CVSS Scoring
Learn CVSS scoring and how it’s used to assess the severity of vulnerabilities.
Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) is a standardized system designed to provide an open framework for communicating the characteristics and impacts of IT vulnerabilities. Simply put, a CVSS score tells us how dangerous a discovered vulnerability is: the higher the score, the more dangerous the vulnerability.
CVSS scoring is structured around three metric groups:
Base score: This score captures the intrinsic qualities of a vulnerability. Elements considered include:
Attack vector (AV): This describes how the vulnerability is exploited (e.g., over the network or locally).
Attack complexity (AC): This indicates how complex it is to exploit the vulnerability.
User interaction (UI): This specifies if user interaction is needed to exploit the vulnerability.
Scope (S): This determines if the exploit will affect other resources beyond the vulnerable component.
Confidentiality, integrity, and availability impact (C/I/A): These detail how the vulnerability affects the confidentiality, integrity, and availability of the system’s data and functionality.
Temporal score: This score varies over time and considers the following:
Exploitability (E): This describes how mature the exploit for the vulnerability is.
Remediation level (RL): This describes the availability of fixes.
Report confidence (RC): This indicates the degree of confidence in the existence of the vulnerability and its attributes.
Environmental score: This score tailors the CVSS vector to specific environments, capturing the vulnerability’s severity in a particular organization or system.
Interpreting CVSS scores
Vulnerabilities are scored on a scale from 0 to 10:
0.0: No risk
0.1–3.9: Low severity
4.0–6.9: Medium severity
7.0–8.9: High severity
9.0–10.0: Critical severity
What is CVE?
Common Vulnerabilities and Exposures (CVE) is a standard identifier for publicly known vulnerabilities. CVE entries are used in cybersecurity products and services around the world.