October 16, 2020

CVSS: Common Vulnerability Scoring System Overview

Security & Compliance
Static Analysis

By

Common Vulnerability Scoring System and the National Vulnerability Database help you to properly assess which software vulnerabilities should be your top priority.

Here, we explain what is the National Vulnerability Database (NVD), what is the Common Vulnerability Scoring System (CVSS), and how CVSS is used to calculate risk.

Read along or jump to the section that interests you the most:

➡️ efficiently identify high-risk vulnerabilities

What Is NVD?

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data.

The National Vulnerability Database is synchronized with the CVE list and provides additional content, including how to fix vulnerabilities, severity scores, and impact ratings. In order to calculate severity scores, the Common Vulnerability Scoring System (CVSS) must be used.

What Is CVSS?

The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of software vulnerabilities.

For each vulnerability, the standard assigns a severity score from 0.0 (the lowest amount of risk) to 10.0 (the highest amount of risk), which enables you to more effectively prioritize remediation of vulnerabilities.

CVSS v3.0 Ratings

Severity

Base Score Range

None

0.0

Low

0.1 – 3.9

Medium

4.0 – 6.9

High

7.0 – 8.9

Critical

9.0 – 10.0

To calculate the base score, you need to input CVSS metrics into the NVD CVSS Calculator. For detailed guidance on how to use the calculator, be sure to refer to the CVSS standards guide.

What Are Common Vulnerability Scoring System Metrics?

Common Vulnerability Scoring System is made up of three groups of metrics: base, temporal, and environmental.

Base Metrics

Base metrics are divided into two groups: exploitability and impact.

Exploitability Metrics

Exploitability metrics refer to the characteristics of the piece of software or product that make it vulnerable.

  • Attack Vector — Shows how a vulnerability may be exploited.
  • Attack Complexity — Refers to how easy or difficult it is to exploit the discovered vulnerability.
  • Authentication — Refers to the number of times that an attacker must authenticate to a target to exploit it.
  • User Interaction (UI) — Refers to the requirement for a human user — other than the attacker — to participate in the successful compromise of the vulnerable component.
  • Privileges Required (PR) — Refers to the level of privileges an attacker must possess before successfully exploiting the vulnerability.

Impact Metrics

Impact metrics deal with the worst-case scenario if the piece of software or product were to be attacked and the effects of a successfully exploited vulnerability.

  • Confidentiality — Refers to the impact on the confidentiality of data processed by the system.
  • Integrity — Refers to the impact on the integrity of the exploited system.
  • Availability — Refers to the impact on the availability of the target system.

Temporal Metrics

Unlike the other CVSS metrics, the value of temporal metrics changes over the lifetime of the vulnerability. This is due to exploits being developed, disclosed, and automated along with mitigations and fixes being made available.

  • Exploitability — Refers to the current state of exploitation techniques or automated exploitation code.
  • Remediation Level — Refers to the amount of mitigations and official fixes that are available to decrease the number of vulnerabilities.
  • Report Confidence — Refers to the level of confidence in the existence of the vulnerability and the credibility of the technical details for the vulnerability.

Environmental Metrics

The environmental metrics use the base metrics score and the temporal metrics score to assess the severity of a vulnerability to the piece of software or product that is currently in development.

  • Collateral Damage Potential — Measures the potential loss or impact on either physical assets — such as equipment, hardware, and users — or the financial impact, if the vulnerability is exploited.
  • Target Distribution — Measures the proportion of vulnerable systems.
  • Impact Subscore Modifier — Measures the specific security requirements for confidentiality, integrity, and availability. This metric enables you to customize the environmental score based upon your environment.

What Are the Top 10 Most Exploited Vulnerabilities?

There are hundreds of vulnerabilities on the CVE list, but these are the top 10 most exploited.

Vulnerability ID

Vulnerability Summary

CVSS Severity

CVE-2019-19781

Citrix Application Delivery Controller Vulnerability

9.8 — Critical

CVE-2018-7600

Drupal Remote Code Execution Vulnerability

9.8 — Critical

CVE-2015-1641

Microsoft Office Memory Corruption Vulnerability

9.3 — Critical

CVE-2017-8759

Microsoft .NET Framework Remote Code Execution Vulnerability

7.8 — High

CVE-2018-4878

Adobe Flash Player Vulnerability

9.8 — Critical

CVE-2017-0143

SMB Server Vulnerability in Older Versions of Windows and Windows Server

8.1 — High

CVE-2019-0604

Remote Code Execution Vulnerability in all Modern Versions of Sharepoint

9.8 — Critical

CVE-2012-0158

Microsoft Office Vulnerability

9.3 — Critical

CVE-2017-5638

Apache Struts Vulnerability

10.0 — Critical

CVE-2017-0199

Microsoft Office Remote Code Execution

7.8 — High

How SAST Tools Identify High-Risk CVSS Vulnerabilities

A SAST tool, like Klocwork, is the best way to ensure that your code is secure. SAST tools identify and eliminate security vulnerabilities and software defects early on in development. That helps to ensure that your software is secure, reliable, and compliant.

Klocwork helps you:

  • Identify and analyze security risks and prioritize severity.
  • Fulfill compliance standard requirements.
  • Apply and enforce coding standards, including CWE, CERT C/CERT C++, and OWASP/OWASP Top 10.
  • Verify and validate through testing.
  • Achieve compliance and get certified faster.
📕 Related Content: Visit the SAST tutorial for additional resources.

 

Use Klocwork to Ensure Software Security

See for yourself how Klocwork can help you enforce software security standards, register for a free trial.

➡️ Register for Klocwork free trial

Stuart Foster Headshot — 250x250

Stuart Foster

Klocwork and Helix QAC Product Manager, Perforce

Stuart Foster has over 10 years of experience in mobile and software development. He has managed product development of consumer apps and enterprise software. Currently, he manages Klocwork and Helix QAC, Perforce’s market-leading code quality management solutions. He believes in developing products, features, and functionality that fit customer business needs and helps developers produce secure, reliable, and defect-free code. Stuart holds a bachelor’s degree in information technology, interactive multimedia and design from Carleton University, and an advanced diploma in multimedia design from the Algonquin College of Applied Arts and Technology.