Common Vulnerability Scoring System

Standard for assessing computer system vulnerabilities

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate the ease and impact of an exploit. Scores range from 0 to 10, with 10 being the most severe. While many use only the CVSS Base score for determining severity, Temporal and Environmental scores also exist, to factor in the availability of mitigations and how widespread vulnerable systems are within an organization, respectively.

The current version of CVSS (CVSSv4.0) was released in November 2023.

CVSS is not intended to be used as a method for patch management prioritization, but is used like that regardless.

History

Research by the National Infrastructure Advisory Council (NIAC) in 2003/2004 led to the launch of CVSS version 1 (CVSSv1) in February 2005, with the goal of being "designed to provide open and universally standard severity ratings of software vulnerabilities". This initial draft had not been subject to peer review or review by other organizations. In April 2005, NIAC selected the Forum of Incident Response and Security Teams (FIRST) to become the custodian of CVSS for future development.

Feedback from vendors using CVSSv1 in production suggested there were "significant issues with the initial draft of CVSS". Work on CVSS version 2 (CVSSv2) began in April 2005, with the final specification being launched in June 2007.

Further feedback resulted in work beginning on CVSS version 3 in 2012, ending with CVSSv3.0 being released in June 2015.

Terminology

The CVSS assessment measures three areas of concern:

base metrics for qualities intrinsic to a vulnerability,
temporal metrics for characteristics that evolve over the lifetime of a vulnerability, and
environmental metrics for vulnerabilities that depend on a particular implementation or environment.

A numerical score is generated for each of these metric groups. A vector string (or simply "vector" in CVSSv2) represents the values of all the metrics as a block of text.

Version 2

Complete documentation for CVSSv2 is available from FIRST. A summary is provided below.

Base metrics

Access Vector

The access vector (AV) shows how a vulnerability may be exploited.

Local (L): The attacker must either have physical access to the vulnerable system (e.g. firewire attacks) or a local account (e.g. a privilege escalation attack).
Adjacent Network (A): The attacker must have access to the broadcast or collision domain of the vulnerable system (e.g. Bluetooth attacks).
Network (N): The vulnerable interface is working at layer 3 or above of the OSI network stack. These types of vulnerabilities are often described as remotely exploitable (e.g. a remote buffer overflow in a network service).

Access Complexity

The access complexity (AC) metric describes how easy or difficult it is to exploit the discovered vulnerability.

High (H): Specialised conditions exist, such as a race condition with a narrow window, or a requirement for social engineering methods that would be readily noticed by knowledgeable people.
Medium (M): There are some additional requirements for the attack, such as a limit on the origin of the attack, or a requirement for the vulnerable system to be running with an uncommon, non-default configuration.
Low (L): There are no special conditions for exploiting the vulnerability, such as when the system is available to large numbers of users, or the vulnerable configuration is ubiquitous.

Authentication

The authentication (Au) metric describes the number of times that an attacker must authenticate to a target to exploit it. It does not include (for example) authentication to a network in order to gain access. For locally exploitable vulnerabilities, this value should only be set to Single or Multiple if further authentication is required after initial access.

Multiple (M): Exploitation of the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time.
Single (S): The attacker must authenticate once in order to exploit the vulnerability.
None (N): There is no requirement for the attacker to authenticate.

Impact metrics

Confidentiality

The confidentiality (C) metric describes the impact on the confidentiality of data processed by the system.

None (N): There is no impact on the confidentiality of the system.
Partial (P): There is considerable disclosure of information, but the scope of the loss is constrained such that not all of the data is available.
Complete (C): There is total information disclosure, providing access to any / all data on the system. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.

Integrity

The integrity (I) metric describes the impact on the integrity of the exploited system.

None (N): There is no impact on the integrity of the system.
Partial (P): Modification of some data or system files is possible, but the scope of the modification is limited.
Complete (C): There is total loss of integrity; the attacker can modify any files or information on the target system.

Availability

The availability (A) metric describes the impact on the availability of the target system. Attacks that consume network bandwidth, processor cycles, memory, or any other resources affect the availability of a system.

None (N): There is no impact on the availability of the system.
Partial (P): There is reduced performance or loss of some functionality.
Complete (C): There is total loss of availability of the attacked resource.

Calculations

These six metrics are used to calculate the exploitability and impact sub-scores of the vulnerability. These sub-scores are used to calculate the overall base score.

