, Single, None. The fewer authentication instances that are required, the higher the vulnerability score. https://www.first.org/cvss/v2/guide#2-1-3-Authentication-Au
has domain
cvss v2 c
has range
string

author dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#author

A person, a group of people or an organization who authored the CVSS
has domain
cvss v2 c
has range
string

author dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#author

A person, a group of people or an organization who authored the CVSS
has domain
cvss v3 c
has range
string

author dp

IRI: https://www.variotdbs.pl/ref/cvss/severity#author

A person, a group of people or an organization who authored the severity assessment
has domain
severity c
has range
string

availability impact dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#availabilityImpact

This metric measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system. The possible values for this metric are: NONE, PARTIAL, COMPLETE. Increased availability impact increases the vulnerability score. https://www.first.org/cvss/v2/guide#2-1-6-Availability-Impact-A
has domain
cvss v2 c
has range
string

availability impact dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#availabilityImpact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. The Base Score is greatest when the consequence to the impacted component is highest. The list of possible values is: High, Low, None https://www.first.org/cvss/v3.1/specification-document#2-3-3-Availability-A
has domain
cvss v3 c
has range
string

base score dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#baseScore

baseScore = round_to_1_decimal(((0.6 • Impact) + (0.4 • Exploitability) - 1.5) • f(Impact)) https://www.first.org/cvss/v2/guide#3-2-1-Base-Equation
has domain
cvss v2 c
has range

base score dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#baseScore

BaseScore = 0 if Impact <= 0; otherwise Roundup(Minimum[(Impact + Exploitability), 10]) if Scope is Unchanged, or Roundup(Minimum[1.08 • (Impact + Exploitability), 10]) if Scope is Changed. https://www.first.org/cvss/v3.1/specification-document#7-1-Base-Metrics-Equations
has domain
cvss v3 c
has range

base severity dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#baseSeverity

All scores can be mapped to the qualitative ratings. None: 0.0, Low: 0.1 - 3.9, Medium: 4.0 - 6.9, High: 7.0 - 8.9, Critical: 9.0 - 10.0 https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale
has domain
cvss v3 c
has range
string

confidentiality impact dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#confidentialityImpact

This metric measures the impact on confidentiality of a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The possible values for this metric are: NONE, PARTIAL, COMPLETE. Increased confidentiality impact increases the vulnerability score. https://www.first.org/cvss/v2/guide#2-1-4-Confidentiality-Impact-C
has domain
cvss v2 c
has range
string

confidentiality impact dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#confidentialityImpact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The Base Score is greatest when the loss to the impacted component is highest. The list of possible values is: High, Low, None https://www.first.org/cvss/v3.1/specification-document#2-3-1-Confidentiality-C
has domain
cvss v3 c
has range
string

db dp

IRI: https://www.variotdbs.pl/ref/sources#db

Name of the source database
has domain
sources c
has range
string

exploitability dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#exploitability

This metric measures the current state of exploit techniques or code availability. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability. Initially, real-world exploitation may only be theoretical. Publication of proof of concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus. The possible values for this metric are: Unproven, Proof-of-concept (POC), Functional, High, Not Defined. The more easily a vulnerability can be exploited, the higher the vulnerability score. https://www.first.org/cvss/v2/guide#2-2-1-Exploitability-E
has domain
cvss v2 c
has range
string

exploitability score dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#exploitabilityScore

Exploitability = 20 • AccessVector • AccessComplexity • Authentication https://www.first.org/cvss/v2/guide#3-2-1-Base-Equation
has domain
cvss v2 c
has range

id dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#id

Identifier of the related vulnerability with given CVSS V2 in the external database
has domain
cvss v2 c
has range
string

id dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#id

Identifier of the related vulnerability with given CVSS V3 in the external database
has domain
cvss v3 c
has range
string

id dp

IRI: https://www.variotdbs.pl/ref/cvss/severity#id

Identifier of the related vulnerability with a given severity in the external database
has domain
severity c
has range
string

id dp

IRI: https://www.variotdbs.pl/ref/sources#id

Identifier in the source database
has domain
sources c
has range
string

impact score dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#impactScore

Impact = 10.41 • (1-(1-ConfImpact) • (1-IntegImpact) • (1-AvailImpact)) https://www.first.org/cvss/v2/guide#3-2-1-Base-Equation
has domain
cvss v2 c
has range

