Common Vulnerability Scoring Systemm, Version 4.0

Intro

The CVSS, or Common Vulnerability Scoring System, is a tool that provides numerical scores to evaluate the severity of software, hardware, and firmware vulnerabilities. The system consists of four metric groups: Base, Threat, Environmental, and Supplemental. The Base Score reflects the vulnerability's constant characteristics, while the Threat Metrics adjust the severity based on factors such as proof-of-concept code or active exploitation. The Environmental Metrics further refine the score to a specific computing environment, taking into account the presence of mitigations and the criticality attributes of the vulnerable system. Finally, the Supplemental Metrics provide additional context about the vulnerability. The CVSS v4 framework is a renewal of the old version 3.1.

Metrics

The base metrics group denotes the intrinsic properties of a vulnerability that are unchanging over time and across different user contexts. This group is composed of two sets of metrics: exploitability metrics and impact metrics. The exploitability metrics indicate how easily and through what technical methods the vulnerability can be exploited. These metrics focus on the characteristics of the "vulnerable system" specifically. The impact metrics, on the other hand, denote the direct effects of a successful attack which can have a repercussion on the vulnerable system and/or any subsequent systems, known as "downstream systems".

CVSS v3.0 introduced the concept of "scope" to measure the impact of a vulnerability on downstream systems in addition to the vulnerable system. This helps to capture the true impact of the vulnerability and enables organizations to better assess the risk posed by a given vulnerability. The scope metric group separates the impact on the vulnerable system from the impact on downstream systems. This feature enables organizations to more accurately assess the risk posed by a vulnerability, as well as the impact of potential remediation efforts.

The Environment and Supplemental Metrics Groups of the Common Vulnerability Scoring System (CVSS) provide important characteristics of a vulnerability which are relevant and unique to the user's environment. These metrics consider existing security controls that can mitigate the consequences of a successful attack, the relative importance of a vulnerable system within a technology infrastructure, and additional extrinsic characteristics of the vulnerability. The response to each metric within the additional metrics group is at the discretion of the user, allowing them to assess the metrics and values locally significant. User organizations can then define the significance and/or effective impact of each metric or combination of metrics to determine the categorization, prioritization and assessment of the vulnerability.

Conclusion

We are excited to see how the new scoring method in CVSS V4.0 will improve vulnerability analysis. It has the potential to provide vulnerability analysts with a more effective assessment and address the previous shortcomings of CVSS. This could lead to a better assessment of the impact of vulnerabilities. However, we should remain cautiously optimistic until the assessment itself shows significant improvements.

Source

cvss v4.0 specification document