{\textsf{Exploitability}} = 20 \times {\textsf{AccessVector}} \times {\textsf{AccessComplexity}} \times {\textsf{Authentication}}

{\textsf{Impact}} = 10.41 \times (1 - (1 - {\textsf{ConfImpact}}) \times (1 - {\textsf{IntegImpact}}) \times (1 - {\textsf{AvailImpact}}))

f({\textsf{Impact}}) = \begin{cases} 0, & \text{if } {\textsf{Impact}} = 0 \\ 1.176, & \text{otherwise} \end{cases}

{\textsf{BaseScore}} = {\textsf{roundTo1Decimal}}(((0.6 \times {\textsf{Impact}}) + (0.4 \times {\textsf{Exploitability}}) - 1.5) \times f({\textsf{Impact}}))

The metrics are concatenated to produce the CVSS Vector for the vulnerability.

Example

A buffer overflow vulnerability affects web server software that allows a remote user to gain partial control of the system, including the ability to cause it to shut down:

Access Vector, Network: The vulnerability may be accessed from any network that can access the target system, typically the whole of the internet.
Access Complexity, Low: There are no special requirements for access.
Authentication, None: There is no requirement for authentication in order to exploit the vulnerability.
Confidentiality, Partial: The attacker can read some files and data on the system.
Integrity, Partial: The attacker can alter some files and data on the system.
Availability, Complete: The attacker can cause the system and web service to become unavailable / unresponsive by shutting the system down.

This would give an exploitability sub-score of 10, and an impact sub-score of 8.5, giving an overall base score of 9.0. The vector for the base score in this case would be AV:N/AC:L/Au:N/C:P/I:P/A:C. The score and vector are normally presented together to allow the recipient to fully understand the nature of the vulnerability and to calculate their own environmental score if necessary.

Temporal metrics

The value of temporal metrics changes over the lifetime of the vulnerability, as exploits are developed, disclosed and automated and as mitigations and fixes are made available.

Exploitability

The exploitability (E) metric describes the current state of exploitation techniques or automated exploitation code.

Unproven (U): No exploit code is available, or the exploit is theoretical.
Proof-of-concept (P): Proof-of-concept exploit code or demonstration attacks are available, but not practical for widespread use. Not functional against all instances of the vulnerability.
Functional (F): Functional exploit code is available, and works in most situations where the vulnerability is present.
High (H): The vulnerability can be exploited by automated code, including mobile code (such as a worm or virus).
Not Defined (ND): This is a signal to ignore this score.

Remediation Level

The remediation level (RL) of a vulnerability allows the temporal score of a vulnerability to decrease as mitigations and official fixes are made available.

Official Fix (O): A complete vendor solution is available, either a patch or an upgrade.
Temporary Fix (T): There is an official but temporary fix / mitigation available from the vendor.
Workaround (W): There is an unofficial, non-vendor solution or mitigation available, perhaps developed or suggested by users of the affected product or another third party.
Unavailable (U): There is no solution available, or it is impossible to apply a suggested solution. This is the usual initial state of the remediation level when a vulnerability is identified.
Not Defined (ND): This is a signal to ignore this score.

Report Confidence

The report confidence (RC) of a vulnerability measures the level of confidence in the existence of the vulnerability and also the credibility of the technical details of the vulnerability.

Unconfirmed (UC): A single unconfirmed source, or multiple conflicting sources. Rumored vulnerability.
Uncorroborated (UR): Multiple sources that broadly agree; there may be a level of remaining uncertainty about the vulnerability.
Confirmed (C): Acknowledged and confirmed by the vendor or manufacturer of the affected product.
Not Defined (ND): This is a signal to ignore this score.

Calculations

These three metrics are used in conjunction with the base score that has already been calculated to produce the temporal score for the vulnerability with its associated vector.

The formula used to calculate the temporal score is:

{\textsf{TemporalScore}} = {\textsf{roundTo1Decimal}}({\textsf{BaseScore}} \times {\textsf{Exploitability}} \times {\textsf{RemediationLevel}} \times {\textsf{ReportConfidence}})

Example

To continue with the example above, if the vendor was first informed of the vulnerability by a posting of proof-of-concept code to a mailing list, the initial temporal score would be calculated using the values shown below:

Exploitability, Proof-of-concept: Proof-of-concept, non-automated code is provided to show basic exploit functionality.
Remediation Level, Unavailable: The vendor has not yet had the opportunity to provide a mitigation or fix.
Report Confidence, Unconfirmed: There has been a single report of the vulnerability.

