What is the CVSS scoring system?
The Common Vulnerability Scoring System (aka CVSS) is an open industry standard for assessing the severity of computer system security vulnerabilities. The CVSS provides a numerical (0-10) representation of the severity of an information security vulnerability. CVSS scores are commonly used by Information security (InfoSec) teams as part of a vulnerability management program to provide a point of comparison between vulnerabilities and to prioritize remediation of vulnerabilities.
What is the difference between CVSSv2 and CVSSv3?
The authors of CVSSv3 introduced scoring changes that more accurately reflect the reality of vulnerabilities encountered in the wild. The three major metric groups (Base, Temporal, and Environmental) were retained, but changes were made within both the Base and the Environmental groups.
In the Base group, several changes were made:
- Confidentiality, Integrity, and Availability metrics were each changed to have scoring parameters of None, Low, or High.
- The Attack Vector metric added the Physical (P) value, which indicates a vulnerability where the adversary must have physical access to a system in order to exploit the vulnerability.
- A new metric, User Interaction (UI), was added. This metric indicates whether or not the cooperation of a legitimate user is needed to conduct an exploit.
- Another new metric, Privileges Required (PR), was added to indicate whether administrative or other elevated privileges on the target machine must be obtained in order to successfully exploit the system.
In the Environmental group, the biggest change was that the v2 environmental metrics were completely replaced with what is known as the Modified Base Score. Essentially, each of the Base metrics may be modified by the organization to reflect differences between its own situation and environment and those of others.
Holm Security severity levels:
- 0: Info
- 0.1–2.0: Low
- 2.1–5.0: Medium
- 5.1–8.0: High
- 8.1–10: Critical
What does Holm Security support?
Holm Security supports both CVSSv2 and CVSSv3.
Why are some CVEs missing the CVSS v3 score?
- CVSS v3.0 was first released in June 2015, which means all previously disclosed vulnerabilities only have CVSS v2 scores.
- CVSS v3.1 was released in June 2019, which means CVEs disclosed between 2015 and 2019 can only have a v3.0 score.
- All CVEs after June 2019 have v3.1 scores.
Insight into main changes to CVSS 3.1 compared to CVSS 3.0
Version 3.1 focuses on clarifying and improving the existing standard. The most significant modifications are explained below:
CVSS measures severity, not risk
This version highlights that the CVSS is designed to measure the severity of a vulnerability and, therefore, must not be used as the only tool to assess risk. The CVSS v3.1 specification document now clearly states that the CVSS Base Score represents only the intrinsic characteristics of a vulnerability that are constant over time and common across user environments. To carry out a systematic risk analysis, this base score must be complemented with a contextual analysis that takes advantage of the Temporal and Environmental metrics, and with other external factors not considered by the CVSS, such as exposure and threat.
Changes in Attack Vector and Modified Attack Vector
The descriptions of the values (Network, Adjacent, Local and Physical) of the Attack Vector (AV) metric are reformulated to make them more familiar to CVSS suppliers and general consumers, avoiding references to the OSI model. A guidance section on how to use this metric when resources are behind a firewall is also included.
The value Adjacent (A) of the Attack Vector (AV) metric, of the Base Score group of metrics, as defined in CVSS 3.0 caused ambiguity in the case of logically adjacent or trusted networks (MPLS, VPN, etc.). To address this inaccuracy, the definition of Adjacent is extended, including these limited-access networks.
Please read more about the CVSS versions here (external link):