Skip to main content
Oximy
Security

CVSS

Common Vulnerability Scoring System - a standardized framework for rating the severity of security vulnerabilities on a scale of 0 to 10.

Also known asVulnerability ScoringCVE Scoring
Full Definition

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It produces a numerical score (0-10) reflecting the severity of a vulnerability.

CVSS Score Ranges

ScoreSeverity
0.0None
0.1-3.9Low
4.0-6.9Medium
7.0-8.9High
9.0-10.0Critical

CVSS v3.1 Metric Groups

Base Metrics Intrinsic characteristics:

  • Attack Vector (AV)
  • Attack Complexity (AC)
  • Privileges Required (PR)
  • User Interaction (UI)
  • Scope (S)
  • Impact: CIA

Temporal Metrics Change over time:

  • Exploit Code Maturity
  • Remediation Level
  • Report Confidence

Environmental Metrics Organization-specific:

  • Modified Base Metrics
  • CIA Requirements

Example Calculation

CVE-2021-44228 (Log4Shell)

  • Base Score: 10.0 (Critical)
  • Vector: Network
  • Complexity: Low
  • Privileges: None
  • Impact: Complete

Using CVSS

Prioritization

  • Rank vulnerabilities
  • Resource allocation
  • Risk decisions

Limitations

  • Doesn't consider context
  • No threat intelligence
  • Requires supplementation

Best Practices

  • Combine with threat intel
  • Consider asset criticality
  • Use environmental scores
  • Don't rely solely on CVSS
Previous

Cryptography

Next

Data Breach