This would give a temporal score of 7.3, with a temporal vector of E:P/RL:U/RC:UC (or a full vector of AV:N/AC:L/Au:N/C:P/I:P/A:C/E:P/RL:U/RC:UC).

If the vendor then confirms the vulnerability, the score rises to 8.1, with a temporal vector of E:P/RL:U/RC:C.

A temporary fix from the vendor would reduce the score back to 7.3 (E:P/RL:T/RC:C), while an official fix would reduce it further to 7.0 (E:P/RL:O/RC:C). As it is not possible to be confident that every affected system has been fixed or patched, the temporal score cannot reduce below a certain level based on the vendor's actions, and may increase if an automated exploit for the vulnerability is developed.

Environmental metrics

The environmental metrics use the base and current temporal score to assess the severity of a vulnerability in the context of the way that the vulnerable product or software is deployed. This measure is calculated subjectively, typically by affected parties.

Collateral Damage Potential

The collateral damage potential (CDP) metric measures the potential loss or impact on either physical assets such as equipment (and lives), or the financial impact upon the affected organisation if the vulnerability is exploited.

None (N): No potential for loss of property, revenue or productivity.
Low (L): Slight damage to assets, or minor loss of revenue or productivity.
Low-Medium (LM): Moderate damage or loss.
Medium-High (MH): Significant damage or loss.
High (H): Catastrophic damage or loss.
Not Defined (ND): This is a signal to ignore this score.

Target Distribution

The target distribution (TD) metric measures the proportion of vulnerable systems in the environment.

None (N): No target systems exist, or they only exist in laboratory settings.
Low (L): 1–25% of systems at risk.
Medium (M): 26–75% of systems at risk.
High (H): 76–100% of systems at risk.
Not Defined (ND): This is a signal to ignore this score.

Impact Subscore Modifier

Three further metrics assess the specific security requirements for confidentiality (CR), integrity (IR) and availability (AR), allowing the environmental score to be fine-tuned according to the users' environment.

Low (L): Loss of (confidentiality / integrity / availability) is likely to have only a limited effect on the organisation.
Medium (M): Loss of (confidentiality / integrity / availability) is likely to have a serious effect on the organisation.
High (H): Loss of (confidentiality / integrity / availability) is likely to have a catastrophic effect on the organisation.
Not Defined (ND): This is a signal to ignore this score.

Calculations

The five environmental metrics are used in conjunction with the previously assessed base and temporal metrics to calculate the environmental score and to produce the associated environmental vector.

{\textsf{AdjustedImpact}} = \min(10, 10.41 \times (1 - (1 - {\textsf{ConfImpact}} \times {\textsf{ConfReq}}) \times (1 - {\textsf{IntegImpact}} \times {\textsf{IntegReq}}) \times (1 - {\textsf{AvailImpact}} \times {\textsf{AvailReq}})))

{\textsf{AdjustedTemporal}} = {\textsf{TemporalScore}} \text{ recomputed with the } {\textsf{BaseScore}} \text{'s } {\textsf{Impact}} \text{ sub-equation replaced with the } {\textsf{AdjustedImpact}} \text{ equation}

{\textsf{EnvironmentalScore}} = {\textsf{roundTo1Decimal}}(({\textsf{AdjustedTemporal}} + (10 - {\textsf{AdjustedTemporal}}) \times {\textsf{CollateralDamagePotential}}) \times {\textsf{TargetDistribution}})

Example

If the aforementioned vulnerable web server were used by a bank to provide online banking services, and a temporary fix was available from the vendor, then the environmental score could be assessed as:

Collateral Damage Potential, Medium-High: This value would depend on what information the attacker is able to access if a vulnerable system is exploited. In this case I am assuming that some personal banking information is available, therefore there is a significant reputational impact on the bank.
Target Distribution, High: All of the bank's web servers run the vulnerable software.
Confidentiality Requirement, High: Customers expect their banking information to be confidential.
Integrity Requirement, High: Financial and personal information should not be changeable without authorization.
Availability Requirement, Low: Unavailability of online banking services is likely to be an inconvenience for customers, but not catastrophic.

This would give an environmental score of 8.2, and an environmental vector of CDP:MH/TD:H/CR:H/IR:H/AR:L. This score is within the range 7.0-10.0, and therefore constitutes a critical vulnerability in the context of the affected bank's business.

