Understanding the CVSS Base Score

The Base CVSS Score is calculated from eight metrics:

  • AV: Attack Vector (the exploit requires physical presence, requires local access, requires access to an adjacent network, or requires only network access)

  • AC: Attack Complexity (low or high)

  • PR: Privileges Required (none, low, or high)

  • UI: User Interaction (none or required)

  • S: Scope (the exploit can affect resources beyond the security authority of the vulnerable component (changed), or it cannot (unchanged))

  • C: Confidentiality impact on the vulnerable component (none, low, or high)

  • I: Integrity impact on the vulnerable component (none, low, or high)

  • A: Availability impact on the vulnerable component (none, low, or high)

Understanding the CVSS Environmental Score

The Environmental CVSS Score is calculated from two groups of metrics. The Security Requirements state how important Confidentiality, Integrity, and Availability are for the affected asset (CR, IR, and AR in the vector string; low, medium, or high, with Not Defined meaning the base value is used unmodified). The Modified Base Metrics override the corresponding base metrics to reflect how the vulnerable component is actually deployed (Modified Attack Vector, Modified Attack Complexity, Modified Privileges Required, Modified User Interaction, Modified Scope, Modified Confidentiality, Modified Integrity, Modified Availability — shown in the vector string as MAV, MAC, MPR, MUI, MS, MC, MI, and MA). A Modified metric that is not set (Not Defined) falls back to the base metric's value. These values can be set by your Sentinel Administrator to reflect your specific circumstances.

CVSS Vector String

Once these factors are defined, they are combined into a Vector String that records the same information in a compressed format. The Vector String begins with the CVSS version being used; each factor is then represented by its abbreviation, a colon, and the value chosen for this particular vulnerability, and the factors are separated by forward slashes. Environmental metrics that have not been set are simply omitted from the string. For example:

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L/CR:H/IR:H/AR:L/MAV:L/MAC:H/MPR:H/MUI:N/MS:U/MC:L/MI:L/MA:L

That vector string says that in the CVSS v3.0 scoring system, for this vulnerability, the Attack Vector is local, the Attack Complexity is high, the Privileges Required are low, no User Interaction is required, the Scope is changed, and the Confidentiality, Integrity, and Availability impacts are each low. The remainder of the string carries the Environmental data: the Confidentiality requirement for this asset is high, the Integrity requirement is high, the Availability requirement is low, and the Modified metrics set Attack Vector to local, Attack Complexity to high, Privileges Required to high, User Interaction to none, Scope to unchanged, and the Confidentiality, Integrity, and Availability impacts to low. Note that two Modified metrics differ from their base values here: MPR:H raises the privileges an attacker needs in this environment, and MS:U records that, as deployed, the exploit does not reach beyond the vulnerable component. (You can see the CVSSv3 Vector by clicking on the CVSS score shown on the Findings tab. The Vector will reflect any value that has been set for this vulnerability.)

These values result in a Base CVSS score of 5.3 (Medium) and an Environmental score of 4.4 (also Medium). The Environmental score comes out lower even though the Confidentiality and Integrity requirements are high, because the Modified Privileges Required (high) and Modified Scope (unchanged) reduce the Exploitability and Impact sub-scores by more than the requirements raise them. More details are available at https://www.first.org/cvss/calculator/3.0, where you can also see the results of possible changes.
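As an added worked example (this code is not part of the original page or of the Sentinel product), the following Python script implements the CVSS v3.0 Base and Environmental equations from the FIRST specification, parses the vector string above, and reproduces the two Medium scores. It also tolerates the lower-case value in a hand-typed metric such as PR:l and falls back to the base metric for any Modified metric that is absent or Not Defined. The function names are my own; the Roundup helper uses the integer-based formulation the v3.1 specification later adopted to avoid floating-point surprises, which yields the same results as the v3.0 definition.

```python
"""CVSS v3.0 vector-string parser and Base/Environmental score calculator.

Added example; weights and equations are from the CVSS v3.0 specification.
"""
import math
import re

# Metric weights (CVSS v3.0 specification, section 8.4).
W_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
W_AC = {"L": 0.77, "H": 0.44}
W_PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}  # (Scope U, Scope C)
W_UI = {"N": 0.85, "R": 0.62}
W_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
W_REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}  # security requirement; X = Not Defined

BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_vector(vector):
    """Parse 'CVSS:3.0/AV:L/...' into a {metric: value} dict, upper-casing values.

    Rejects strings that are not CVSS v3 or that lack any of the eight base metrics.
    """
    parts = vector.strip().split("/")
    if not re.fullmatch(r"CVSS:3\.[01]", parts[0]):
        raise ValueError("not a CVSS v3 vector: %r" % vector)
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError("malformed metric %r" % part)
        metrics[key.upper()] = value.upper()   # tolerate e.g. 'PR:l'
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError("missing base metric(s): %s" % ", ".join(missing))
    return metrics


def roundup(x):
    """CVSS Roundup: smallest value with one decimal place that is >= x.

    Integer arithmetic (the v3.1 spec's formulation) avoids 4.4000000001 -> 4.5.
    """
    scaled = round(x * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def _score(av, ac, pr, ui, scope_changed, iss):
    """Impact, Exploitability and final score; shared by base and environmental."""
    if scope_changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * W_AV[av] * W_AC[ac] * W_PR[pr][scope_changed] * W_UI[ui]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if scope_changed:
        total *= 1.08
    return roundup(min(total, 10))


def base_score(m):
    """Base score from the eight base metrics."""
    iss = 1 - (1 - W_CIA[m["C"]]) * (1 - W_CIA[m["I"]]) * (1 - W_CIA[m["A"]])
    return _score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"] == "C", iss)


def environmental_score(m):
    """Environmental score: Modified metrics override base ones, weighted by CR/IR/AR."""
    def mod(k):
        v = m.get("M" + k, "X")
        return m[k] if v == "X" else v   # absent or Not Defined -> base value
    miss = 1 - ((1 - W_REQ[m.get("CR", "X")] * W_CIA[mod("C")])
                * (1 - W_REQ[m.get("IR", "X")] * W_CIA[mod("I")])
                * (1 - W_REQ[m.get("AR", "X")] * W_CIA[mod("A")]))
    miss = min(miss, 0.915)   # cap from the specification
    return _score(mod("AV"), mod("AC"), mod("PR"), mod("UI"), mod("S") == "C", miss)


def severity(score):
    """Qualitative rating from the v3.0 severity scale."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    # The vector from the page above, with the lower-case 'PR:l' left in deliberately.
    vec = ("CVSS:3.0/AV:L/AC:H/PR:l/UI:N/S:C/C:L/I:L/A:L"
           "/CR:H/IR:H/AR:L/MAV:L/MAC:H/MPR:H/MUI:N/MS:U/MC:L/MI:L/MA:L")
    m = parse_vector(vec)
    b, e = base_score(m), environmental_score(m)
    print("Base %.1f (%s), Environmental %.1f (%s)" % (b, severity(b), e, severity(e)))
```

With no Environmental metrics present, environmental_score() returns the same value as base_score(), which is the quickest sanity check when adding a vector-scoring step to a findings pipeline.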