
Consider these two cases:
1) Impact on Confidentiality as High
2) Impact on Confidentiality as Low
Please note all other parameters are unchanged and environmental parameters are set as High.

Now, the score for Case 1 is 9.0, but Case 2 is 9.1. This is very strange as impact on C as high should ideally have a higher score value.

Does anyone have an explanation for this?

C: Impact on Confidentiality as High = 9.0

C: Impact on Confidentiality as Low = 9.1


Edit 1: Please visit these links. Refer to the score below shown against the Environmental score.
Link 1: Impact on Confidentiality as Low. https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N/CR:H/IR:H/AR:H

Link 2: Impact on Confidentiality as High. https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N/CR:H/IR:H/AR:H


  • your environmentals are higher in the 2nd case - confidentiality affects the base score, which is lower in the 2nd case, as you would expect. Why are the environmentals different? – schroeder May 08 '17 at 09:40
  • @schroeder I have added the links and the screenshots. Please look at the score mentioned against the environmental score (this is the final score for each case considering all the defined parameters). You can see I have only changed impact on confidentiality and all other parameters are the same. But the scores tell a different story. – one May 08 '17 at 10:01
  • This looks like a bug in the calculator, maybe it is best to send them a bug report. (unless someone can explain this of course :D) It is the same with integrity. Most likely there is something a bit off in how the calculator rounds the numbers on the environmental part of the calculation. – Wealot May 08 '17 at 12:57

1 Answer

I sent this to FIRST and I got this response from their team.

We agree that this is a problem, and we plan to address it in a future revision to the standard. We used a set of test cases to ensure intuitive scores for all inputs during the creation of the CVSS v3.0 formulas, but we missed this case. I don't believe people often set CR, IR and AR to High, so I don't think the problem often causes issues in practice. Thanks for taking the time to ensure we knew about the problem.

Attached the mail image.

one