Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) is used to rate the severity of computer system security vulnerabilities.
CVSS is an open framework that consists of the following metric groups:
Base
Temporal
Environmental
Base
The base score severity range is 0 to 10 and represents the inherent characteristics of the vulnerability. The base score has the largest bearing on the final CVSS score, and can be further divided into the following sub-scores:
Impact
The impact sub-score represents metrics for the confidentiality impact, integrity impact, and availability impact of a successfully exploited vulnerability.
Exploitability
The exploitability sub-score represents metrics for Access Vector, Access Complexity, and Authentication, and measures how the vulnerability is accessed, the complexity of the attack, and the number of times an attacker must authenticate to successfully exploit a vulnerability.
Temporal
The temporal score represents the characteristics of a vulnerability threat that change over time, and consists of the following metrics:
Exploitability
The availability of techniques or code that can be used to exploit the vulnerability, which changes over time.
Remediation Level
The level of remediation that is available for a vulnerability.
Report Confidence
The level of confidence in the existence of the vulnerability and the credibility of its technical details.
Environmental
The environmental score represents characteristics of the vulnerability that depend on the user's environment. Configure the following environmental metrics to highlight vulnerabilities on important or critical assets: apply the highest values to the most important assets, because losses associated with those assets have greater consequences for the organization.
Collateral Damage Potential (CDP)
The potential for loss of life or physical assets through the damage or theft of this asset, or the economic loss of productivity or revenue.
Target Distribution (TD)
The proportion of systems in the user's environment that are vulnerable.
Confidentiality Requirement (CR)
The impact of a loss of confidentiality when a vulnerability is exploited on this asset.
Integrity Requirement (IR)
The impact of a loss of integrity when a vulnerability is successfully exploited on this asset.
Availability Requirement (AR)
The level of impact to the asset's availability when a vulnerability is successfully exploited on this asset.
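The three metric groups described above combine into one score in a fixed order: the Base sub-scores (Impact and Exploitability) produce the base score, the Temporal multipliers scale it, and the Environmental metrics re-weight the impact with CR/IR/AR and then apply CDP and TD. The following calculator, added here as an illustration and not part of the original page, implements the CVSS v2.0 equations and metric weights from the public specification. The vector string format (AV:N/AC:L/...), the helper names (parse_vector, base_score, temporal_score, environmental_score, score) and the sample vectors are constructed for this example; Decimal arithmetic is used so that half-up rounding to one decimal matches the specification rather than floating-point behaviour.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 metric weights (Base, Temporal, Environmental) from the public specification.
# "ND" (Not Defined) is the neutral value used when a temporal/environmental metric is omitted.
WEIGHTS = {
    # Base: Exploitability metrics
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},        # Access Vector
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},         # Access Complexity
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},        # Authentication
    # Base: Impact metrics
    "C": {"N": "0.0", "P": "0.275", "C": "0.660"},         # Confidentiality impact
    "I": {"N": "0.0", "P": "0.275", "C": "0.660"},         # Integrity impact
    "A": {"N": "0.0", "P": "0.275", "C": "0.660"},         # Availability impact
    # Temporal
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},   # Exploitability
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"}, # Remediation Level
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},             # Report Confidence
    # Environmental
    "CDP": {"N": "0.0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0.0"},
    "TD": {"N": "0.0", "L": "0.25", "M": "0.75", "H": "1.0", "ND": "1.0"},
    "CR": {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"},
    "IR": {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"},
    "AR": {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"},
}
BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def round1(x):
    """round_to_1_decimal as the specification defines it (half up)."""
    return x.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def parse_vector(vector):
    """Parse 'AV:N/AC:L/...' into {metric: value}; all six Base metrics are mandatory."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if key not in WEIGHTS or value not in WEIGHTS[key]:
            raise ValueError(f"unknown metric or value: {part!r}")
        metrics[key] = value
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def w(metrics, key):
    """Weight of a metric; temporal/environmental metrics default to ND."""
    return Decimal(WEIGHTS[key][metrics.get(key, "ND")])


def impact_subscore(m, cr=Decimal(1), ir=Decimal(1), ar=Decimal(1)):
    # Impact = 10.41 * (1 - (1 - C)(1 - I)(1 - A)); the environmental
    # variant multiplies each impact by its requirement (CR/IR/AR).
    return Decimal("10.41") * (1 - (1 - w(m, "C") * cr) * (1 - w(m, "I") * ir) * (1 - w(m, "A") * ar))


def exploitability_subscore(m):
    # Exploitability = 20 * AccessVector * AccessComplexity * Authentication
    return 20 * w(m, "AV") * w(m, "AC") * w(m, "Au")


def base_from(impact, exploitability):
    # f(Impact) is 0 when there is no impact at all, otherwise 1.176.
    f = Decimal("0") if impact == 0 else Decimal("1.176")
    return round1((Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")) * f)


def base_score(m):
    return base_from(impact_subscore(m), exploitability_subscore(m))


def temporal_score(m, base=None):
    # Temporal = round(Base * Exploitability * RemediationLevel * ReportConfidence)
    base = base_score(m) if base is None else base
    return round1(base * w(m, "E") * w(m, "RL") * w(m, "RC"))


def environmental_score(m):
    # AdjustedImpact is capped at 10, then the base and temporal equations are re-run with it.
    adjusted_impact = min(Decimal(10), impact_subscore(m, w(m, "CR"), w(m, "IR"), w(m, "AR")))
    adjusted_temporal = temporal_score(m, base_from(adjusted_impact, exploitability_subscore(m)))
    # Environmental = round((AdjTemporal + (10 - AdjTemporal) * CDP) * TD)
    return round1((adjusted_temporal + (10 - adjusted_temporal) * w(m, "CDP")) * w(m, "TD"))


def score(vector):
    """Return the three CVSS v2 scores for a full or partial vector string."""
    m = parse_vector(vector)
    return {"base": base_score(m), "temporal": temporal_score(m), "environmental": environmental_score(m)}


if __name__ == "__main__":
    # Constructed sample: remote, low-complexity, unauthenticated availability-only vulnerability
    # with a functional exploit and an official fix, on a highly distributed, availability-critical asset.
    sample = "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H"
    print(score(sample))  # base 7.8, temporal 6.4, environmental 9.2
```

Note how the environmental metrics can pull a score in either direction: the official fix and functional-exploit temporal values lower 7.8 to 6.4, but setting AR to High on an asset with high collateral damage potential raises the environmental score to 9.2. Omitting temporal or environmental metrics leaves them at ND, so a base-only vector yields the same value for all three scores.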