Go back

Exploit Intelligence 101

Common Vulnerability Scoring System (CVSS)

avatar
Tom Bain@tmbainjr1
101

This knowledgebase article will support a fundamental understanding of:

  • The Common Vulnerability Scoring System (CVSS) is a widely used framework for assessing the severity of software vulnerabilities.
  • Why assigning a numerical score to vulnerabilities provides a standardized way for organizations to assess risk, prioritize remediation efforts, and communicate the severity of vulnerabilities effectively.
  • The essential components of CVSS, focusing on the most widely implemented version, CVSS 3.1, while exploring its benefits, limitations, and evolution.

What Is CVSS?

With thousands of vulnerabilities disclosed annually, determining which to address first can be overwhelming. CVSS is one tool that organizations can use to help solve this problem by offering a consistent, objective framework to score vulnerabilities based on their potential impact and ease of exploitation, and other important factors.

Before CVSS, the lack of a standardized system often led to inconsistent assessments across vendors, security teams, and industries. CVSS ensures that vulnerabilities are evaluated using a common framework, making it easier to compare risks across systems.

The Core of CVSS: Base Scores

The Base Score is the cornerstone of the CVSS framework. It measures the intrinsic severity of a vulnerability, independent of temporal or environmental factors. The CVSS Base Score is calculated using a set of metrics that describe how the vulnerability can be exploited and its potential impact.

Key metrics of the CVSS Base Score include:

  • Attack Vector (AV): This metric describes how an attacker can exploit the vulnerability. A vulnerability exploitable remotely over a network scores higher than one requiring local access because the attack surface is broader, and offers greater exposure to threat actors.
  • Attack Complexity (AC): This captures the difficulty of successfully exploiting the vulnerability. If an exploit requires specific conditions or dependencies to be met, the complexity is high, resulting in a lower score.
  • Privileges Required (PR): This metric assesses whether an attacker needs elevated privileges to exploit the vulnerability. Vulnerabilities that can be exploited without any special permissions are scored higher.
  • User Interaction (UI): Exploits that require a user to take an action, such as clicking a link or opening a file, score lower than those that require no user interaction.
  • Scope (S): Scope measures whether the impact of exploitation is confined to the vulnerable component or extends beyond its security boundary. Vulnerabilities that can affect other systems or applications are scored higher.
  • Confidentiality (C), Integrity (I), and Availability (A): These metrics evaluate the impact of exploitation on data confidentiality, data integrity, and system availability, respectively. A vulnerability compromising all three dimensions scores higher.

Example CVSS Base Scores and Vectors

To generate a CVSS Base Score, these metrics are interpreted using a standardized algorithm in order to generate a score between 0.0 and 10.0, representing the inherent risk. This simple score can be used as a component in vulnerability prioritization.

That said, the individual metrics provide a good degree of context about a vulnerability, which is lost when the metrics are condensed to a simple score. In order to capture the deeper context behind the score, CVSS also defines a Vector String which incorporates all the metrics in a format that’s simple for humans and machines to interpret. Let’s look at a couple of examples.

For example, CVE-2024-9989 is an authentication bypass vulnerability in WordPress that makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, so long as they have access to the username. It can be exploited easily over the network without any special privileges or user interaction. This vulnerability has been assigned the following CVSS vector, which computes to a CVSS Base Score of 9.8:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Imagine that this vulnerability presented slightly differently, requiring the attacker to have access to an existing low-privilege user account, and requiring the attacker to perform a complicated cryptographic analysis in order to perform a successful exploit. These changes in Attack Complexity and Privileges Required result in a lower CVSS Base Score of 7.5, and modifications to the CVSS Vector:

CVSS:3.1/AV:N/**AC:H**/**PR:L**/UI:N/S:U/C:H/I:H/A:H

Temporal Scores: Adding Context Over Time

While Base Scores represent the intrinsic characteristics of a vulnerability, they don’t account for changing factors such as exploit availability or remediation efforts. This is where the CVSS Temporal Score comes in. Temporal Scores adjust the CVSS Base Score to reflect the current state of a vulnerability.

