CVSS Scoring

The Common Vulnerability Scoring System (CVSS) is a framework for communicating the characteristics and severity of software vulnerabilities. It produces a score from 0 to 10 based on two groups of metrics:

Impact

  • Scope changed
  • Confidentiality
  • Integrity
  • Availability

Exploitability

  • Attack vector: a measure of how much network access an attacker requires [adjacent, local, physical]
  • Attack complexity: how difficult the weakness is to exploit [low, high]
  • Privileges required: how privileged the attacker needs to be [none, low, high]
  • User interaction: how much user interaction is required to exploit the vulnerability

A score is developed for the impact and the exploitability, which are then combined in order to generate the CVSS score.

NOTE: CVSS communicates how easy a vulnerability is to exploit and what its impact would be. It does not describe how likely the vulnerability is to actually be exploited.