Criticism of Version 2

Several vendors and organizations expressed dissatisfaction with CVSSv2.

Risk Based Security, which manages the Open Source Vulnerability Database, and the Open Security Foundation jointly published a public letter to FIRST regarding the shortcomings and failures of CVSSv2. The authors cited a lack of granularity in several metrics, which results in CVSS vectors and scores that do not properly distinguish vulnerabilities of different types and risk profiles. The CVSS scoring system was also noted as requiring too much knowledge of the exact impact of the vulnerability.

Oracle introduced the new metric value of "Partial+" for Confidentiality, Integrity, and Availability, to fill perceived gaps in the description between Partial and Complete in the official CVSS specifications.

Version 3

To address some of these criticisms, development of CVSS version 3 was started in 2012. The final specification was named CVSSv3.0 and released in June 2015. In addition to a Specification Document, a User Guide and an Examples document were also released.

Several metrics were changed, added, and removed. The numerical formulas were updated to incorporate the new metrics while retaining the existing scoring range of 0-10. Textual severity ratings of None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0) were defined, similar to the categories NVD defined for CVSSv2 that were not part of that standard.

Changes from Version 2

Base metrics

In the Base vector, the new metrics User Interaction (UI) and Privileges Required (PR) were added to help distinguish vulnerabilities that required user interaction or user or administrator privileges to be exploited. Previously, these concepts were part of the Access Vector metric of CVSSv2. UI can take the values None or Required; attacks that do not require logging in as a user are considered more severe. PR can take the values None, Low, or High; similarly, attacks requiring fewer privileges are more severe.

The Base vector also saw the introduction of the new Scope (S) metric, which was designed to make clear which vulnerabilities may be exploited and then used to attack other parts of a system or network. These new metrics allow the Base vector to more clearly express the type of vulnerability being evaluated.

The Confidentiality, Integrity, and Availability (C, I, A) metrics were updated to have scores consisting of None, Low, or High, rather than the None, Partial, and Complete of CVSSv2. This allows more flexibility in determining the impact of a vulnerability on the CIA metrics.

Access Complexity was renamed Attack Complexity (AC) to make clear that access privileges were moved to a separate metric. This metric now describes how repeatable exploitation of this vulnerability may be; AC is High if the attacker requires perfect timing or other circumstances (other than user interaction, which is also a separate metric) which may not be easily duplicated on future attempts.

Attack Vector (AV) saw the inclusion of a new metric value of Physical (P), to describe vulnerabilities that require physical access to the device or system to perform.

Temporal metrics

The Temporal metrics were essentially unchanged from CVSSv2.

Environmental metrics

The Environmental metrics of CVSSv2 were completely removed and replaced with essentially a second Base score, known as the Modified vector. The Modified Base is intended to reflect differences within an organization or company compared to the world as a whole. New metrics to capture the importance of Confidentiality, Integrity, and Availability to a specific environment were added.

Criticism of Version 3

In a blog post in September 2015, the CERT Coordination Center discussed limitations of CVSSv2 and CVSSv3.0 for use in scoring vulnerabilities in emerging technology systems such as the Internet of Things.

Version 3.1

A minor update to CVSS was released on June 17, 2019. The goal of CVSSv3.1 was to clarify and improve upon the existing CVSSv3.0 standard without introducing new metrics or metric values, allowing for frictionless adoption of the new standard by both scoring providers and scoring consumers alike.

Usability was a prime consideration when making improvements to the CVSS standard. Several changes made in CVSSv3.1 are to improve the clarity of concepts introduced in CVSSv3.0, and thereby improve the overall ease of use of the standard.

FIRST has used input from industry subject-matter experts to continue to enhance and refine CVSS to be more and more applicable to the vulnerabilities, products, and platforms being developed over the past 15 years and beyond. The primary goal of CVSS is to provide a deterministic and repeatable way to score the severity of a vulnerability across many different constituencies, allowing consumers of CVSS to use this score as input to a larger decision matrix of risk, remediation, and mitigation specific to their particular environment and risk tolerance.

Updates to the CVSSv3.1 specification include clarification of the definitions and explanation of existing base metrics such as Attack Vector, Privileges Required, Scope, and Security Requirements. A new standard method of extending CVSS, called the CVSS Extensions Framework, was also defined, allowing a scoring provider to include additional metrics and metric groups while retaining the official Base, Temporal, and Environmental Metrics. The additional metrics allow industry sectors such as privacy, safety, automotive, healthcare, etc., to score factors that are outside the core CVSS standard. Finally, the CVSS Glossary of Terms has been expanded and refined to cover all terms used throughout the CVSSv3.1 documentation.

