Every security vulnerability is unique. Different vulnerabilities impact different systems, involve different exploit techniques, and require different remediations. These differences can make it challenging for teams to determine which vulnerabilities are most serious and require prioritization.
But with the help of the Common Vulnerability Scoring System (CVSS), comparing vulnerabilities becomes much easier. CVSS provides a consistent, standardized approach to measuring the potential impact of vulnerabilities. When used in conjunction with other sources of insight, CVSS scores help teams make informed decisions about which vulnerabilities to prioritize.
Keep reading for an overview of CVSS, including how it works, how CVSS scores are calculated, and how CVSS relates to other vulnerability assessment techniques and resources.
CVSS in cybersecurity
The Common Vulnerability Scoring System (CVSS) is a standardized framework for evaluating the severity of software security vulnerabilities.
CVSS was introduced in the mid-2000s based on research by the National Infrastructure Advisory Council, a U.S. government agency. The purpose of the CVSS is to provide a systematic approach to assessing the potential impact of every known software vulnerability.
The importance of CVSS scores
On a typical day, dozens of new vulnerabilities are announced. With so many new risks appearing on a regular basis, organizations may not be able to remediate every vulnerability that affects their systems as soon as it’s announced. Instead, they must decide which ones to fix first.
CVSS scores are important because they give a quantitative assessment of the ease of exploiting a vulnerability and the potential damage it could cause to an affected system. In turn, CVSS scores allow teams to better prioritize vulnerability remediation.
What are the versions of CVSS?
The CVSS system has undergone four major iterations since it debuted.
The latest version of CVSS is 4.0, which was published in late 2023 and is yet to be officially implemented by the industry. . However, CVSS version 3.0, which went live in 2015 and received a major update in 2019.
A detailed comparison of the different CVSS versions is beyond the scope of this article, but suffice it to say that newer versions of the framework include broader sets of criteria for calculating severity scores. Although you shouldn’t ignore a CVSS score just because it wasn’t calculated using the latest CVSS version, more recent CVSS versions generate the most meaningful scores.
The main components of CVSS for calculating CVSS scores
CVSS scores are calculated based using a scoring formula that takes into account a number of metrics, including:
- Attack vector: The vector through which exploiting the vulnerability is possible. For example, vulnerabilities subject to network-based attacks are considered more severe than those that require local access to a system (since local access is harder for threat actors to obtain).
- Attack complexity: How complex the attack is to carry out. For instance, do attackers need special skills or can they simply execute a few basic commands?
- Privileges required: Does the attack only work if attackers have elevated privileges inside a system, or can they exploit the vulnerability as unprivileged users?
- Confidentiality: How many confidential resources (meaning resources not available to the public at large) can the attack expose?
- Availability: Will the attack result in critical components of a system becoming unavailable?
This is only a partial list of criteria used to calculate CVSS scores. The complete list of components, and the weights assigned to them, varies depending on which version of the scoring framework researchers use to calculate scores. The latest version of CVSS, 4.0, includes the broadest set of scoring metrics.
Based on the metrics described above, the CVSS system assigns a numeric score to each vulnerability. Scores range from 0 to 10, with 10 representing the greatest level of severity.
To experiment with CVSS scores and generate your own CVSS scoring examples, you can use a CVSS calculator.
CVSS vs. CVE vs. NVD
CVSS, CVE, NVD, and CWE are four acronyms related to the identification and assessment of vulnerabilities in software and systems. CVSS relates to, but is distinct from the other acronyms:
- CVE (Common Vulnerabilities and Exposures) is a standardized system that assigns a unique identifier and a brief description to each publicly known vulnerability.
- NVD (National Vulnerability Database) is a central repository that collects and provides information about CVEs, such as CVSS scores, references, and analysis.
- CWE (Common Weakness Enumeration) is a community-developed list that categorizes and describes common software weaknesses that could lead to vulnerabilities.
Limitations of CVSS
While CVSS scores are powerful information for teams that need to assess risks quickly, they shouldn’t be the sole basis for vulnerability prioritization and remediation. You should also consider factors like exploitability, which refers to how easy it is for threat actors to carry out attacks based on a vulnerability in your specific environment.
This is important because CVSS scores are calculated based on generic metrics, not assessments tied to any particular organization or configuration. Your environment may have settings in place that make a given vulnerability more or less serious than its CVSS score implies.
For instance, a vulnerability that is considered severe because it can be exploited over the network may not be as serious for an organization that uses air-gapping to isolate a vulnerable system from the network. For that particular organization, the vulnerability would not be easily exploitable via the network because the vulnerable system is not connected to a public network.
A second limitation is that it lacks granularity in several metrics, which may result in CVSS scores that do not properly distinguish vulnerabilities of different types and risk profiles.
A third CVSS limitation is that it doesn’t consider if a vulnerability is already exploited in the wild, or the potential of a vulnerability being exploited soon. Exploited vulnerabilities are more likely to have public exploits or proof-of-concept code available, which lowers the barrier for entry for less sophisticated attackers and increases the chances of opportunistic attacks.
Using Checkmarx to manage risks
CVSS is a great way to assess the impact of some risks. But because not all vulnerabilities come with CVSS scores, and because CVSS scores don’t always reflect the actual risk that a given threat poses to your company in particular, you need additional insights to react as effectively as possible to security threats.
That’s where Checkmarx comes in. By scanning applications for risks of all types, Checkmarx helps teams identify every potential vulnerability and security flaw – including but not limited to those that are publicly known. In addition, Checkmarx supports custom risk weighting and scoring, so you’ll know at a glance how serious each threat is for your organization in particular – as opposed to the public at large.
To learn more, schedule a demo.