Understanding CVSS: How vulnerability severity is calculated
As cybersecurity threats become more complex, understanding the severity of vulnerabilities is crucial for managing risk effectively. Without a standardized system, it becomes challenging to prioritize vulnerabilities and address the most critical ones first. This is where the Common Vulnerability Scoring System (CVSS) comes into play. CVSS offers a consistent, vendor-neutral way to rate the technical severity of a vulnerability, so that findings from different scanners, vendors and advisories can be compared on one scale. Note that it measures severity, not risk: a Base Score says nothing about whether an affected system is reachable or what data it holds, which is what the Environmental metrics and your own asset context are for.
In this article, we’ll break down how CVSS works, its key components, and how the severity of vulnerabilities is calculated.
Key components of CVSS 3.1 scoring
CVSS 3.1 assigns a severity score to vulnerabilities based on several metrics, which are divided into three groups: Base, Temporal, and Environmental. These groups describe different aspects of a vulnerability: what it is, how the surrounding world has changed since disclosure, and how it affects a particular deployment. The Base metrics are the ones published in vendor advisories and vulnerability databases and describe the intrinsic characteristics of the vulnerability, regardless of any organization's environment.
Here’s a breakdown of the Base Metrics:
Attack Vector (AV): Measures the context from which the vulnerability can be exploited: Network (N), Adjacent (A), Local (L) or Physical (P). The more remote the attacker can be, the higher the score.
Attack Complexity (AC): Assesses the complexity required to exploit the vulnerability. A vulnerability with 'Low' complexity is easier to exploit than one with 'High' complexity.
Privileges Required (PR): Indicates the level of privileges an attacker must have to exploit the vulnerability. The scale ranges from 'None' (no privileges needed) to 'High' (administrator-level access required).
User Interaction (UI): Determines whether the vulnerability can be exploited without user action or requires user interaction, such as clicking a link.
Scope (S): Records whether a successful exploit affects resources beyond the security authority of the vulnerable component, for example a flaw in a virtual machine that lets a guest tamper with files on the host. If it does, the scope is 'Changed'; if the impact stays within the vulnerable component itself, it is 'Unchanged'. Scope is about crossing a security boundary, not about how many systems are affected.
Confidentiality (C), Integrity (I), and Availability (A) Impact: These three metrics assess how much a vulnerability affects the confidentiality, integrity, and availability of a system. The impact is rated on a scale from 'None' to 'High'.
For more detailed information about CVSS metrics, see the official CVSS v3.1 specification and calculator published by FIRST (https://www.first.org/cvss/calculator/3.1).
How vulnerability severity is calculated
The CVSS Base Score is a number from 0.0 to 10.0 that summarizes the severity of a vulnerability from the Base metrics alone. The equation combines two sub-scores: an Exploitability sub-score built from Attack Vector, Attack Complexity, Privileges Required and User Interaction, and an Impact sub-score built from the Confidentiality, Integrity and Availability impacts. Scope decides how the two are combined (a Changed scope uses a different impact equation and a 1.08 multiplier), the sum is capped at 10 and the result is rounded up to one decimal place. A vulnerability with no impact on confidentiality, integrity or availability therefore always scores 0.0, however easy it is to trigger.
The Base Score describes the vulnerability itself, not an organization's exposure to it. The Temporal metrics (Exploit Code Maturity, Remediation Level and Report Confidence) adjust it for the current state of the world, for example lowering the score while only a proof of concept exists and an official fix is available. The Environmental metrics let an organization raise or lower the Confidentiality, Integrity and Availability requirements of the affected asset and override individual Base metrics to reflect its own deployment. Used this way, the final score reflects the organization's infrastructure and security priorities rather than a generic worst case.
Organizations rely on these scores to prioritize vulnerabilities, ensuring that the most critical threats are addressed first, protecting sensitive data and maintaining system integrity.
Using the CVSS calculator to evaluate vulnerabilities
To streamline vulnerability assessment, the CVSS calculator lets security teams select the value of each metric (Attack Vector, Attack Complexity, Privileges Required, and so on) and returns the resulting Base Score together with a vector string that records the choices. For example, consider a vulnerability that allows remote code execution on a server:
- Attack Vector (AV): Network (N) – the attack can be executed remotely over a network.
- Attack Complexity (AC): Low (L) – the exploit is reliable and depends on no special conditions.
- Privileges Required (PR): None (N) – the attacker needs no account or privileges.
- User Interaction (UI): None (N) – no user action is required for the attack to succeed.
- Scope (S): Changed (C) – code execution escapes the vulnerable component and affects resources under a different security authority, such as the host from within a guest.
- Confidentiality (C), Integrity (I) and Availability (A): High (H) – the attacker gains full control of the affected data and system.
These inputs give the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H and a Base Score of 10.0 (Critical), indicating that the vulnerability requires immediate action. The same metrics with Scope Unchanged (S:U), the usual case when code execution stays within the vulnerable component, produce the 9.8 (Critical) that many remote code execution advisories carry.
On the other hand, take a less severe example, such as an information disclosure vulnerability in a web application:
- Attack Vector (AV): Network (N) – the vulnerability can be exploited remotely.
- Attack Complexity (AC): High (H) – the exploit depends on conditions outside the attacker's control, such as winning a race or guessing configuration details.
- Privileges Required (PR): Low (L) – the attacker must hold an ordinary user account on the application.
- User Interaction (UI): Required (R) – a victim must perform an action, such as clicking a link.
- Scope (S): Unchanged (U) – the impact is confined to the vulnerable application.
- Confidentiality (C): High (H) – the disclosed data is sensitive; Integrity (I) and Availability (A): None (N) – nothing can be modified or disrupted.
These inputs give the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N and a Base Score of 4.8 (Medium): the vulnerability should be fixed, but it is far less urgent than the critical issue above. Note how heavily the exploitability metrics weigh: with the same confidentiality impact but Low complexity, no privileges and no user interaction, the score rises to 7.5 (High).
By utilizing the CVSS calculator, organizations can consistently determine the severity a vulnerability represents and record the reasoning behind it in the vector string, so that two analysts looking at the same flaw arrive at the same score. This helps teams prioritize which vulnerabilities to address first.
The scores map onto a qualitative rating scale: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9) and Critical (9.0–10.0). A structured process built on these bands, for instance requiring Critical findings to be patched within days and Low ones within the regular maintenance cycle, helps teams allocate resources effectively and focus on the most pressing threats. One caveat: the Base Score should not be the only input to that process, since a 9.8 on an isolated test host can matter less than a 6.5 on an internet-facing system holding customer data. That is exactly what the Environmental metrics, and knowledge of whether an exploit is actually in use, are meant to capture.