
What Is CVSS? Common Vulnerability Scoring System Overview
With so many software vulnerabilities, it can be difficult to properly assess which ones should be your top priority.
Here, we explain what the National Vulnerability Database (NVD) is, what the Common Vulnerability Scoring System (CVSS) is, and how CVSS is used to calculate risk.
Read along or jump to the section that interests you the most:
- What Is NVD?
- What Is CVSS?
- What Are CVSS Metrics?
- What Are The Top 10 Most Exploited Vulnerabilities?
- How SAST Tools Can Identify High-Risk CVSS Vulnerabilities
What Is NVD?
The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data.
This database is synchronized with the CVE list and provides additional content, including how to fix vulnerabilities, severity scores, and impact ratings. In order to calculate severity scores, the Common Vulnerability Scoring System (CVSS) must be used.
What Is CVSS?
The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of software vulnerabilities.
For each vulnerability, CVSS assigns a severity score from 0.0 (the lowest amount of risk) to 10.0 (the highest amount of risk), which enables you to more effectively prioritize remediation of vulnerabilities.
CVSS v3.0 Ratings

| Severity | Base Score Range |
|----------|------------------|
| None     | 0.0              |
| Low      | 0.1 – 3.9        |
| Medium   | 4.0 – 6.9        |
| High     | 7.0 – 8.9        |
| Critical | 9.0 – 10.0       |
To calculate the CVSS base score, you need to input CVSS metrics into the NVD CVSS Calculator. For detailed guidance on how to use the calculator, be sure to refer to the CVSS standards guide.
What Are CVSS Metrics?
The common vulnerability scoring system is made up of three groups of metrics: base, temporal, and environmental.
Base Metrics
Base metrics are divided into two groups: exploitability and impact.
Exploitability Metrics
Exploitability metrics describe the characteristics of the vulnerable software or product that determine how easily the vulnerability can be exploited.
- Attack Vector — Shows how a vulnerability may be exploited.
- Attack Complexity — Refers to how easy or difficult it is to exploit the discovered vulnerability.
- Authentication — Refers to the number of times that an attacker must authenticate to a target to exploit it (a CVSS v2 metric; CVSS v3 replaces it with Privileges Required, below).
- User Interaction (UI) — Refers to the requirement for a human user — other than the attacker — to participate in the successful compromise of the vulnerable component.
- Privileges Required (PR) — Refers to the level of privileges an attacker must possess before successfully exploiting the vulnerability.
Impact Metrics
Impact metrics describe the worst-case consequences for the affected software or product if the vulnerability is successfully exploited.
- Confidentiality — Refers to the impact on the confidentiality of data processed by the system.
- Integrity — Refers to the impact on the integrity of the exploited system.
- Availability — Refers to the impact on the availability of the target system.
Temporal Metrics
Unlike the other CVSS metrics, the value of the temporal metrics changes over the lifetime of the vulnerability, as exploits are developed, disclosed, and automated and as mitigations and fixes become available.
- Exploitability — Refers to the current state of exploitation techniques or automated exploitation code.
- Remediation Level — Refers to the mitigations and official fixes that are currently available for the vulnerability.
- Report Confidence — Refers to the level of confidence in the existence of the vulnerability and the credibility of the technical details for the vulnerability.
Environmental Metrics
The environmental metrics adjust the base and temporal scores to reflect the severity of a vulnerability within your own environment. Note that Collateral Damage Potential and Target Distribution are CVSS v2 environmental metrics; CVSS v3 replaces them with Modified Base Metrics alongside the Security Requirements for confidentiality, integrity, and availability.
- Collateral Damage Potential — Measures the potential loss or impact on either physical assets — such as equipment, hardware, and users — or the financial impact, if the vulnerability is exploited.
- Target Distribution — Measures the proportion of vulnerable systems.
- Impact Subscore Modifier — Measures the specific security requirements for confidentiality, integrity, and availability. This metric enables you to customize the environmental score based upon your environment.
What Are the Top 10 Most Exploited Vulnerabilities?
There are hundreds of vulnerabilities on the CVE list, but these are the top 10 most exploited.
| Vulnerability ID | Vulnerability Summary | CVSS Severity |
|------------------|-----------------------|---------------|
| CVE-2019-19781 | Citrix Application Delivery Controller Vulnerability | 9.8 — Critical |
| CVE-2018-7600 | Drupal Remote Code Execution Vulnerability | 9.8 — Critical |
| CVE-2015-1641 | Microsoft Office Memory Corruption Vulnerability | 9.3 — Critical |
| CVE-2017-8759 | Microsoft .NET Framework Remote Code Execution Vulnerability | 7.8 — High |
| CVE-2018-4878 | Adobe Flash Player Vulnerability | 9.8 — Critical |
| CVE-2017-0143 | SMB Server Vulnerability in Older Versions of Windows and Windows Server | 8.1 — High |
| CVE-2019-0604 | Remote Code Execution Vulnerability in all Modern Versions of SharePoint | 9.8 — Critical |
| CVE-2012-0158 | Microsoft Office Vulnerability | 9.3 — Critical |
| CVE-2017-5638 | Apache Struts Vulnerability | 10.0 — Critical |
| CVE-2017-0199 | Microsoft Office Remote Code Execution | 7.8 — High |
How SAST Tools can Identify High-Risk CVSS Vulnerabilities
A SAST tool, like Klocwork, is the best way to ensure that your code is secure. SAST tools identify and eliminate security vulnerabilities and software defects early on in development. That helps to ensure that your software is secure, reliable, and compliant.
Klocwork helps you:
- Identify and analyze security risks and prioritize them by severity.
- Fulfill compliance standard requirements.
- Apply and enforce coding standards.
- Verify and validate through testing.
- Achieve compliance and get certified faster.
Learn More About How to Enforce Secure Coding Standards
Use Klocwork to Ensure Software Security
See for yourself how Klocwork can help you enforce software security standards. Sign up for our next live demo and see how it works.