In a Nessus output file, does the Risk Level (e.g. Critical, High, Medium, Low, None) depend on the CVSS score? What relationship, if any, do the Risk Level and CVSS have?
Thank yo
Asked
Active
Viewed 8,619 times
1 Answers
6
generally Nessus severity ratings will line up to the brackets outlined here for CVSS Score --> severity mappping so
NVD Vulnerability Severity Ratings NVD provides severity rankings of "Low," "Medium," and "High" in addition to the numeric CVSS scores but these qualitative rankings are simply mapped from the numeric CVSS base scores:
- Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0-3.9.
- Vulnerabilities will be labeled "Medium" severity if they have a base CVSS score of 4.0-6.9.
- Vulnerabilities will be labeled "High" severity if they have a CVSS base score of 7.0-10.0.
However on top of that Nessus has a "critical" rating which according to this blog post they use for CVSS 10 vulnerabilities
Rory McCune
- 60,923
- 14
- 136
- 217
-
1Given this information, are the CVE code and the CVSS score also dependent? – silverlight Mar 01 '15 at 17:39
-
2AFAIK CVE codes are just handed out sequentially without specific regard to the severity of the issue. – Rory McCune Mar 01 '15 at 17:50
-
1Correct, CVE IDs are assigned sequentially – schroeder Mar 01 '15 at 18:16