The Common Vulnerability Scoring System (CVSS) is a public framework for rating the severity of security vulnerabilities in software. It is application and vendor neutral, enabling an organization to score its IT vulnerabilities across a wide range of software products -- from operating systems and databases to web applications -- using the same scoring framework.
Why do organizations adopt CVSS?
Historically, vendors used their own methods for scoring software vulnerabilities, often without detailing how their scores were calculated. This created a conundrum for system admins: should they fix a vulnerability with a severity of "high" first, or one with a rating of 5? To address this problem, the US National Infrastructure Assurance Council (NIAC) developed CVSS to simplify the generation of consistent scores that could accurately reflect the severity and impact of vulnerabilities to a specific IT environment.
Because CVSS is an open framework, organizations have full access to the parameters used to generate scores, so everyone can understand the rationale behind, and the differences between, any vulnerability scores. This makes it easier for security teams to gauge the impact of vulnerabilities on their systems and prioritize which ones to fix first. CVSS can also help organizations meet the security requirements of various standards: for example, the presence of unpatched vulnerabilities with a CVSS score of 4.0 or higher has an adverse impact on PCI compliance.
CVSS has been widely adopted and is used by the Department of Homeland Security (DHS), Computer Emergency Response Team (CERT) and many others. Organizations such as Cisco, Qualys, Oracle and SAP generate CVSS scores to communicate the severity of vulnerabilities found in their products. Software developers can also use CVSS scores to prioritize security tests to ensure known serious vulnerabilities are removed or mitigated during development.
History of CVSS
The CVSS was introduced in 2005 by NIAC, but the international Forum for Incident Response and Security Teams (FIRST) now owns and manages it. FIRST sponsors and supports the Common Vulnerability Scoring System-Special Interest Group (CVSS-SIG), which is made up of various organizations and individuals who help promote and refine the framework. CVSS-SIG provided most of the research and feedback on the initial design of CVSS and helped test and refine the formulas used in later versions.
CVSS v2 was released in 2007 and was seen as a significant improvement over the original version, reducing inconsistencies, providing additional granularity and more accurately reflecting the true properties of IT vulnerabilities despite the wide variety of vulnerability types. CVSS 3.0 was released in June 2015 and introduced scoring changes that more accurately reflected the reality of vulnerabilities encountered in the wild, such as the privileges required to exploit a vulnerability and the opportunities it gives an attacker who successfully uses it. The most recent version is 3.1, released in June 2019.
A CVSS score is derived from scores in three metric groups, Base, Temporal and Environmental, that cover the different characteristics of a vulnerability: its inherent impact, how its properties change over time and how it affects a specific environment. The Base group is made up of six categories, the Temporal group of three values, and the Environmental group of five categories.
The Base score is the metric most relied upon by enterprises and deals with the inherent characteristics of a vulnerability, that is, the ones that don't change over time or due to a user's environment, such as the degree to which a vulnerability could compromise the confidentiality, integrity or availability (CIA) of the system. It is made up of two sets of metrics.
First are the Exploitability metrics:
- Attack vector
- Attack complexity
- Privileges required
- User interaction
Second are the Impact metrics:
- Confidentiality impact
- Integrity impact
- Availability impact
The Temporal score measures aspects of the vulnerability according to its current status as a known vulnerability, and so represents the properties of the vulnerability that do change over time, such as the release of an official patch. It also includes the Report Confidence metric, which measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details demonstrating that the vulnerability is both real and exploitable. These metrics can decrease or increase the Base score, for example if a patch or workaround becomes available, or if the vulnerability is validated by the vendor.
The complete list of Temporal values is:
- Exploit code maturity
- Remediation level
- Report confidence
The Environmental metrics enable an organization to refine the Base score to its own environment by measuring the severity of the vulnerability adjusted for its impact on individual systems. These metrics provide real context for vulnerabilities within an organization as the business criticality of the asset, identification of mitigating controls and use of the asset in question can all be considered.
The full list of Environmental metric categories includes:
- Collateral damage potential
- Target distribution
- Confidentiality requirement
- Integrity requirement
- Availability requirement
How scoring works
A CVSS score can be between 0.0 and 10.0, with 10.0 being the most severe. To help convey CVSS scores to less technical stakeholders, FIRST maps CVSS scores to the following qualitative ratings:
0.0 = None
0.1-3.9 = Low
4.0-6.9 = Medium
7.0-8.9 = High
9.0-10.0 = Critical
The Base score is mandatory while the Temporal score is optional, and both are provided by the vendor or analyst. The Environmental score is calculated by the end user and is also optional.
The only requirement for categorizing a vulnerability with a CVSS score is the completion of the Base score components -- the Exploitability subscore, the Impact subscore and the Scope subscore. These scores are used to calculate the overall base score using a formula that weights each subscore.
The Temporal score is calculated by multiplying the Base score by the three Temporal metric values, while the Environmental score is a more complex calculation in which the five Environmental metrics are used to recompute the Base and Temporal scores, giving a more accurate evaluation of the severity of a vulnerability in the context of how the vulnerable component is deployed.
CVSS vs. CVE
CVSS is not a vulnerability classification system like CVE (Common Vulnerabilities and Exposures), which is a unique identifier for each vulnerability listed in the NIST NVD (National Vulnerability Database).
CVE identifiers are in the format CVE-[4 Digit Year]-[Sequential Identifier]. So, for example, the CVE for the Heartbleed vulnerability is CVE-2014-0160. CVE does, however, use CVSS to indicate the severity of each CVE, and FIRST's qualitative ratings based on the CVSS Base score are provided for each CVE vulnerability.
Publicly available CVSS scores are Base scores only, so they represent the severity of a vulnerability, but not whether it poses a risk to a specific IT environment. A CVSS calculator is required to calculate the Temporal and Environmental scores for an organization's own environment. Free CVSS calculators are provided by FIRST, NIST and Cisco, while ImmuniWeb has an online calculator for computing a CVSSv3 Base score for vulnerabilities in web applications.