Questions tagged [cvss]

Use `cvss` if your question is related to the Common Vulnerability Scoring System.

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment.

59 questions
2 votes, 3 answers

Deciding CVSS v3 scope parameter for a few OWASP top 10 vulnerabilities

I am trying to score the OWASP Top 10 on CVSS v3 and I am having difficulties assigning the "scope" parameter for some. Please correct the below list if there are some faults. SQL Injection: Changed. Vulnerable component: Webserver/database server Impacted…
one
2 votes, 1 answer

CVSS Remediation Level for Git Commit

What do you select as remediation level if only a Git commit is available? A very common scenario for this is vulnerabilities in the Linux kernel: before a fix becomes part of the stable branch, it's only available as a commit. Options are: Not…
0lli.rocks
2 votes, 1 answer

Difference between local and physical attack vector in CVSS version 3?

In CVSS version 3, there are four different attack vectors. I am not able to differentiate between local and physical. Say, if I want to report "absence of logout button" I will use physical as access vector. In which cases can I use local as…
one
1 vote, 1 answer

Formal functional relationship between risk and CVSS

The Common Vulnerability Scoring System (CVSS) allows one, among other things, to quantify the severity of software vulnerabilities. What is the functional relationship between a CVSS and the associated risk? In other words, what would be the shape of…
WoJ
1 vote, 2 answers

CVSS Temporal guidance

I've recently been given a set of guidance notes on CVSS; but the guidance isn't making sense. I've sent a query off, but got no response. So asking here. Say you have an exploit (can ignore base for now – but if you want to replicate, I’ve got:…
Amiga500
1 vote, 1 answer

Help me to understand "Low Integrity" scores for parameter tampering in CVSS 3.1

I am curious about the Integrity metric in CVSS 3.1. Low is: "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not…
1 vote, 1 answer

What's the difference between Local and Physical attack vector in CVSS 3.1?

I've recently been reviewing the CVSS 3.1 specification. I encountered the example below: Sophos Login Screen Bypass Vulnerability (CVE-2014-2005) Sophos Disk Encryption (SDE) 5.x in Sophos Enterprise Console (SEC) 5.x before 5.2.2 does not enforce intended…
Mehran2021
1 vote, 1 answer

How to rate a CVSS Score if OS/compiler vulnerability mitigations are highly likely but not guaranteed?

Let's consider the following code in a hypothetical C library. uint8_t size; uint8_t buf[128]; read(untrusted_fd, &size, 1); read(untrusted_fd, buf, size); In the early 2000s, it would be a serious buffer overflow vulnerability that enables…
1 vote, 1 answer

Common practice when CVSS v2 score over represents severity

We're formalizing our vulnerability management process and decided to use CVSS V2 to help decide what vulnerabilities to remediate. We're running into a situation where a vulnerability's severity score has crossed our remediation threshold, but the…
anchovie
1 vote, 2 answers

CVSS3.0 impact score and exploitability score

I'm having some trouble calculating CVSS v3.0 scores in some findings I've encountered. In particular, one finding is a simple server information disclosure via default error pages. It is very similar to the following:…
user1118764
1 vote, 1 answer

Penetration Testing of IaaS/PaaS environment - CVSS Score

How can I measure the effectiveness of penetration testing carried out in a cloud environment (IaaS/PaaS) by a third-party vendor? Should I ask for a CVSS score or something else? Any advice will be highly appreciated.
wonder
1 vote, 1 answer

Why is CVE-2017-5461 rated Critical with CVSS Score 9.8?

A while ago I came across this CVE-2017-5461, which is rated 9.8 both on NVD and Red Hat Portal, with a CVSS base string of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. For those who are not very familiar with the CVSS scoring mechanism, let's break it…
Sajuuk
1 vote, 1 answer

Can CVSS score be different from that calculated from vector

In most databases, there are two fields: CVSS vector and CVSS score. It's logical that if we calculate the score from the vector, it's supposed to be equal to the score field. But can it be manually 'tuned' and therefore be different?
Nostr
1 vote, 3 answers

Clarification regarding CVSS

I need clarifications regarding CVSS: What is better for the references? CVSSv2 or CVSSv3? V3 is new, but V2 is mature. Why are there differences in CVSS scores between the NVD NIST repository and the Red Hat repository? For…
Michael
1 vote, 1 answer

CVSS score for no-input validation

During a security assessment I found that an application wrote JavaScript from input fields directly in the database. The application itself had good output sanitization so no XSS was possible in that application. A different application that used…
Wealot