Version 4.0

In June 2023, a public preview of CVSSv4.0 was released, bringing a number of improvements. Version 4.0 was officially released in November 2023.

Adoption

Versions of CVSS have been adopted as the primary method for quantifying the severity of vulnerabilities by a wide range of organizations and companies, including:

National Vulnerability Database (NVD)
Open Source Vulnerability Database (OSVDB)
CERT Coordination Center, which in particular makes use of CVSSv2 Base, Temporal and Environmental metrics

See also

Common Weakness Enumeration
Common Vulnerabilities and Exposures
Common Attack Pattern Enumeration and Classification

External links

The Forum of Incident Response and Security Teams (FIRST) CVSS site
National Vulnerability Database (NVD) CVSS site
Common Vulnerability Scoring System v2 Calculator
2543:
2531:
2525:
2522:
2510:
2504:
2501:
2489:
2483:
2480:
2469:on 2022-03-11
2465:
2458:
2452:
2449:
2437:
2431:
2428:
2415:
2409:
2406:
2393:
2389:
2383:
2380:
2368:
2362:
2359:
2355:
2343:
2336:
2330:
2327:
2315:
2309:
2306:
2301:
2297:
2293:
2289:
2285:
2281:
2277:
2273:
2269:
2262:
2260:
2256:
2251:
2244:
2237:
2234:
2229:
2225:
2219:
2217:
2213:
2207:
2202:
2199:
2196:
2193:
2190:
2187:
2186:
2182:
2177:
2174:
2172:
2168:
2166:
2162:
2161:
2160:
2154:
2152:
2146:
2144:
2140:
2136:
2129:
2127:
2125:
2117:
2115:
2108:
2106:
2100:
2098:
2095:
2091:
2087:
2083:
2076:
2071:
2069:
2065:
2058:
2056:
2053:
2049:
2046:
2042:
2037:
2031:
2029:
2020:
2017:
2014:
2013:
2009:
2006:
2003:
2002:
1998:
1995:
1992:
1991:
1987:
1984:
1981:
1980:
1975:
1972:
1969:
1968:
1964:
1961:
1958:
1957:
1954:
1947:
1945:
1922:
1909:
1896:
1893:
1887:
1864:
1849:
1794:TemporalScore
1788:
1773:
1744:
1734:
1731:
1725:
1712:
1702:
1699:
1693:
1680:
1670:
1667:
1661:
1658:
1652:
1649:
1646:
1643:
1634:
1619:
1613:
1606:
1603:
1600:
1599:
1595:
1592:
1589:
1588:
1584:
1581:
1578:
1577:
1573:
1570:
1567:
1566:
1562:
1559:
1556:
1555:
1552:
1545:
1538:
1535:
1532:
1531:
1527:
1524:
1521:
1520:
1516:
1513:
1510:
1509:
1505:
1502:
1499:
1498:
1494:
1491:
1488:
1487:
1483:
1480:
1477:
1476:
1473:
1467:
1460:
1457:
1454:
1453:
1449:
1446:
1443:
1442:
1438:
1435:
1432:
1431:
1427:
1424:
1421:
1420:
1416:
1413:
1410:
1409:
1405:
1402:
1399:
1398:
1394:
1391:
1388:
1387:
1384:
1377:
1375:
1368:
1366:
1362:
1359:
1351:
1348:
1345:
1344:
1340:
1337:
1334:
1333:
1329:
1326:
1323:
1322:
1318:
1315:
1312:
1311:
1308:
1301:
1299:
1276:
1266:
1256:
1236:
1232:TemporalScore
1221:
1218:
1212:
1205:
1202:
1199:
1198:
1194:
1191:
1189:Confirmed (C)
1188:
1187:
1183:
1180:
1177:
1176:
1172:
1169:
1166:
1165:
1161:
1158:
1155:
1154:
1151:
1145:
1138:
1135:
1132:
1131:
1127:
1124:
1121:
1120:
1116:
1113:
1110:
1109:
1105:
1102:
1099:
1098:
1094:
1091:
1088:
1087:
1083:
1080:
1077:
1076:
1073:
1067:
1060:
1057:
1054:
1053:
1049:
1046:
1043:
1042:
1038:
1035:
1032:
1031:
1027:
1024:
1021:
1020:
1016:
1013:
1010:
1009:
1005:
1002:
999:
998:
995:
989:
987:
981:
979:
970:
967:
964:
963:
959:
956:
953:
952:
948:
945:
942:
941:
937:
934:
931:
930:
926:
923:
920:
919:
915:
912:
910:Attack Vector
909:
908:
904:
901:
898:
897:
894:
888:
886:
883:
854:
851:
845:
842:
829:
826:
820:
807:
804:
785:
770:
743:
740:
714:
711:
705:
700:
684:
676:
650:
647:
641:
628:
625:
619:
606:
603:
597:
594:
588:
585:
582:
567:
547:
537:
527:
524:
521:
506:
500:
493:
490:
487:
486:
482:
479:
476:
475:
471:
468:
465:
464:
460:
457:
454:
453:
450:
443:
436:
433:
430:
429:
425:
422:
419:
418:
414:
411:
408:
407:
403:
400:
397:
396:
393:
387:
380:
376:
373:
372:
368:
365:
362:
361:
357:
354:
351:
350:
346:
343:
340:
339:
336:
330:
325:
318:
315:
312:
311:
307:
304:
301:
300:
296:
293:
290:
289:
285:
282:
279:
278:
275:
268:
261:
258:
255:
254:
250:
247:
244:
243:
239:
236:
232:
228:
225:
224:
220:
217:
214:
213:
210:
204:
197:
194:
190:
187:
186:
182:
179:
175:
172:
171:
167:
164:
160:
156:
153:
152:
148:
145:
142:
141:
138:
133:Access Vector
132:
127:
125:
119:
117:
111:
108:
105:
104:
103:
97:
95:
92:
88:
86:
82:
74:
72:
70:
65:
62:
59:
55:
52:
48:
45:
41:
37:
28:
19:
2754:
2668:. Retrieved
2658:
2647:. Retrieved
2637:
2626:. Retrieved
2616:
2605:. Retrieved
2601:
2592:
2581:. Retrieved
2571:
2559:. Retrieved
2554:
2545:
2534:. Retrieved
2524:
2513:. Retrieved
2511:. FIRST, Inc
2503:
2492:. Retrieved
2482:
2471:. Retrieved
2464:the original
2451:
2440:. Retrieved
2430:
2420:November 13,
2418:. Retrieved
2408:
2396:. Retrieved
2392:the original
2382:
2371:. Retrieved
2361:
2352:
2346:. Retrieved
2344:. 2005-04-12
2329:
2318:. Retrieved
2308:
2275:
2271:
2249:
2236:
2228:the original
2158:
2150:
2141:
2137:
2133:
2121:
2112:
2104:
2096:
2092:
2088:
2084:
2080:
2077:Base metrics
2066:
2062:
2050:
2038:
2035:
2026:
1965:Description
1951:
1850:
1774:
1620:
1617:
1614:Calculations
1549:
1471:
1381:
1372:
1363:
1360:
1357:
1319:Description
1305:
1222:
1219:
1216:
1213:Calculations
1149:
1071:
1011:Unproven (U)
993:
985:
976:
965:Availability
905:Description
892:
884:
771:
677:
568:
533:AccessVector
507:
504:
501:Calculations
488:Complete (C)
447:
444:Availability
431:Complete (C)
391:
374:Complete (C)
334:
291:Multiple (M)
272:
208:
178:ARP spoofing
136:
128:Base metrics
123:
115:
101:
93:
89:
78:
66:
63:
39:
35:
33:
2532:. First.org
2147:Version 4.0
2130:Version 3.1
2086:evaluated.
1973:Medium-High
1740:AvailImpact
1708:IntegImpact
1560:Description
1481:Description
1392:Description
1349:Unconfirmed
1338:Unavailable
1159:Description
1081:Description
1003:Description
656:AvailImpact
634:IntegImpact
477:Partial (P)
458:Description
420:Partial (P)
401:Description
363:Partial (P)
344:Description
283:Description
218:Description
188:Network (N)
146:Description
98:Terminology
2780:Categories
2670:2015-11-15
2649:2013-04-16
2628:2013-04-16
2607:2023-06-13
2583:2015-11-15
2536:2016-01-10
2515:2015-11-15
2494:2015-11-15