Key metrics of the Temporal Score include:

  • Exploit Code Maturity (E): This metric evaluates whether exploit code is available and how reliable it is. Vulnerabilities with publicly available, functional exploit code score higher, as it makes it simpler for lower-skilled attackers to leverage the vulnerability.
  • Remediation Level (RL): Remediation Level highlights the status of a fix, if any, for the vulnerability. When a vulnerability is first discovered, there will be no solution available. Over time, vendors may release temporary workarounds, and eventually a patch or other permanent fix. Vulnerabilities with official, permanent fixes are scored lower than vulnerabilities with less reliable fixes.
  • Report Confidence (RC): The reliability of the vulnerability report is also considered. Verified vulnerabilities score higher than those based on unconfirmed or speculative reports.

Example Temporal Scoring

Returning to our CVE-2024-9989 example, once the vendor releases an official patch for the vulnerability, the Remediation Level is updated to reflect it, and the overall CVSS score (Base + Temporal) goes down from 9.8 to 9.4.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/**RL:O**

This dynamic adjustment helps organizations focus on the most pressing vulnerabilities as the situation evolves.

Environmental Metrics: Customizing for Your Environment

Every organization has unique systems, configurations, and priorities. The CVSS Environmental Score allows security teams to tailor the Base and Temporal Scores to their specific context. This customization ensures that vulnerabilities are assessed based on their actual impact on the organization’s environment.

Environmental metrics modify the Base Score by accounting for factors such as the criticality of the affected system or the sensitivity of the data it processes. For example, a vulnerability in a system storing sensitive customer information might receive a higher score in an organization with strict regulatory requirements.

Organizations may also modify the base metrics to reflect their own situation. This allows security teams to take into account their own local defensive countermeasures and other factors that might not be fully reflected in the Base Score metrics.

Example Environmental Scoring

Returning to our CVE-2024-9989 once more, let’s consider a specific organization. Our example organization uses WordPress only internally for publishing the results from the weekly departmental bowling tournament. This data has low importance from the perspective of confidentiality, integrity, and availability. It’s also not accessible from the outside, but instead requires a user to have access to the local network. These circumstances significantly reduce the risk of damage from an exploit of CVE-2024-9989, and the CVSS score (Base + Environmental) is reduced from 9.8 down to 6.6, with the following CVSS vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/**CR:L/IR:L/AR:L/MAV:L**

Limitations of CVSS

While CVSS is a powerful tool to assist in vulnerability prioritization and risk management, it is not without its limitations. As seen above, there is a great deal of complexity hidden behind what many think of as a simple numerical score.

A CVSS Base Score is derived from 8 different metrics, each requiring accurate data and judgment. Incorporating temporal and environmental factors adds 14 additional metrics, which can change over time. Misinterpretations or inconsistent application of these metrics can lead to misleading scores. Few vulnerability management solutions provide the flexibility to routinely manage all this data across a large enterprise environment.

In addition, keeping abreast of temporal and environmental developments that affect CVSS scoring is a daunting challenge. New exploits are released every day, sometimes for vulnerabilities that were originally disclosed months or years in the past. Vendor disclosures and public vulnerability databases fall out-of-date rapidly. Effective prioritization requires a good stream of exploit intelligence and effective tools for ingesting and operationalizing it.

Finally, the existence of multiple versions of CVSS, with varying levels of adoption, further complicates matters. CVSS 3.1 is widely supported in most environments today, but some tools and vendors still use earlier versions, leading to inconsistencies in scoring and prioritization.

The Evolution of CVSS: A Look at 4.0

CVSS 4.0 has also been released, and while it adds more nuance and context than previous versions, it also promises to introduce confusion as it is slowly adopted.

One of the most notable is support for vulnerability chaining, allowing for better representation of complex attack scenarios. Additionally, CVSS 4.0 refines metrics like Exploitability and introduces qualitative scoring (High, Medium, Low) as an alternative to numeric scores.

These updates aim to make CVSS more comprehensive while remaining practical for security teams. Although adoption of CVSS 4.0 will take time, it represents a step forward in addressing the evolving challenges of vulnerability management.

Conclusion

CVSS provides a standardized and consistent approach to assessing the severity of software vulnerabilities. The framework equips organizations with much of the context needed to prioritize their remediation efforts effectively. However, understanding its limitations is crucial to using it wisely. By supplementing CVSS scores with rich exploit intelligence and keeping abreast of its evolution, security professionals can better manage the complex landscape of vulnerabilities.

For more in-depth cybersecurity insights, visit VulnCheck’s Exploit Intelligence 101 Knowledge Base.

Get Started with VulnCheck
Schedule Demo