A Beginner’s Guide to CVSS

Updated: September 12th, 2024

The Common Vulnerability Scoring System (CVSS) is an open standard for assessing the severity of security vulnerabilities in computer systems. It matters because it gives organizations a consistent way to identify and address the risk that each vulnerability poses.

Vulnerabilities are scored from 0 to 10, with 10 being the most severe. Organizations can use these severity scores, interpreted against their own risk profile, to assess their exposure, plan remediation, and decide how to treat each cybersecurity risk.

CVSS was first published in 2005 and has been revised several times since. Each new version refines the scoring mechanism and broadens the range of systems and networks the scores can be applied to.

The most recent version is CVSS 4.0, launched in 2023. It introduces changes that make the scores a better representation of real-world risk and make each vulnerability easier to understand.

Understanding CVSS

The Common Vulnerability Scoring System, or CVSS, is a standard method for rating the severity of vulnerabilities in computer systems. It characterizes a vulnerability through a set of categorical metrics describing its common properties and derives a numerical severity score from them.

The CVSS framework consists of three main pieces:

  • Base Score: Metrics of a vulnerability that are inherent to it and remain constant over time and across user environments.
  • Temporal Score: This score captures time-based dimensions of a vulnerability's severity, such as changes that occur after exploit code is published or a reliable fix is released.
  • Environmental Score: The impact of a specific vulnerability within the user's own environment.

CVSS v4.0 Ratings

There are a variety of reasons why it is critical to the security landscape that we get CVSS right.

  • CVSS offers a standardized method for scoring vulnerabilities, so that security risk can be discussed consistently across organizations.
  • Using CVSS, security teams can prioritize which vulnerabilities to remediate first.
  • CVSS provides a simple, fact-based method for scoring vulnerability criticality.
  • CVSS can be applied to many system and network types and is widely used throughout the tech industry.

CVSS 4.0: The Latest Version

In 2023, the Common Vulnerability Scoring System (CVSS) was updated to version 4.0. The new version corrects some shortcomings of CVSS 3.1 and builds the scoring system on more complete and flexible measures.

The main changes from CVSS 3 to CVSS 4.0 are:

  • No Scope metric: CVSS 4.0 removes the need for a Scope metric, since the same information is now captured in separate impact metrics for the Vulnerable and Subsequent systems.
  • Attack Requirements (AT): A new Base metric that captures the prerequisites for a successful exploitation attempt.
  • Improved User Interaction: The User Interaction (UI) metric now has three values: None, Passive, and Active.
  • Enhanced impact metrics: Confidentiality, Integrity, and Availability for both the Vulnerable systems and Subsequent systems are evaluated.

New nomenclature in CVSS 4.0:

  • CVSS-B: Base Score only
  • CVSS-BT: Base + Threat Score
  • CVSS-BE: Base + Environmental Score
  • CVSS-BTE: Base + Threat + Environmental Score

This new naming convention is intended to stress that CVSS consists of more than just the Base score. It suggests that the user takes threat and environmental factors into account for a better vulnerability assessment.

CVSS 4.0 also changes how severity is derived: scores are ordered using expert judgement and equivalence sets of metric combinations rather than a formula over raw metric values, which gives better differentiation between the ranking levels.


New and Updated Metrics in CVSS 4.0

CVSS 4.0 introduces significant changes, especially to its metric structure. In the Base metrics, a new Attack Requirements (AT) metric captures prerequisites for exploitation, such as specific configurations or conditions that must hold. A new Passive option under the User Interaction (UI) metric gives finer granularity in describing how much user engagement a vulnerability requires.

The removal of "Scope" is also a big departure. Individual impact metrics for the Vulnerable and Subsequent systems replace it:

  • Vulnerable System: Confidentiality (VC), Integrity (VI), Availability (VA)
  • Subsequent System: Confidentiality (SC), Integrity (SI), Availability (SA)

This change permits investigators to better quantify impacts in complex systems.

The Temporal metrics have been streamlined and relabeled as the Threat Metric Group, which has a single metric:

Exploit Maturity (E): Not Defined, Unreported, Proof-of-Concept, Active

A new Supplemental Metric Group is introduced; it adds context but does not affect the numerical score. The most important metrics are Safety (S), Automatable (A), Recovery (R), and Provider Urgency (U).
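The metric groups and the CVSS-B/BT/BE/BTE nomenclature described above can be made concrete with a small vector validator. This is an added example, not code from the article or from FIRST; abbreviations the page does not spell out (E values X/A/P/U, CR/IR/AR, the M-prefixed Modified Base metrics and the Supplemental codes) follow the CVSS v4.0 specification, and the vector strings are constructed.

```python
"""Validate a CVSS 4.0 vector string and classify it as CVSS-B, -BT, -BE or -BTE."""
# Added example (not from the original article). Metric names and value
# abbreviations follow the FIRST CVSS v4.0 specification.

BASE = {  # mandatory in every CVSS 4.0 vector
    "AV": tuple("NALP"), "AC": tuple("LH"), "AT": tuple("NP"), "PR": tuple("NLH"),
    "UI": tuple("NPA"), "VC": tuple("HLN"), "VI": tuple("HLN"), "VA": tuple("HLN"),
    "SC": tuple("HLN"), "SI": tuple("HLN"), "SA": tuple("HLN"),
}
THREAT = {"E": tuple("XAPU")}  # Exploit Maturity: Not Defined, Attacked, PoC, Unreported
ENVIRONMENTAL = {"CR": tuple("XHML"), "IR": tuple("XHML"), "AR": tuple("XHML")}
# Modified Base metrics take the Base values plus X (Not Defined); MSI/MSA also allow S (Safety).
ENVIRONMENTAL.update({"M" + k: v + ("X",) for k, v in BASE.items()})
ENVIRONMENTAL["MSI"] += ("S",)
ENVIRONMENTAL["MSA"] += ("S",)
SUPPLEMENTAL = {"S": tuple("XNP"), "AU": tuple("XNY"), "R": tuple("XAUI"),
                "V": tuple("XDC"), "RE": tuple("XLMH"),
                "U": ("X", "Clear", "Green", "Amber", "Red")}
ALL_METRICS = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}


def parse_vector(vector: str) -> dict:
    """Return {metric: value}; raise ValueError on any malformed or unknown component."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS 4.0 vector")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed component {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        allowed = ALL_METRICS.get(name)
        if allowed is None:
            raise ValueError(f"unknown metric {name}")
        if value not in allowed:  # exact match against the permitted codes
            raise ValueError(f"invalid value {value!r} for {name}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing mandatory Base metrics: {missing}")
    return metrics


def nomenclature(metrics: dict) -> str:
    """A group counts only if at least one of its metrics is set to something other than X.
    Supplemental metrics never change the nomenclature (they do not affect the score)."""
    threat = any(metrics.get(m, "X") != "X" for m in THREAT)
    env = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if threat else "") + ("E" if env else "")
```

For example, a constructed vector such as `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P` classifies as CVSS-BT, while appending only `/AU:Y` leaves it at CVSS-B.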

Practical Applications of CVSS 4.0

Here’s how organizations can leverage CVSS 4.0 scores to improve their vulnerability management strategies:

  • More granular Base metrics: With Attack Requirements (AT) and the extended User Interaction (UI) values, vulnerabilities can be ranked more accurately, which lets security teams prioritize what matters most.
  • Environmental contextualization: Organizations can now adapt scores by reweighting the new Environmental metrics, which include safety as a characteristic of the IT landscape, so that each distinct environment gets more meaningful severity ratings.
  • Threat-informed response: The Exploit Maturity metric in the Threat Metric Group lets the importance assigned to a vulnerability change over time as exploit activity changes, so security measures can be adjusted promptly.
  • Supplemental insight integration: Supplemental metrics such as Automatable (A) and Recovery (R) serve as additional data points for decision-making but do not influence the numerical score.

An Overview of CVSS 3

CVSS 3 was published in June 2015 with major modifications to the scoring system. CVSS 3 introduced "Scope", which captures whether exploiting a vulnerability can affect components beyond the vulnerable component itself. This gave a more accurate scoring mechanism for complex vulnerabilities across networked systems.

CVSS 3 contains the following key features:

  • Attack Vector (AV): Network, Adjacent Network, Local, Physical
  • Attack Complexity (AC): Low, High
  • Privileges Required (PR): None, Low, High
  • User Interaction (UI): None, Required
  • Scope (S): Unchanged, Changed
  • Confidentiality (C), Integrity (I), Availability (A): None, Low, High

These metrics are used to calculate the Base Score in CVSS 3, which ranges from 0 to 10. They provide a way to account for vulnerability impact and exploitability.

The Base Score can be further refined with the Temporal metrics:

  • Exploit Code Maturity (E)
  • Remediation Level (RL)
  • Report Confidence (RC)

Organizations could use environmental metrics to provide their own context for the score based on what was relevant in their IT environment:

  • Modified Base Metrics
  • Security Requirements (C, I, A)

Comparing CVSS 3 and CVSS 4.0

Let’s discuss the key changes from CVSS 3 to CVSS 4.0:

Metric | CVSS 3 | CVSS 4.0
Scope Concept | Single Scope metric | Individual Vulnerable and Subsequent impact metrics
Attack Requirements | Not present | Base metric (Attack Requirements)
User Interaction | None, Required | None, Passive, Active
Temporal Metrics | Separate metrics (Exploit Code Maturity, Remediation Level, Report Confidence) | Single Threat metric (Exploit Maturity)
Supplemental Metrics | Not present | Provides additional data without affecting the numeric score

Here are a few of the advantages CVSS 4.0 provides over its predecessor:

  • More accurate representation of complex vulnerability impacts.
  • Additional context scoring is available through Supplemental Metrics. This adjusted scoring process should result in less simplistic aggregate scores.
  • Safety metrics have been added for better coverage of operational technology (OT) and industrial control systems in CVSS 4.0 as well.

Alongside these benefits, transitioning from CVSS 3 to CVSS 4.0 brings several challenges. Your security team will need retraining on the new metrics and scoring system. Vulnerability management tools and databases will need to be updated to support CVSS 4.0. The new scoring system will produce score distributions that differ from CVSS 3, which may require re-calibration of severity thresholds.

It is important to note that existing CVSS 3 scores and new CVSS 4.0 scores are not directly comparable, since they come from different scoring methodologies; comparing them is an apples-to-oranges exercise. Both systems still indicate the direction of change in risk (amplification or reduction), which gives quick insight into weaknesses in externally-facing systems.

Finally, CVSS 4.0 will not be widely adopted overnight. Even though it is likely to remain the standard for some time, there will be a transition period during which both versions are used simultaneously within the industry.


Final Thoughts

The Common Vulnerability Scoring System has advanced to version 4.0, with substantial modifications that enable better vulnerability evaluation. These updates provide finer impact assessment and more accurate scoring.

The move, however obvious in hindsight, will necessitate retraining and tool updates and will complicate historical score comparisons. Taken together, CVSS 4.0 is designed to be a more modern system for scoring severity in contemporary IT environments.

FAQs

What does CVSS mean?

The Common Vulnerability Scoring System, or CVSS, is a standard method for rating the severity of vulnerabilities in computer systems. It characterizes a vulnerability through a set of categorical metrics describing its common properties and derives a numerical severity score from them.

What is CVSS vs CVE score?

CVSS (Common Vulnerability Scoring System) is a numerical score assigned to vulnerabilities based on severity, whereas CVE (Common Vulnerabilities and Exposures) is a unique identifier for each vulnerability. CVSS scores help prioritize security patches, while CVE IDs are used to track and reference vulnerabilities.