2473:2015-11-15
2442:2015-11-15
2373:2015-11-15
2348:2022-07-18
2320:2015-11-15
2208:References
2043:, and the
1676:ConfImpact
1579:Medium (M)
1511:Medium (M)
612:ConfImpact
302:Single (S)
245:Medium (M)
2292:1545-5971
2059:Version 3
1923:×
1910:×
1897:−
1806:BaseScore
1745:×
1735:−
1726:×
1713:×
1703:−
1694:×
1681:×
1671:−
1662:−
1653:×
1277:×
1267:×
1257:×
1252:BaseScore
954:Integrity
852:×
843:−
830:×
808:×
781:BaseScore
733: = 0
651:−
642:×
629:−
620:×
607:−
598:−
589:×
548:×
538:×
528:×
388:Integrity
154:Local (L)
120:Version 2
30:CVSS logo
2561:March 2,
2398:March 2,
2300:53287880
2183:See also
2155:Adoption
1750:AvailReq
1718:IntegReq
1590:High (H)
1522:High (H)
1489:None (N)
1444:High (H)
1400:None (N)
1044:High (H)
968:Complete
721:if
466:None (N)
409:None (N)
352:None (N)
313:None (N)
226:High (H)
165:attack).
2645:. OSVDB
2203:(CAPEC)
1948:Example
1812:s
1686:ConfReq
1568:Low (L)
1500:Low (L)
1411:Low (L)
1302:Example
957:Partial
946:Partial
913:Network
889:Example
378:impact.
256:Low (L)
75:History
58:metrics
2298:
2290:
2052:Oracle
1959:Metric
1818:Impact
1563:Score
1484:Score
1395:Score
1313:Metric
1162:Score
1084:Score
1006:Score
899:Metric
863:Impact
813:Impact
727:Impact
693:Impact
578:Impact
494:0.660
483:0.275
461:Score
437:0.660
426:0.275
404:Score
381:0.660
369:0.275
347:Score
319:0.704
286:Score
221:Score
183:0.646
168:0.395
149:Score
2467:(PDF)
2460:(PDF)
2354:CVSS.
2338:(PDF)
2296:S2CID
2246:(PDF)
2197:(CVE)
2191:(CWE)
1962:Value
1650:10.41
1596:1.51
1557:Value
1517:0.75
1506:0.25
1478:Value
1389:Value
1316:Value
1184:0.95
1156:Value
1117:0.95
1106:0.90
1095:0.87
1078:Value
1039:0.95
1017:0.85
1000:Value
902:Value
741:1.176
586:10.41
455:Value
398:Value
341:Value
308:0.56
297:0.45
280:Value
262:0.71
251:0.61
240:0.35
215:Value
143:Value
85:FIRST
2563:2013
2422:2015
2400:2013
2288:ISSN
2169:The
2163:The
2007:High
1996:High
1985:High
1607:1.0
1585:1.0
1574:0.5
1539:1.0
1528:1.0
1450:0.5
1439:0.4
1428:0.3
1417:0.1
1206:1.0
1195:1.0
1173:0.9
1139:1.0
1128:1.0
1061:1.0
1050:1.0
1028:0.9
935:None
472:0.0
415:0.0
358:0.0
198:1.0
44:open
40:CVSS
34:The
2280:doi
2018:Low
1638:min
924:Low
846:1.5
827:0.4
805:0.6
2782::
2600:.
2553:.
2351:.
2340:.
2294:.
2286:.
2276:15
2274:.
2270:.
2258:^
2248:.
2215:^
1894:10
1644:10
1495:0
1461:0
1406:0
525:20
2725:e
2718:t
2711:v
2673:.
2652:.
2631:.
2610:.
2586:.
2565:.
2539:.
2518:.
2497:.
2476:.
2445:.
2424:.
2402:.
2376:.
2323:.
2302:.
2282::
2252:.
1933:)
1920:)
1907:)
1891:(
1888:+
1878:(
1875:(
1865:=
1789:=
1761:)
1758:)
1755:)
1732:1
1729:(
1723:)
1700:1
1697:(
1691:)
1668:1
1665:(
1659:1
1656:(
1647:,
1641:(
1635:=
1287:)
1247:(
1237:=
871:)
868:)
858:(
855:f
849:)
840:)
824:(
821:+
818:)
802:(
799:(
796:(
786:=
744:,
715:,
712:0
706:{
701:=
698:)
688:(
685:f
664:)
661:)
648:1
645:(
639:)
626:1
623:(
617:)
604:1
601:(
595:1
592:(
583:=
522:=
38:(
20:.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.