CVSS Metrics


CVSS metrics generate a score from 0 to 10 based on the intrinsic characteristics of the vulnerability (base), the environment in which the exposure occurs (environmental), and the changing characteristics of the vulnerability over time (temporal).

  • based on CVSS v4.0

Metric Categories

The CVSS scoring system consists of several metrics, used to calculate a given vulnerability's risk level, that are grouped into three categories:

  • Impact
    • The potential damage or harm caused by the vulnerability
    • includes: C, I, A
  • Exploitability
    • The ease and likelihood of exploiting a vulnerability
    • includes: AV, AC, PR, UI
  • Remediation
    • The cost and effort required to fix the vulnerability

Metric Groups

Base

The Base group describes the basic characteristics of the vulnerability that are constant over time and across user environments.

  • does not include temporal or environmental metrics
  • metrics include:
    • Attack Vector (AV)
      • Values:
        • Network (N)
        • Adjacent network (A)
        • Local (L)
        • Physical (P)
    • Attack Complexity (AC)
      • Values:
        • None (N)
        • Low (L)
        • High (H)
    • Privileges Required (PR)
      • Values:
        • None (N)
          • guest
        • Low (L)
          • standard user
        • High (H)
          • administrator
    • User Interaction (UI)
      • Values:
        • None (N)
        • Required (R)
    • Scope (S)
      • captures whether a vulnerability in one component impacts resources in a component beyond its security scope
      • Values:
        • Unchanged (U)
        • Changed (C)
    • Impact metrics:
      • Confidentiality Impact (C)
      • Integrity Impact (I)
      • Availability Impact (A)
      • all rated as:
        • None (N)
        • Low (L)
        • High (H)
        • Critical (C)

Temporal

The Temporal metrics adjust the Base score based on factors that change over time, such as Exploit Code Maturity (the availability and maturity of exploit code), Remediation Level (the availability of a patch or workaround), and Report Confidence (the certainty that the vulnerability is real).

  • has three metrics:
    • Exploit Code Maturity (E)
      • measures the likelihood of the vulnerability being attacked
      • typically based on the current state of exploit techniques, exploit code availability, or active exploitation
      • possible ratings:
        • Not Defined (X)
        • High (H)
        • Functional (F)
        • Proof of Concept (P)
        • Unproven (U)
    • Remediation Level
      • can be:
        • Not Defined (X)
        • Unavailable (U)
        • Workaround (W)
        • Temporary Fix (T)
        • Official Fix (O)
    • Report Confidence
      • indicates how confident we are in the details of the vulnerability
      • can be:
        • Not Defined (X)
        • Confirmed (C)
        • Reasonable (R)
        • Unknown (U)

Environmental

The Environmental metric group allows an organization to customize the score based on its specific environment, considering factors such as the importance of the affected asset (Asset Criticality) and the presence of mitigating controls.

  • four metrics:
    • Modified Base Metrics
    • Confidentiality Requirement
    • Integrity Requirement
    • Availability Requirement