Table 2.
The basic Common Vulnerability Scoring System (CVSS) metrics. Each qualitative value of a metric (e.g., low) has a dedicated numeric multiplier defined by CVSS, which is then used to calculate the CVSS score.
| Category | Metric | Potential Values | Comment |
|---|---|---|---|
| Exploitability | Attack Vector (AV) | physical (P), local (L), adjacent network (A), network (N) | Names the attack vector for the vulnerability, i.e., whether an attacker needs to be physically at the target system, needs access to the local system, needs to be in an adjacent network (e.g., Wi-Fi), or whether the vulnerability is remotely exploitable over the network |
| Exploitability | Attack Complexity (AC) | low (L), high (H) | Details how complex the vulnerability would be to exploit |
| Exploitability | Privileges Required (PR) | none (N), low (L), high (H) | Details if the attacker requires special privileges to exploit a vulnerability |
| Exploitability | User Interaction (UI) | none (N), required (R) | Describes if the legitimate user of the system needs to take an action for an attack to be successful |
| Exploitability | Scope (S) | unchanged (U), changed (C) | Describes whether an exploit of the vulnerability allows an attacker to affect components beyond the scope of the vulnerable component |
| Impact | Confidentiality Impact (C) | none (N), low (L), high (H) | Describes the potential loss of confidentiality in the vulnerable component (i.e., if the attacker can access data) |
| Impact | Integrity Impact (I) | none (N), low (L), high (H) | Describes the potential loss of integrity of the vulnerable component (i.e., whether the component remains trustworthy despite an attack) |
| Impact | Availability Impact (A) | none (N), low (L), high (H) | Describes the impact on the vulnerable component’s availability |