
Common Vulnerability Scoring System: Facts To Note


The Common Vulnerability Scoring System (CVSS) is a risk assessment tool that is designed to convey the common attributes and severity of vulnerabilities in computer hardware and software systems. The third revision, CVSS 3.0, is a vendor-neutral, industry-standard, open framework for weighting the risks of a vulnerability using a variety of metrics. These weights combine to provide a score of the risk inherent in a vulnerability. The numeric score can be used to determine the urgency of the vulnerability, and the priority of addressing it. The benefits of the CVSS can be summarized as follows:

  • It provides standardized vulnerability scores that should be meaningful across organizations.
  • It provides an open framework with the meaning of each metric openly available to all users.
  • It helps prioritize risk in a way that is meaningful to individual organizations.


The Forum of Incident Response and Security Teams (FIRST) has been designated as the custodian of the CVSS to promote its adoption globally. The Version 3 standard was developed with contributions by Cisco and other industry partners. Version 3.1 was released in June of 2019. The figure displays the specification page for the CVSS at the FIRST website.


[Figure: screenshot of the specification page for CVSS at the Forum of Incident Response and Security Teams (FIRST) website]

CVSS Metric Groups

Before performing a CVSS assessment, it is important to know key terms that are used in the assessment instrument.
Many of the metrics address the role of what the CVSS calls an authority. An authority is a computer entity, such as a database, operating system, or virtual sandbox, that grants and manages access and privileges to users.
[Figure: CVSS Metric Groups. Three boxes are shown side by side. The first box, on the left, is titled Base Metric Group and has two columns: Exploitability metrics (attack vector, attack complexity, privileges required, and user interaction) and Impact metrics (confidentiality impact, integrity impact, and availability impact), with Scope spanning both columns at the bottom. The second box, in the middle, is titled Temporal Metric Group and contains three items: exploit code maturity, remediation level, and report confidence. The third box, at the right, contains four items: Modified Base Metrics, confidentiality requirement, integrity requirement, and availability requirement.]

The Base Metric Group represents the characteristics of a vulnerability that are constant over time and across contexts. It has two classes of metrics:

  • Exploitability – These are features of the exploit such as the vector, complexity, and user interaction required by the exploit.
  • Impact metrics – The impacts of the exploit are rooted in the CIA triad of confidentiality, integrity, and availability.

CVSS Base Metric Group

| Criteria | Description |
|---|---|
| Attack vector | This is a metric that reflects the proximity of the threat actor to the vulnerable component. The more remote the threat actor is to the component, the higher the severity. Threat actors close to your network or inside your network are easier to detect and mitigate. |
| Attack complexity | This is a metric that expresses the number of components, software, hardware, or networks, that are beyond the attacker’s control and that must be present for a vulnerability to be successfully exploited. |
| Privileges required | This is a metric that captures the level of access that is required for a successful exploit of the vulnerability. |
| User interaction | This metric expresses the presence or absence of the requirement for user interaction for an exploit to be successful. |
| Scope | This metric expresses whether multiple authorities must be involved in an exploit. This is expressed as whether the initial authority changes to a second authority during the exploit. |

The Base Metric Group Impact metrics increase with the degree or consequence of loss due to the impacted component. The table lists the impact metric components.

| Term | Description |
|---|---|
| Confidentiality Impact | This is a metric that measures the impact to confidentiality due to a successfully exploited vulnerability. Confidentiality refers to the limiting of access to only authorized users. |
| Integrity Impact | This is a metric that measures the impact on integrity due to a successfully exploited vulnerability. Integrity refers to the trustworthiness and authenticity of the information. |
| Availability Impact | This is a metric that measures the impact to availability due to a successfully exploited vulnerability. Availability refers to the accessibility of information and network resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability. |

The CVSS Process

The CVSS Base Metrics Group is designed as a way to assess security vulnerabilities that are found in software and hardware systems. It describes the severity of a vulnerability based on the characteristics of a successful exploit of the vulnerability. The other metric groups modify the base severity score by accounting for how the base severity rating is affected by time and environmental factors.
The CVSS process uses a tool called the CVSS v3.1 Calculator, shown in the figure.
[Figure: screenshot of the CVSS v3.1 Calculator]
The calculator is like a questionnaire in which choices are made that describe the vulnerability for each metric group. After all choices are made, a score is generated. Pop-up text that explains each metric and metric value is displayed by hovering the mouse over each. Choices are made by choosing one of the values for the metric. Only one choice can be made per metric.
The CVSS calculator can be accessed on the CVSS portion of the FIRST website.
A detailed user guide that defines metric criteria, examples of assessments of common vulnerabilities, and the relationship of metric values to the final score is available to support the process.
After the Base Metric group is completed, the numeric severity rating is displayed, as shown in the figure.
[Figure: screenshot of the CVSS v3.1 Calculator base score screen, which shows the base score after the choices are made on the calculator screen]
A vector string is also created that summarizes the choices made. If other metric groups are completed, those values are appended to the vector string.
The string consists of the initial(s) for the metric, and an abbreviated value for the selected metric value separated by a colon. The metric-value pairs are separated by slashes. The vector strings allow the results of the assessment to be easily shared and compared.
The table lists the key for the Base Metric group.

| Metric Name | Initials | Possible Values | Values |
|---|---|---|---|
| Attack Vector | AV | [N, A, L, P] | N = Network, A = Adjacent, L = Local, P = Physical |
| Attack Complexity | AC | [L, H] | L = Low, H = High |
| Privileges Required | PR | [N, L, H] | N = None, L = Low, H = High |
| User Interaction | UI | [N, R] | N = None, R = Required |
| Scope | S | [U, C] | U = Unchanged, C = Changed |
| Confidentiality Impact | C | [H, L, N] | H = High, L = Low, N = None |
| Integrity Impact | I | [H, L, N] | H = High, L = Low, N = None |
| Availability Impact | A | [H, L, N] | H = High, L = Low, N = None |

The values for the numeric severity rating string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N are listed in the table.

| Metric Name | Values |
|---|---|
| Attack Vector, AV | Network |
| Attack Complexity, AC | Low |
| Privileges Required, PR | High |
| User Interaction, UI | None |
| Scope, S | Unchanged |
| Confidentiality Impact, C | Low |
| Integrity Impact, I | Low |
| Availability Impact, A | None |

In order for a score to be calculated for the Temporal or Environmental metric groups, the Base Metric group must first be completed. The Temporal and Environmental metric values then modify the Base Metric results to provide an overall score.
[Figure: the interaction of scores for the metric groups. At the top left of the graphic are the Base Metric Group Metrics, set by vendor: once set doesn’t change. An arrow connects the Metrics to a cloud representing the base formula. An arrow points from the cloud to a circle representing the base score. On the left, under the Base Metric Group is the Temporal Metric Group, set by vendor: once set, changes with time. An arrow connects the Temporal Metric Group Metrics to another cloud, representing the temporal formula. The temporal formula uses the Temporal Metrics and the Base Score to create the Temporarily Adjusted Score. On the left, under the Temporal Metric Group, are the Environmental Metric Group Metrics, optionally set by end-users. An arrow connects the Environmental Metric Group metrics to a cloud representing the Environmental Formula. The Environmental Formula uses the Environmental Metric Group Metrics and the Temporarily Adjusted score to create the Environmentally Adjusted Score.]

CVSS Reports

The ranges of scores and the corresponding qualitative meanings are shown in the table.

| Rating | CVSS Score |
|---|---|
| None | 0 |
| Low | 0.1 – 3.9 |
| Medium | 4.0 – 6.9 |
| High | 7.0 – 8.9 |
| Critical | 9.0 – 10.0 |

Frequently, the Base and Temporal metric group scores will be supplied to customers by the application or security vendor in whose product the vulnerability has been discovered. The affected organization completes the environmental metric group to tailor the vendor-supplied scoring to the local context.

The resulting score serves to guide the affected organization in the allocation of resources to address the vulnerability. The higher the severity rating, the greater the potential impact of an exploit and the greater the urgency in addressing the vulnerability. While not as precise as the numeric CVSS scores, the qualitative labels are very useful for communicating with stakeholders who are unable to relate to the numeric scores.

In general, any vulnerability that exceeds 3.9 should be addressed. The higher the rating level, the greater the urgency for remediation.
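
As an added example (not part of the original article and not FIRST's own code), the following Python sketch parses a base vector string in the format described above, computes the base score, and maps it to the qualitative rating table. The numeric weights and formulas are taken from the FIRST CVSS v3.1 specification rather than from this page, the function names are illustrative, and Temporal and Environmental metrics are not handled.

```python
import math

# Metric initials/values follow the base key table; weights are from the FIRST v3.1 spec.
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
    "UI": {"N": 0.85, "R": 0.62},
    "S": {"U": None, "C": None},  # Scope selects a formula; it has no weight
    "C": CIA, "I": CIA, "A": CIA,
}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}  # PR weights when Scope is Changed

def parse_vector(vector):
    """Split 'CVSS:3.1/AV:N/...' into {initials: value}; reject anything malformed."""
    prefix, *pairs = vector.strip().split("/")
    if prefix != "CVSS:3.1":
        raise ValueError(f"unsupported prefix: {prefix!r}")
    metrics = {}
    for pair in pairs:
        name, _, value = pair.partition(":")
        if name in metrics or value not in WEIGHTS.get(name, {}):
            raise ValueError(f"bad, duplicate or non-base metric: {pair!r}")
        metrics[name] = value
    if len(metrics) != len(WEIGHTS):
        raise ValueError("all eight base metrics are required")
    return metrics

def roundup(x):  # round up to one decimal using the spec's integer method
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(vector):
    m = parse_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - math.prod(1 - CIA[m[k]] for k in "CIA")
    impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15) if changed else 6.42 * iss
    if impact <= 0:
        return 0.0  # no impact on C, I or A means a score of 0
    pr = (PR_CHANGED if changed else WEIGHTS["PR"])[m["PR"]]
    expl = 8.22 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]] * pr * WEIGHTS["UI"][m["UI"]]
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def rating(score):  # qualitative rating table from the CVSS Reports section
    for label, low in (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1)):
        if score >= low:
            return label
    return "None"
```

For the vector string used earlier, `base_score("CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N")` returns 3.8, which `rating` maps to Low.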

Other Vulnerability Information Sources

There are other important vulnerability information sources. These work together with the CVSS to provide a comprehensive assessment of vulnerability severity. There are two systems that operate in the United States:
Common Vulnerabilities and Exposures (CVE)
This is a dictionary of common names, in the form of CVE identifiers, for known cybersecurity vulnerabilities. The CVE identifier provides a standard way to research a reference to vulnerabilities. When a vulnerability has been identified, CVE identifiers can be used to access fixes. In addition, threat intelligence services use CVE identifiers, and they appear in various security system logs. The CVE Details website provides a linkage between CVSS scores and CVE information. It allows browsing of CVE vulnerability records by CVSS severity rating.
Search the internet for Mitre for more information on CVE as shown in the figure.
[Figure: screenshot of the CVE screen at Mitre.org]
National Vulnerability Database (NVD)
This utilizes CVE identifiers and supplies additional information on vulnerabilities such as CVSS threat scores, technical details, affected entities, and resources for further investigation. The database was created and is maintained by the U.S. government National Institute of Standards and Technology (NIST) agency.
[Figure: screenshot of the National Vulnerability Database (NVD) search screen]