Overview | [top] |
|
The Common Vulnerability Scoring System (CVSS)[1][2] is the emerging standard in vulnerability scoring.
This rating system is designed to provide open and universally standard severity ratings of software vulnerabilities.
A metric is a constituent component or characteristic of a vulnerability that can be quantitatively or qualitatively measured.
These atomic values are clustered together in three separate areas: a base group (Base Metrics), a temporal group (Temporal Metrics), and an environmental group (Environmental Metrics).
The base group contains all of the qualities that are intrinsic and fundamental to any given vulnerability that do not change over time or in different environments.
The temporal group contains the characteristics of a vulnerability that are time-dependent and change as the vulnerability ages.
Finally, the environmental group contains the characteristics of vulnerabilities that are tied to implementation and environment.
The final adjusted score represents the threat a vulnerability presents at a particular point in time for a specific environmental condition.
|
[1] FIRST: Common Vulnerability Scoring System (CVSS-SIG), http://www.first.org/cvss/
[2] NIST: National Vulnerability Database CVSS Scoring, http://nvd.nist.gov/cvss.cfm
|
|
|
CVSS Calculator | [top] |
Language Translation With XML for CVSS V2.0 Calculator
|
Arabic | Azeri | Azeri (Cyrillic) | Chinese | Dutch | English | French | German | Japanese | Korean | Portuguese | Russian | Spanish
|
CVSS V2.0 Calculator for Server
|
CVSS V2.0 Calculator
Arabic | Azeri | Azeri (Cyrillic) | Chinese | Dutch | English | French | German | Japanese | Korean | Portuguese | Russian | Spanish
|
CVSS V2.0 Calculator CGI
Arabic | Azeri | Azeri (Cyrillic) | Chinese | Dutch | English | French | German | Japanese | Korean | Portuguese | Russian | Spanish
CVSSv2 CGI (cvss2.cgi) invokes ScoreCalc2.swf with a stream of name=value pairs.
The parameters of cvss2.cgi take the following form: "cvss2.cgi?name=CVE-9999-9999-Example &vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:TF/RC:UC/CDP:L/TD:H/CR:M/IR:M/AR:H) &g=999 &lang=en"
Parameter | Description |
?name=CVE-9999-9999-Example | Vulnerability Name (acceptable characters are a-z, A-Z, 0-9 and minus (-)) |
&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:TF/RC:UC/CDP:L/TD:H/CR:M/IR:M/AR:H) | Base, Temporal, Environmental Vectors [See CVSS V2.0 Vector Definitions] |
&g=999 | CVSS Calculator Themes (change the look): d: Debug Version; 0: Circle chart; 1: Bar chart; 2: Circle chart (variant); 3: Bar chart (variant); Other: Random selection mode |
&lang=en | Language of parameter.xml: ar: Arabic; az: Azeri; az-cyrl: Azeri (Cyrillic); cn: Chinese; de: German; en: English; es: Spanish; fr: French; ja: Japanese; kr: Korean; ru: Russian |
|
CVSS V2.0 Calculator for PC
|
Please download the CVSS Calculator from our toolbox!
|
CVSS V2.0 Vector Definitions
|
Each metric in the vector consists of the abbreviated metric name, followed by a ":" (colon), then the abbreviated metric value. The vector lists these metrics in a predetermined order, using the "/" (slash) character to separate the metrics. If a temporal or environmental metric is not to be used, it is given a value of "ND" (not defined). The base, temporal, and environmental vectors are shown in the table below.
Metric Type | Description |
Base | AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C] |
Temporal | E:[U,POC,F,H,ND]/RL:[OF,TF,W,U,ND]/RC:[UC,UR,C,ND] |
Environmental | CDP:[N,L,LM,MH,H,ND]/TD:[N,L,M,H,ND]/CR:[L,M,H,ND]/IR:[L,M,H,ND]/AR:[L,M,H,ND] |
|
[1] FIRST CVSS-SIG: A Complete Guide to the Common Vulnerability Scoring System Version 2.0, http://www.first.org/cvss/cvss-guide.html#i2.4
[2] NIST NVD: CVSS v2 Vector Definitions, http://nvd.nist.gov/cvss.cfm?vectorinfov2
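
The vector grammar in the table above and the cvss2.cgi parameter rules can be enforced before a request is built or accepted. The following is an added example, not code from the JVNRSS calculator: `parse_vector` and `build_query` are hypothetical helper names, and treating a wholly omitted temporal or environmental group as "ND" is an assumption of this example.

```python
import re
from urllib.parse import urlencode

# Allowed values per metric, in the predetermined order given in the table above.
BASE = [("AV", "L A N"), ("AC", "H M L"), ("Au", "M S N"),
        ("C", "N P C"), ("I", "N P C"), ("A", "N P C")]
TEMPORAL = [("E", "U POC F H ND"), ("RL", "OF TF W U ND"), ("RC", "UC UR C ND")]
ENVIRONMENTAL = [("CDP", "N L LM MH H ND"), ("TD", "N L M H ND"),
                 ("CR", "L M H ND"), ("IR", "L M H ND"), ("AR", "L M H ND")]
NAME_RE = re.compile(r"[A-Za-z0-9-]+")  # a-z, A-Z, 0-9 and minus, per the page


def parse_vector(vector):
    """Validate a CVSS v2 vector; return {metric: value} with ND filled in."""
    text = vector.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]  # the CGI example wraps the vector in parentheses
    pairs = []
    for item in text.split("/"):
        name, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {item!r}")
        pairs.append((name, value))
    result, pos = {}, 0
    for group, optional in ((BASE, False), (TEMPORAL, True), (ENVIRONMENTAL, True)):
        names = [n for n, _ in group]
        if optional and (pos >= len(pairs) or pairs[pos][0] != names[0]):
            result.update({n: "ND" for n in names})  # assumption: omitted group = ND
            continue
        for expected, allowed in group:
            if pos >= len(pairs) or pairs[pos][0] != expected:
                raise ValueError(f"expected metric {expected} at position {pos + 1}")
            if pairs[pos][1] not in allowed.split():
                raise ValueError(f"invalid value for {expected}: {pairs[pos][1]!r}")
            result[expected] = pairs[pos][1]
            pos += 1
    if pos != len(pairs):
        raise ValueError(f"unexpected metric {pairs[pos][0]!r}")
    return result


def build_query(name, vector, theme="0", lang="en"):
    """Build the cvss2.cgi query string after validating name and vector."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name may contain only a-z, A-Z, 0-9 and '-'")
    parse_vector(vector)
    return "cvss2.cgi?" + urlencode(
        {"name": name, "vector": vector, "g": theme, "lang": lang}, safe="():/")
```

Rejecting anything outside the name character set and the fixed metric vocabulary keeps markup and unexpected values out of whatever renders the `name` and `vector` parameters.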
|
|
|
Recurring decimal issue in CVSS V2.0 calculator | [top] |
A recurring decimal value occurs under a specific condition in the CVSS V2.0 calculator.
This value affects the ENVIRONMENTAL SCORE.
|
|
|
|
Acknowledgments | [top] |
The JVNRSS Feasibility Study Team thanks the following for working with us:
- Arabic: Language translation is supported by Helmi Rais.
- French: Language translation is supported by Helmi Rais.
- German: Language translation is supported by Fahim Nawabi and Akira Yamada.
- Spanish: Language translation is supported by paco.
- Korean: Language translation is supported by KISA.
- Chinese: Language translation reference is X.1521 : Common vulnerability scoring system (http://www.itu.int/rec/T-REC-X.1521-201104-I).
- Russian: Language translation reference is X.1521 : Common vulnerability scoring system (http://www.itu.int/rec/T-REC-X.1521-201104-I).
- Azeri and Azeri (Cyrillic): Language translation is supported by CERT.GOV.AZ.
|
|
|
Revisions | [top] |
- Published (index.01.html).: 2006-09-17T14:33+00:00
- CVSS V2.0 Calculator for Server (Development Version) published.: 2007-06-05T21:31+00:00
- parameter2.xml of German version released.: 2007-07-27T16:02+00:00
- New Theme (2. Circle chart, 3. Bar chart) added in CVSS V2.0 Calculator for Server.: 2007-07-27T16:02+00:00
- CVSS V2.0 Calculator for PC released.: 2007-08-21T07:10+00:00
- parameter2.xml of French version released.: 2007-11-14T01:34+00:00
- parameter2.xml of Spanish version released.: 2007-11-14T01:34+00:00
- parameter2.xml of Arabic version released.: 2008-02-01T00:11+00:00
- parameter2.xml of Korean version released.: 2009-10-30T00:00+00:00
- Recurring decimal issue published.: 2010-04-08T15:12+00:00
- parameter2.xml of Chinese version released.: 2014-06-01T01:35+00:00
- parameter2.xml of Russian version released.: 2014-06-01T01:35+00:00
- parameter2.xml of Azeri and Azeri (Cyrillic) version released.: 2014-06-22T18:47+00:00
|
|
|
|
|