Understanding the CVSS Base Score

The Base CVSS Score is calculated based on:

Metric: Value Description

Attack Vector (AV): Requires Physical presence (P), requires Local access (L), requires access to an Adjacent network (A), or requires Network access (N)
Attack Complexity (AC): Low (L) or High (H)
Privileges Required (PR): None (N), Low (L) or High (H)
User Interaction (UI): None (N) or Required (R)
Scope (S): Changed (C) if the exploit can affect resources beyond those of the vulnerable component, or Unchanged (U) if it cannot
Confidentiality (C) requirement for the asset: None (N), Low (L) or High (H)
Integrity (I) requirement for the asset: None (N), Low (L) or High (H)
Availability (A) requirement for the asset: None (N), Low (L) or High (H)

For more details on the Common Vulnerability Scoring System v3.0, refer to the Specification Document here.

Understanding the CVSS Environmental Score

The Environmental CVSS Score is calculated based on the impact the vulnerability could have on Confidentiality, Integrity, and Availability of the system (none, low, or high) and on modifications of the base factors. These values can be set by your Sentinel Administrator to reflect your specific circumstances.

Modified Base Metric: Displayed in Vector String

Modified Attack Vector: MAV
Modified Attack Complexity: MAC
Modified Privileges Required: MPR
Modified User Interaction: MUI
Modified Scope: MS
Modified Confidentiality: MC
Modified Integrity: MI
Modified Availability: MA

CVSS Vector String

When these factors are all defined, they form a Vector String that provides this information in a compressed format. The Vector String begins with the CVSS version being used. Each factor is then represented by an abbreviation followed by a colon and the value for this particular vulnerability, and the factors are separated by forward slashes. For example:

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L/CR:H/IR:H/AR:L/MAV:L/MAC:H/MPR:H/MUI:N/MS:U/MC:L/MI:L/MA:L

That vector string says that, in the CVSS v3.0 scoring system, for this vulnerability, the Attack Vector is local, the Attack Complexity is high, the Privileges Required are low, the User Interaction required is none, the Scope can be changed, the Confidentiality risk is low, the Integrity risk is low, and the Availability risk is low. In addition, this string shows the Environmental data. The confidentiality requirement for this asset is high, the integrity requirement is high, and the availability requirement is low. The Modified Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, and Availability are local, high, high, none, unchanged, low, low, and low. (You can see the CVSSv3 Vector by clicking on the CVSS score shown on the Findings tab. The Vector will reflect any value that has been set for this vulnerability.)

These values will result in a Base CVSS score of Medium, and an Environmental score that is also Medium. More details are available at https://www.first.org/cvss/calculator/3.0, where you can also see the results of possible changes.