What Is CVSS?

CVSS (Common Vulnerability Scoring System) is a standardized framework for rating the severity of security vulnerabilities. It provides a numerical score that helps organizations prioritize their vulnerability management efforts and make informed decisions about which vulnerabilities to address first.

Understanding CVSS

CVSS is maintained by the Forum of Incident Response and Security Teams (FIRST) and provides a way to assess and communicate the characteristics and severity of software vulnerabilities. The system produces a numerical score that represents the overall severity of a vulnerability, ranging from 0.0 (no severity) to 10.0 (critical severity).

CVSS Scoring System

CVSS v3.x uses three metric groups to calculate a vulnerability's score (CVSS v4.0, published in 2023, renames the Temporal group to Threat and adds a Supplemental group, but the v3.x layout below is still what most scanner output and NVD entries carry):

Base Score Metrics

These metrics represent the intrinsic characteristics of a vulnerability that are constant over time and across user environments:

  • Attack Vector (AV): How the vulnerability can be exploited (Network, Adjacent, Local, Physical)
  • Attack Complexity (AC): Conditions beyond the attacker’s control that must exist for exploitation
  • Privileges Required (PR): Level of privileges an attacker must possess before successfully exploiting the vulnerability
  • User Interaction (UI): Whether the vulnerability requires a user to take some action
  • Scope (S): Whether a successful attack impacts resources beyond the security authority of the vulnerable component (Unchanged, Changed); this metric exists only in v3.x
  • Confidentiality Impact (C): Impact on the confidentiality of information
  • Integrity Impact (I): Impact on the integrity of information
  • Availability Impact (A): Impact on the availability of the affected system

Temporal Score Metrics

These metrics change over time as the vulnerability ages:

  • Exploit Code Maturity (E): Whether exploit code exists and how reliable it is (Unproven, Proof-of-Concept, Functional, High)
  • Remediation Level (RL): What kind of fix is available (Official Fix, Temporary Fix, Workaround, Unavailable)
  • Report Confidence (RC): How certain it is that the vulnerability exists and that its technical details are accurate (Unknown, Reasonable, Confirmed)

Environmental Score Metrics

These metrics are specific to a user’s environment:

  • Confidentiality Requirement (CR): Importance of confidentiality in the affected system
  • Integrity Requirement (IR): Importance of integrity in the affected system
  • Availability Requirement (AR): Importance of availability in the affected system
  • Modified Base Metrics: Any modifications to the base metrics based on the environment

CVSS Score Ranges

CVSS scores are categorized into severity levels:

  • 0.0: None
  • 0.1-3.9: Low
  • 4.0-6.9: Medium
  • 7.0-8.9: High
  • 9.0-10.0: Critical

Example CVSS Calculation

For a vulnerability with the following characteristics:

  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Scope: Changed (S:C)
  • Confidentiality Impact: High (C:H)
  • Integrity Impact: High (I:H)
  • Availability Impact: High (A:H)

This is the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, and it produces a CVSS Base Score of 10.0 (Critical): with Scope Changed, the sum of the impact and exploitability sub-scores is multiplied by 1.08 and capped at 10. The same metrics with Scope Unchanged (S:U) score 9.8, the familiar score of most critical unauthenticated remote code execution findings. Record the vector string alongside the number; the number alone cannot be audited or re-scored for your environment.

CVSS vs. CVE

While CVSS and CVE are related, they serve different purposes:

  • CVE (Common Vulnerabilities and Exposures): Provides a unique identifier for a specific vulnerability
  • CVSS: Provides a standardized way to score and communicate the severity of that vulnerability

The CVE record itself only identifies the issue; a CVSS score is attached either by the CNA in the record or by NVD during enrichment, and the two can differ. Record the vector string you relied on rather than just the number, since the vector is what lets you re-score the finding for your own environment.

Using CVSS in Vulnerability Management

Prioritization

CVSS scores help organizations prioritize which vulnerabilities to address first:

  • Critical (9.0-10.0): Immediate attention required
  • High (7.0-8.9): Address within days to weeks
  • Medium (4.0-6.9): Address within weeks to months
  • Low (0.1-3.9): Address as resources permit

Risk Assessment

CVSS scores can be used in risk assessments to:

  • Determine the potential impact of vulnerabilities
  • Allocate resources for remediation efforts
  • Communicate risk to stakeholders
  • Comply with security frameworks and regulations

Integration with Security Tools

Many security tools and platforms integrate CVSS scoring to:

  • Automatically prioritize vulnerabilities in scan results
  • Generate risk reports
  • Trigger automated workflows based on severity
  • Provide dashboards and metrics

CVSS in Service Mesh and Cloud-Native Security

In the context of service mesh and cloud-native applications, CVSS is particularly important because:

Microservices Complexity

  • Multiple services increase the attack surface
  • Vulnerabilities in one service can affect others
  • CVSS helps prioritize which service vulnerabilities to address first

Container Security

  • Container images may contain multiple vulnerabilities
  • CVSS scores help determine which containers to update first
  • Integration with container scanning tools provides automated prioritization

Zero Trust Architecture

  • CVSS scores inform access control decisions
  • High-severity vulnerabilities may require additional security measures
  • Helps maintain the principle of “never trust, always verify”

Best Practices for Using CVSS

1. Don’t Rely Solely on CVSS Scores

  • Consider your specific environment and context: use the Environmental metrics to adjust the base score for how the component is actually deployed
  • Factor in business impact and asset criticality
  • Remember that CVSS measures severity, not the likelihood of exploitation; pair it with exploitation data such as FIRST's EPSS or CISA's Known Exploited Vulnerabilities catalog
  • Use CVSS as one input in your risk assessment

2. Regular Updates

  • CVSS scores may change over time as new information becomes available
  • Regularly review and update vulnerability assessments
  • Monitor for changes in exploit availability and remediation status

3. Integration with Other Frameworks

  • Combine CVSS with other security frameworks (NIST, ISO 27001, etc.)
  • Use CVSS scores in compliance reporting
  • Integrate with your overall security program

4. Communication

  • Use CVSS scores to communicate risk to stakeholders
  • Provide context for non-technical audiences
  • Include CVSS scores in security reports and dashboards
