Overview
The Common Vulnerability Scoring System (CVSS)[1][2] is the emerging standard in vulnerability scoring.
This rating system is designed to provide open and universally standard severity ratings of software vulnerabilities.
A metric is a constituent component or characteristic of a vulnerability that can be quantitatively or qualitatively measured.
These atomic values are clustered together in three separate areas: a base group (Base Metrics), a temporal group (Temporal Metrics), and an environmental group (Environmental Metrics).
The base group contains all of the qualities that are intrinsic and fundamental to any given vulnerability that do not change over time or in different environments.
The temporal group contains the characteristics of a vulnerability that are time-dependent and change as the vulnerability ages.
Finally, the environmental group contains the characteristics of vulnerabilities that are tied to implementation and environment.
The final adjusted score represents the threat a vulnerability presents at a particular point in time for a specific environmental condition.
[1] FIRST: Common Vulnerability Scoring System (CVSS-SIG), http://www.first.org/cvss/
[2] NIST: National Vulnerability Database CVSS Scoring, http://nvd.nist.gov/cvss.cfm
CVSS Calculator
CVSS V1.0 Calculator for Server Version (Ver1.0)
CVSS V1.0 Calculator
Chinese | Dutch | English | German | Japanese | Korean | Portuguese | Spanish
CVSS V1.0 Calculator includes ...
File Name | Description |
CVSSv1.html | Loads ScoreCalc.js |
ScoreCalc.js | Loads ScoreCalc.swf |
ScoreCalc.swf | Body of the CVSS V1.0 Calculator for Server Version. ScoreCalc.swf (Server Version) is enabled on the JVNRSS Feasibility Study Site only. |
parameter.xml | Parameter description file for CVSS V1.0 Calculator (ScoreCalc.swf), one for each language, in UTF-8 encoding. [ Ex. Chinese | Dutch | English | German | Japanese | Korean | Portuguese | Spanish ] |
Acknowledgments
JVNRSS Feasibility Study Team thanks the following for working with us:
- Spanish: Language translation is supported by paco.
- Chinese: Language translation is supported by CNCERT/CC.
- Korean: Language translation is supported by KrCERT/CC.
- Portuguese: Language translation is supported by Antonio Marques.
- Dutch: Language translation is supported by Arjen de Landgraaf. [ E-Secure-IT ]
Figure: parameter.xml
CVSS V1.0 Calculator for Server Version (Ver1.0) (cont.)
Demonstration Example
Chinese | Dutch | English | German | Japanese | Korean | Portuguese | Spanish
Parameters of Demonstration Example ScoreCalc.swf are "ScoreCalc.swf ?name=CVE-9999-9999-Example &vector=(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N) &temp=(E:P/RL:O/RC:Co) &env=(C:M/T:H) &g=999"
Parameter | Description |
?name=CVE-9999-9999-Example | Vulnerability Name |
&vector=(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N) | CVSS Base Metrics [See Definition] |
&temp=(E:P/RL:O/RC:Co) | CVSS Temporal Metrics [See Definition] |
&env=(C:M/T:H) | CVSS Environmental Metrics [See Definition] |
&g=999 | CVSS Calculator Themes (change the look)
0: Circle chart
1: Bar chart
2: Temperature meter
3: Bar chart (variant)
4: Judge
5: Gas meter
6: Slot meter
7: Stamp
8: Balloon meter
9: Patting
10: Bowling
11: KARATE
Other: Random selection mode
|
CVSS V1.0 Calculator for Server Version (Ver1.0) (cont.)
CVSSv1 CGI
Chinese | Dutch | English | German | Japanese | Korean | Portuguese | Spanish
CVSSv1 CGI (cvss1.cgi) invokes ScoreCalc.swf with a stream of name=value pairs.
Parameters of cvss1.cgi are "cvss1.cgi?name=CVE-9999-9999-Example &vector=(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N) &temp=(E:P/RL:O/RC:Co) &env=(C:M/T:H) &g=999 &lang=en"
Parameter | Description |
?name=CVE-9999-9999-Example | Vulnerability Name (Acceptable characters are a-z, A-Z, 0-9 and minus (-).) |
&vector=(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N) | CVSS Base Metrics [See Definition] |
&temp=(E:P/RL:O/RC:Co) | CVSS Temporal Metrics [See Definition] |
&env=(C:M/T:H) | CVSS Environmental Metrics [See Definition] |
&g=999 | CVSS Calculator Themes (change the look)
0: Circle chart
1: Bar chart
2: Temperature meter
3: Bar chart (variant)
4: Judge
5: Gas meter
6: Slot meter
7: Stamp
8: Balloon meter
9: Patting
10: Bowling
11: KARATE
Other: Random selection mode
|
&lang=en | Language of parameter.xml
cn: Chinese
nl: Dutch
en: English
de: German
ja: Japanese
ko: Korean
pt: Portuguese
es: Spanish
|
CVSS V1.0 Calculator for PC Version (Ver1.0)
- About PC Version
PC Version (ScoreCalcPC.swf) is enabled on your PC.
- License
General License in Feasibility Study Site for JVNRSS and RSS Extension
- Download
PC Version (Ver1.0) [ cvss1.0calc_forPC_1.0.zip (rev20070430) ]
Definition of CVSS Calculator parameters
Note: The parameter abbreviations used here are currently a local definition.
The next version of the CVSS calculator will support the standard parameter abbreviations. [1][2]
The letters within brackets represent possible values of CVSS Base, Temporal and Environmental Metrics.
Exactly one option must be chosen for each set of brackets.
Letters not within brackets are mandatory and must be included in order to create valid CVSS Base, Temporal and Environmental Metrics.
Each letter or pair of letters is an abbreviation for a metric or metric value within CVSS.
CVSS Base Metrics
CVSS Base Metrics take the following form:
vector=(AV:[R,L]/AC:[H,L]/Au:[R,NR]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]/B:[N,C,I,A])
Metric: AV = AccessVector (Related exploit range)
Possible Values: R = Remote, L = Local
Metric: AC = AccessComplexity (Required attack complexity)
Possible Values: H = High, L = Low
Metric: Au = Authentication (Level of authentication needed to exploit)
Possible Values: R = Required, NR = Not Required
Metric: C = ConfImpact (Confidentiality impact)
Possible Values: N = None, P = Partial, C = Complete
Metric: I = IntegImpact (Integrity impact)
Possible Values: N = None, P = Partial, C = Complete
Metric: A = AvailImpact (Availability impact)
Possible Values: N = None, P = Partial, C = Complete
Metric: B = ImpactBias (Impact value weighting)
Possible Values: N = Normal, C = Confidentiality, I = Integrity, A = Availability
CVSS Temporal Metrics
CVSS Temporal Metrics take the following form:
temp=(E:[U,P,F,H]/RL:[O,T,W,U]/RC:[U,Co,C])
Metric: E = Exploitability (Availability of exploit)
Possible Values: U = Unproven, P = Proof-of-concept, F = Functional, H = High
Metric: RL = RemediationLevel (Type of fix available)
Possible Values: O = Official-fix, T = Temporary-fix, W = Workaround, U = Unavailable
Metric: RC = ReportConfidence (Level of verification that the vulnerability exists)
Possible Values: U = Unconfirmed, Co = Uncorroborated, C = Confirmed
CVSS Environmental Metrics
CVSS Environmental Metrics take the following form:
env=(C:[N,L,M,H]/T:[N,L,M,H])
Metric: C = CollateralDamagePotential (Organization specific potential for loss)
Possible Values: N = None, L = Low (light loss), M = Medium (significant loss), H = High (catastrophic loss)
Metric: T = TargetDistribution (Percentage of vulnerable systems)
Possible Values: N = None (0%), L = Low (1-15%), M = Medium (16-49%), H = High (50-100%)
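An added example, not part of the original page or the calculator's own code: a strict allow-list parser for the cvss1.cgi parameters defined above, of the kind a server would apply before passing values on to ScoreCalc.swf. That `vector` is required while `temp` and `env` are optional, and that `g` is at most three digits, are assumptions.

```python
import re
from urllib.parse import parse_qs

# Metric order and allowed values, copied from the definitions above.
GRAMMAR = {
    "vector": [("AV", "R L"), ("AC", "H L"), ("Au", "R NR"), ("C", "N P C"),
               ("I", "N P C"), ("A", "N P C"), ("B", "N C I A")],
    "temp": [("E", "U P F H"), ("RL", "O T W U"), ("RC", "U Co C")],
    "env": [("C", "N L M H"), ("T", "N L M H")],
}
LANGS = {"cn", "nl", "en", "de", "ja", "ko", "pt", "es"}
NAME_RE = re.compile(r"[A-Za-z0-9-]+")  # a-z, A-Z, 0-9 and minus, as stated for cvss1.cgi
# Demonstration query from this page, with the display spaces removed.
DEMO = ("name=CVE-9999-9999-Example&vector=(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)"
        "&temp=(E:P/RL:O/RC:Co)&env=(C:M/T:H)&g=999&lang=en")


def parse_group(param, text):
    """Parse one '(K:V/K:V/...)' group; every metric exactly once, in page order."""
    if len(text) < 2 or text[0] != "(" or text[-1] != ")":
        raise ValueError(f"{param}: missing parentheses")
    parts, spec = text[1:-1].split("/"), GRAMMAR[param]
    if len(parts) != len(spec):
        raise ValueError(f"{param}: expected {len(spec)} metrics, got {len(parts)}")
    parsed = {}
    for part, (metric, allowed) in zip(parts, spec):
        key, _, value = part.partition(":")
        if key != metric or value not in allowed.split():
            raise ValueError(f"{param}: {part!r} does not match {metric}:[{allowed}]")
        parsed[metric] = value
    return parsed


def validate_query(query):
    """Return the parsed parameters, or raise ValueError on anything off-grammar."""
    raw = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    if set(raw) - {"name", "g", "lang", *GRAMMAR} or any(len(v) != 1 for v in raw.values()):
        raise ValueError("unknown or repeated parameter")
    p = {key: values[0] for key, values in raw.items()}
    if not NAME_RE.fullmatch(p.get("name", "")):
        raise ValueError("name: only a-z, A-Z, 0-9 and '-' are accepted")
    if "vector" not in p:  # assumption: base metrics required, temp/env optional
        raise ValueError("vector: missing")
    if "g" in p and not re.fullmatch(r"[0-9]{1,3}", p["g"]):  # assumption: short number
        raise ValueError("g: not a theme number")
    if "lang" in p and p["lang"] not in LANGS:
        raise ValueError("lang: unknown language code")
    groups = {k: parse_group(k, p[k]) for k in GRAMMAR if k in p}
    return {"name": p["name"], "g": p.get("g"), "lang": p.get("lang"), **groups}
```

`validate_query(DEMO)` returns the three metric groups as dictionaries; any value outside the bracketed sets, a reordered metric, a repeated parameter or a name with other characters raises `ValueError`.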
[1] NIST: National Vulnerability Database CVSS Scoring, http://nvd.nist.gov/cvss.cfm?vectorinfo
[2] NIST: CVSS v2 Vector Definitions, http://nvd.nist.gov/cvss.cfm?vectorinfov2
Collaboration possibilities between JVNRSS and CVSS
Revisions
- Published.: 2006-09-17T14:33+00:00
- parameter.xml of Spanish version released.: 2006-10-05T13:49+00:00
- Link "NIST CVSS v2 Vector Definitions" added.: 2006-10-08T02:09+00:00
- parameter.xml of Chinese version released.: 2006-10-10T06:02+00:00
- parameter.xml of Korean version released.: 2006-10-11T09:29+00:00
- Figure "parameter.xml" added.: 2006-10-13T07:34+00:00
- Section "Collaboration possibilities between JVNRSS and CVSS" added.: 2006-10-13T07:34+00:00
- JVNRSS FS team signs parameter.xml by SIG_rdf.: 2006-10-14T08:30+00:00
- CVSS V1.0 PC Version (Ver1.0 rev20061014) released.: 2006-10-29T07:22+00:00
- CVSSv1 CGI released.: 2006-11-10T02:07+00:00
- CVSS V1.0 PC Version (Ver1.0 rev20061113) released.: 2006-11-13T14:07+00:00
- parameter.xml of Portuguese version released.: 2007-02-15T12:26+00:00
- CVSS V1.0 PC Version (Ver1.0 rev20070215) released.: 2007-02-15T12:26+00:00
- CVSS V1.0 Server Version New Theme (10. Bowling) added.: 2007-03-10T03:31+00:00
- CVSS V1.0 Server Version New Theme (11. KARATE) added.: 2007-03-24T16:09+00:00
- parameter.xml of German version released.: 2007-04-20T17:30+00:00
- parameter.xml of Dutch version released.: 2007-04-30T15:14+00:00
- CVSS V1.0 PC Version (Ver1.0 rev20070430) released.: 2007-05-07T22:40+00:00
- Updated (index.02.html).: 2007-06-05T21:31+00:00