What Is CVSS? Common Vulnerability Scoring System Overview
Common Vulnerability Scoring System and the National Vulnerability Database help you to properly assess which software vulnerabilities should be your top priority.
Here, we explain what is the National Vulnerability Database (NVD), what is the Common Vulnerability Scoring System (CVSS), and how CVSS is used to calculate risk.
Read along or jump to the section that interests you the most:
- What Is NVD?
- What Is CVSS?
- What Are CVSS Metrics?
- What Are The Top 10 Most Exploited Vulnerabilities?
- How SAST Tools Identify High-Risk CVSS Vulnerabilities?
➡️ start Your Klocwork Free Trial
What Is NVD?
The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data.
The National Vulnerability Database is synchronized with the CVE list and provides additional content, including how to fix vulnerabilities, severity scores, and impact ratings. In order to calculate severity scores, the Common Vulnerability Scoring System (CVSS) must be used.
What Is CVSS?
The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of software vulnerabilities.
For each vulnerability, the standard assigns a severity score from 0.0 (the lowest amount of risk) to 10.0 (the highest amount of risk), which enables you to more effectively prioritize remediation of vulnerabilities.
CVSS v3.0 Ratings | |
Severity | Base Score Range |
None | 0.0 |
Low | 0.1 – 3.9 |
Medium | 4.0 – 6.9 |
High | 7.0 – 8.9 |
Critical | 9.0 – 10.0 |
To calculate the base score, you need to input CVSS metrics into the NVD CVSS Calculator. For detailed guidance on how to use the calculator, be sure to refer to the CVSS standards guide.
What Are Common Vulnerability Scoring System Metrics?
Common Vulnerability Scoring System is made up of three groups of metrics: base, temporal, and environmental.
Base Metrics
Base metrics are divided into two groups: exploitability and impact.
Exploitability Metrics
Exploitability metrics refer to the characteristics of the piece of software or product that make it vulnerable.
- Attack Vector — Shows how a vulnerability may be exploited.
- Attack Complexity — Refers to how easy or difficult it is to exploit the discovered vulnerability.
- Authentication — Refers to the number of times that an attacker must authenticate to a target to exploit it.
- User Interaction (UI) — Refers to the requirement for a human user — other than the attacker — to participate in the successful compromise of the vulnerable component.
- Privileges Required (PR) — Refers to the level of privileges an attacker must possess before successfully exploiting the vulnerability.
Impact Metrics
Impact metrics deal with the worst-case scenario if the piece of software or product were to be attacked and the effects of a successfully exploited vulnerability.
- Confidentiality — Refers to the impact on the confidentiality of data processed by the system.
- Integrity — Refers to the impact on the integrity of the exploited system.
- Availability — Refers to the impact on the availability of the target system.
Temporal Metrics
Unlike the other CVSS metrics, the value of temporal metrics changes over the lifetime of the vulnerability. This is due to exploits being developed, disclosed, and automated along with mitigations and fixes being made available.
- Exploitability — Refers to the current state of exploitation techniques or automated exploitation code.
- Remediation Level — Refers to the amount of mitigations and official fixes that are available to decrease the number of vulnerabilities.
- Report Confidence — Refers to the level of confidence in the existence of the vulnerability and the credibility of the technical details for the vulnerability.
Environmental Metrics
The environmental metrics use the base metrics score and the temporal metrics score to assess the severity of a vulnerability to the piece of software or product that is currently in development.
- Collateral Damage Potential — Measures the potential loss or impact on either physical assets — such as equipment, hardware, and users — or the financial impact, if the vulnerability is exploited.
- Target Distribution — Measures the proportion of vulnerable systems.
- Impact Subscore Modifier — Measures the specific security requirements for confidentiality, integrity, and availability. This metric enables you to customize the environmental score based upon your environment.
What Are the Top 10 Most Exploited Vulnerabilities?
There are hundreds of vulnerabilities on the CVE list, but these are the top 10 most exploited.
Vulnerability ID | Vulnerability Summary | CVSS Severity |
CVE-2019-19781 | Citrix Application Delivery Controller Vulnerability | 9.8 — Critical |
CVE-2018-7600 | Drupal Remote Code Execution Vulnerability | 9.8 — Critical |
CVE-2015-1641 | Microsoft Office Memory Corruption Vulnerability | 9.3 — Critical |
CVE-2017-8759 | Microsoft .NET Framework Remote Code Execution Vulnerability | 7.8 — High |
CVE-2018-4878 | Adobe Flash Player Vulnerability | 9.8 — Critical |
CVE-2017-0143 | SMB Server Vulnerability in Older Versions of Windows and Windows Server | 8.1 — High |
CVE-2019-0604 | Remote Code Execution Vulnerability in all Modern Versions of Sharepoint | 9.8 — Critical |
CVE-2012-0158 | Microsoft Office Vulnerability | 9.3 — Critical |
CVE-2017-5638 | Apache Struts Vulnerability | 10.0 — Critical |
CVE-2017-0199 | Microsoft Office Remote Code Execution | 7.8 — High |
How SAST Tools Identify High-Risk CVSS Vulnerabilities
A SAST tool, like Klocwork, is the best way to ensure that your code is secure. SAST tools identify and eliminate security vulnerabilities and software defects early on in development. That helps to ensure that your software is secure, reliable, and compliant.
Klocwork helps you:
- Identify and analyze security risks and prioritize severity.
- Fulfill compliance standard requirements.
- Apply and enforce coding standards, including CWE, CERT C/CERT C++, and OWASP/OWASP Top 10.
- Verify and validate through testing.
- Achieve compliance and get certified faster.
📕 Related Content: Visit the SAST tutorial for additional resources.
Use Klocwork to Ensure Software Security
See for yourself how Klocwork can help you enforce software security standards. Sign up for our on-demand demo and see how it works.