CVSS Terminology

Master the Common Vulnerability Scoring System v3.1


What is CVSS?

The Common Vulnerability Scoring System (CVSS) is a free, open industry standard for assessing the severity of computer security vulnerabilities. CVSS provides a numerical score (0.0 to 10.0) that represents the severity of a vulnerability, helping organizations prioritize remediation efforts.

Why CVSS Matters

Security teams handle hundreds or thousands of vulnerabilities. CVSS provides a consistent, objective way to compare vulnerabilities and decide which ones to fix first. A CVSS score tells you both how severe a vulnerability is AND how easy it is to exploit.

Example: 9.8 (Critical) - Remote code execution, no authentication required

Severity Rating Scale

CVSS v3.1 maps numerical scores to qualitative severity ratings:

Score Range    Rating
0.0            None
0.1 - 3.9      Low
4.0 - 6.9      Medium
7.0 - 8.9      High
9.0 - 10.0     Critical

CVSS Version History

  • CVSS v1 (2005) - Initial release
  • CVSS v2 (2007) - Improved scoring accuracy
  • CVSS v3.0 (2015) - Major overhaul with Scope concept
  • CVSS v3.1 (2019) - Current standard, clarifications
  • CVSS v4.0 (2023) - Latest version, adds Supplemental metrics

Three Metric Groups

CVSS v3.1 organizes metrics into three groups. The Base Score is always calculated; Temporal and Environmental scores are optional adjustments.

Base Metrics

Intrinsic characteristics that remain constant over time and across environments.

  • Attack Vector (AV)
  • Attack Complexity (AC)
  • Privileges Required (PR)
  • User Interaction (UI)
  • Scope (S)
  • Confidentiality Impact (C)
  • Integrity Impact (I)
  • Availability Impact (A)

Temporal Metrics

Characteristics that change over time as exploits mature and patches become available.

  • Exploit Code Maturity (E)
  • Remediation Level (RL)
  • Report Confidence (RC)

These reduce the Base Score to reflect current exploit status.

Environmental Metrics

Organization-specific adjustments based on asset importance and existing controls.

  • Modified Base Metrics (M*)
  • Confidentiality Requirement (CR)
  • Integrity Requirement (IR)
  • Availability Requirement (AR)

Customize score for YOUR environment's risk tolerance.

Base Metric Deep Dive

Exploitability Metrics

These measure how easily the vulnerability can be exploited:

Metric                      Values (Worst → Best)
Attack Vector (AV)          Network → Adjacent → Local → Physical
Attack Complexity (AC)      Low → High
Privileges Required (PR)    None → Low → High
User Interaction (UI)       None → Required

Impact Metrics

These measure damage to the CIA triad if exploited:

  • Confidentiality (C): None / Low / High
  • Integrity (I): None / Low / High
  • Availability (A): None / Low / High

The Scope Metric

Scope (S) indicates whether a vulnerability in one component can impact resources beyond its security scope. For example, a VM escape vulnerability has Scope: Changed because it affects the host system.

Interactive CVSS Calculator

Select values for each Base metric to calculate a CVSS score. Click each option to see how different settings affect the final score.

CVSS v3.1 Base Score Calculator

Click metrics to build your vector string:

  • Attack Vector (AV): Network / Adjacent / Local / Physical
  • Attack Complexity (AC): Low / High
  • Privileges Required (PR): None / Low / High
  • User Interaction (UI): None / Required
  • Scope (S): Unchanged / Changed
  • Confidentiality (C): None / Low / High
  • Integrity (I): None / Low / High
  • Availability (A): None / Low / High

Vector String: CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_

Example Vectors

Click to analyze real-world vulnerability patterns:

CVE-2021-44228 (Log4Shell) - Score: 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Network exploitable, no auth needed, complete system compromise with scope change.

Typical Phishing RCE - Score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Requires user to click a link, but full compromise once clicked.

Local Privilege Escalation (Info Disclosure) - Score: 5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Requires local access with low privileges, reads sensitive data only.

CVSS Knowledge Check

Test your understanding of CVSS terminology and scoring. You need 80% (4/5) to pass.

Q1. A CVSS score of 7.5 falls into which severity category?
  • Medium
  • High
  • Critical
  • Low

Q2. Which Attack Vector (AV) value indicates the HIGHEST exploitability?
  • Physical
  • Local
  • Network
  • Adjacent

Q3. What does the "Scope" metric measure in CVSS v3.1?
  • Whether exploitation impacts resources beyond the vulnerable component
  • The number of systems affected
  • The geographic scope of the attack
  • The size of the vulnerable code section

Q4. Which metric group changes based on YOUR organization's specific environment?
  • Base Metrics
  • Temporal Metrics
  • Exploitability Metrics
  • Environmental Metrics

Q5. A vulnerability requires no user interaction, no privileges, and is exploitable over the network. Which abbreviation represents this in a CVSS vector?
  • AV:L/AC:H/PR:H/UI:R
  • AV:N/AC:L/PR:N/UI:N
  • AV:P/AC:L/PR:N/UI:N
  • AV:N/AC:H/PR:L/UI:R