impact score dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#impactScore

ISS = 1 - [(1 - Confidentiality) • (1 - Integrity) • (1 - Availability)]. Impact = 6.42 • ISS if Scope is Unchanged; Impact = 7.52 • (ISS - 0.029) - 3.25 • (ISS - 0.02)^15 if Scope is Changed. https://www.first.org/cvss/v3.1/specification-document#7-1-Base-Metrics-Equations
has domain
cvss v3 c
has range

integrity impact dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#integrityImpact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and guaranteed veracity of information. The possible values for this metric are: NONE, PARTIAL, COMPLETE. Increased integrity impact increases the vulnerability score. https://www.first.org/cvss/v2/guide#2-1-5-Integrity-Impact-I
has domain
cvss v2 c
has range
string

integrity impact dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#integrityImpact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. The Base Score is greatest when the consequence to the impacted component is highest. The list of possible values is: High, Low, None https://www.first.org/cvss/v3.1/specification-document#2-3-2-Integrity-I
has domain
cvss v3 c
has range
string

obtain all privilege dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#obtainAllPrivilege

Whether or not the vulnerability allows one to obtain all privileges
has domain
cvss v2 c
has range
boolean

obtain other privilege dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#obtainOtherPrivilege

Whether or not the vulnerability allows one to obtain other privileges
has domain
cvss v2 c
has range
boolean

obtain user privilege dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#obtainUserPrivilege

Whether or not the vulnerability allows one to obtain user privileges
has domain
cvss v2 c
has range
boolean

privileges required dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#privilegesRequired

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. The Base Score is greatest if no privileges are required. The list of possible values is: None, Low, High https://www.first.org/cvss/v3.1/specification-document#2-1-3-Privileges-Required-PR
has domain
cvss v3 c
has range
string

remediation level dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#remediationLevel

The remediation level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The possible values for this metric are: OFFICIAL FIX, TEMPORARY FIX, WORKAROUND, UNAVAILABLE, NOT DEFINED. The less official and permanent a fix, the higher the vulnerability score is. https://www.first.org/cvss/v2/guide#2-2-2-Remediation-Level-RL
has domain
cvss v2 c
has range
string

report confidence dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#reportConfidence

This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes, only the existence of vulnerabilities is publicized, but without specific details. The vulnerability may later be corroborated and then confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The possible values for this metric are: Unconfirmed, Uncorroborated, Confirmed, Not Defined. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score. https://www.first.org/cvss/v2/guide#2-2-3-Report-Confidence-RC
has domain
cvss v2 c
has range
string

scope dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#scope

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. The Base Score is greatest when a scope change occurs. The list of possible values is: Unchanged, Changed https://www.first.org/cvss/v3.1/specification-document#2-2-Scope-S
has domain
cvss v3 c
has range
string

severity dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#severity

Qualitative rating of all the scores. Can be: low, medium or high https://nvd.nist.gov/vuln-metrics/cvss
has domain
cvss v2 c

trust dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#trust

How much CVSS V3 information can be trusted
has domain
cvss v3 c
has range

trust dp

IRI: https://www.variotdbs.pl/ref/cvss/severity#trust

How much severity assessment can be trusted
has domain
severity c
has range

user interaction dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#userInteraction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The Base Score is greatest when no user interaction is required. The list of possible values is: None, Required https://www.first.org/cvss/v3.1/specification-document#2-1-4-User-Interaction-UI
has domain
cvss v3 c
has range
string

user interaction required dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#userInteractionRequired

Whether or not user interaction is required
has domain
cvss v2 c
has range
boolean

value dp

IRI: https://www.variotdbs.pl/ref/cvss/severity#value

Level of the vulnerability's severity, on the scale provided by the source
has domain
severity c
has range
string

vector string dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#vectorString

Vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form.
has domain
cvss v2 c
has range

vector string dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#vectorString

Vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form.
has domain
cvss v3 c
has range

version dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV2#version

CVSS version
has domain
cvss v2 c
has range
string

version dp

IRI: https://www.variotdbs.pl/ref/cvss/cvssV3#version

CVSS version
has domain
cvss v3 c
has range
string

Annotation Properties

creator ap

IRI: http://purl.org/dc/elements/1.1/creator

description ap

IRI: http://purl.org/dc/elements/1.1/description

rights ap

IRI: http://purl.org/dc/elements/1.1/rights

source ap

IRI: http://purl.org/dc/elements/1.1/source

title ap

IRI: http://purl.org/dc/elements/1.1/title

Legend

c: Classes
op: Object Properties
dp: Data Properties

Acknowledgments

The authors would like to thank Silvio Peroni for developing LODE, a Live OWL Documentation Environment, which is used for representing the Cross Referencing Section of this document and Daniel Garijo for developing Widoco, the program used to create the template used in this documentation.