CVSS

One-liner: An industry-standard framework for assigning severity scores (0-10) to security vulnerabilities based on their exploitability and impact.

🎯 What Is It?

The Common Vulnerability Scoring System (CVSS) is a free, open framework maintained by FIRST that provides a standardized way to capture the principal characteristics of a vulnerability and produce a numerical severity score (0.0 to 10.0). This score helps organizations prioritize remediation efforts based on risk.

📊 CVSS Score Ranges

🔬 CVSS v3.1 Metric Groups

Base Score (Intrinsic Qualities)

Represents the characteristics of a vulnerability that remain constant over time and across environments.

Exploitability Metrics:

• Attack Vector (AV) — Network, Adjacent, Local, Physical
• Attack Complexity (AC) — Low or High
• Privileges Required (PR) — None, Low, High
• User Interaction (UI) — None or Required

Impact Metrics:

• Confidentiality (C) — None, Low, High
• Integrity (I) — None, Low, High
• Availability (A) — None, Low, High
• Scope (S) — Unchanged or Changed

Temporal Score (Current State)

Adjusts the base score based on time-sensitive factors like exploit availability.

• Exploit Code Maturity — Not Defined, Unproven, Proof-of-Concept, Functional, High
• Remediation Level — Not Defined, Official Fix, Temporary Fix, Workaround, Unavailable
• Report Confidence — Not Defined, Unknown, Reasonable, Confirmed

Environmental Score (Organization-Specific)

Allows organizations to customize the score based on their specific environment.

• Modified Base Metrics — Adjust impact based on specific deployment
• Confidentiality/Integrity/Availability Requirements — Not Defined, Low, Medium, High

🛠️ How It Works

CVSS Vector String

A compact representation of the metric values:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Breakdown:

• AV:N — Attack Vector: Network (remotely exploitable)
• AC:L — Attack Complexity: Low (no special conditions)
• PR:N — Privileges Required: None (unauthenticated)
• UI:N — User Interaction: None (no user action needed)
• S:U — Scope: Unchanged (no privilege escalation)
• C:H — Confidentiality Impact: High
• I:H — Integrity Impact: High
• A:H — Availability Impact: High

Base Score: 9.8 (Critical)

Real-World Example: SQL Injection

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score: 9.1 (Critical)

• Why Critical?
  • Network-based (internet-facing)
  • Low complexity (simple payload)
  • No privileges needed (unauthenticated)
  • High confidentiality impact (data breach)
  • High integrity impact (data modification)

🎤 Interview Angles

Common Questions

• "What is CVSS and why is it important?"
• "How do you calculate a CVSS score?"
• "What's the difference between CVSS base, temporal, and environmental scores?"
• "How would you prioritize vulnerabilities with the same CVSS score?"

STAR Story

Situation: Security team was overwhelmed with vulnerability scan results showing hundreds of findings with no clear prioritization.
Task: Establish a vulnerability management process based on risk.
Action: Implemented CVSS-based triage: Critical (9.0+) = 48hr SLA, High (7.0-8.9) = 1 week, Medium (4.0-6.9) = 1 month. Combined CVSS scores with environmental factors (internet-facing, contains PII). Trained team on reading CVSS vectors to understand exploitability vs. impact.
Result: Reduced critical vulnerability backlog from 200+ to zero within 2 months. Prevented potential breach by prioritizing internet-facing SQLi (CVSS 9.8) over local privilege escalation (CVSS 7.2).

✅ Best Practices

For Pentesters

• Rate vulnerabilities in isolation — Assume no other vulnerabilities exist
• Use base score for general assessments
• Document your scoring rationale in the report
• Include the vector string for transparency
• Highlight attack chains separately in findings summary

For Defenders

• Don't rely solely on CVSS — Combine with asset criticality and threat intel
• Environmental scores are crucial for accurate prioritization
• Update temporal scores as exploits emerge
• Track CVSS trends over time for metrics

📈 CVSS in the Wild

CVE Integration

Every CVE (Common Vulnerabilities and Exposures) entry includes a CVSS score:

CVE-2021-44228 (Log4Shell)
CVSS 3.1 Base Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

NVD (National Vulnerability Database)

The NVD provides CVSS scores, vector strings, and detailed analysis for all CVEs. It's the canonical source for vulnerability scoring.

⚠️ Limitations of CVSS

What CVSS Doesn't Consider

• Business context — A critical vuln in a dev server ≠ critical vuln in production
• Asset value — Database with PII vs. test database
• Compensating controls — WAF, EDR, network segmentation
• Exploitability in practice — Theoretical max vs. real-world constraints
• Attack chains — Multiple low-severity findings combined

Risk ≠ CVSS Score

Risk = Likelihood × Impact × Asset Value

CVSS Score 9.0 on isolated dev server < CVSS Score 6.5 on internet-facing prod DB

❌ Common Misconceptions

• "CVSS 10.0 means the system will definitely be hacked" → It's a severity metric, not a probability
• "Higher CVSS always means higher priority" → Context matters: asset criticality, exposure, compensating controls
• "CVSS replaces risk assessment" → It's one input, not the entire risk picture
• "All scanners calculate CVSS correctly" → Vendors sometimes assign inflated scores

🔗 Related Concepts

• CVE
• NVD
• Vulnerability Management
• Risk Rating
• Penetration Testing Report
• Threat Intelligence

📚 References

• FIRST CVSS v3.1 Specification: https://www.first.org/cvss/v3.1/specification-document
• CVSS Calculator: https://www.first.org/cvss/calculator/3.1
• NVD CVSS Documentation: https://nvd.nist.gov/vuln-metrics/cvss
• NIST SP 800-126: Technical Specification for the Security Content Automation Protocol (SCAP)