   Overview
CVSS
The Common Vulnerability Scoring System (CVSS)[1][2] is the emerging standard in vulnerability scoring. This rating system is designed to provide open and universally standard severity ratings of software vulnerabilities. A metric is a constituent component or characteristic of a vulnerability that can be quantitatively or qualitatively measured. These atomic values are clustered together in three separate areas: a base group (Base Metrics), a temporal group (Temporal Metrics), and an environmental group (Environmental Metrics). The base group contains all of the qualities that are intrinsic and fundamental to any given vulnerability and that do not change over time or in different environments. The temporal group contains the characteristics of a vulnerability that are time-dependent and change as the vulnerability ages. Finally, the environmental group contains the characteristics of vulnerabilities that are tied to implementation and environment. The final adjusted score represents the threat a vulnerability presents at a particular point in time for a specific environmental condition.
[1] FIRST: Common Vulnerability Scoring System (CVSS-SIG), http://www.first.org/cvss/
[2] NIST: National Vulnerability Database CVSS Scoring, http://nvd.nist.gov/cvss.cfm

   CVSS Calculator
CVSS V1.0 Calculator for Server Version (Ver1.0)
CVSS V1.0 Calculator
Chinese | Dutch | English | German | Japanese | Korean | Portuguese | Spanish

CVSS V1.0 Calculator includes the following files:

File Name        Description
CVSSv1.html      Loads ScoreCalc.js.
ScoreCalc.js     Loads ScoreCalc.swf.
ScoreCalc.swf    CVSS V1.0 Calculator for Server Version body.
                 ScoreCalc.swf (Server Version) is enabled on JVNRSS Feasibility Study Site only.
parameter.xml    Parameter description file for CVSS V1.0 Calculator (ScoreCalc.swf), one per language, in UTF-8 encoding.
                 [ Ex. Chinese | Dutch | English | German | Japanese | Korean | Portuguese | Spanish ]

Acknowledgments
JVNRSS Feasibility Study Team thanks the following for working with us:
  • Spanish: Language translation is supported by paco.
  • Chinese: Language translation is supported by CNCERT/CC.
  • Korean: Language translation is supported by KrCERT/CC.
  • Portuguese: Language translation is supported by Antonio Marques.
    Faculdade de Engenharia da Universidade do Porto
  • Dutch: Language translation is supported by Arjen de Landgraaf. [ E-Secure-IT ]

parameter.xml
Parameter description file for CVSS V1.0 Calculator.

CVSS V1.0 Calculator for Server Version (Ver1.0) (cont.)
Demonstration Example
Chinese | Dutch | English | German | Japanese | Korean | Portuguese | Spanish

Parameters of Demonstration Example ScoreCalc.swf are "ScoreCalc.swf ?name=CVE-9999-9999-Example &vector=(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N) &temp=(E:P/RL:O/RC:Co) &env=(C:M/T:H) &g=999"

Parameter                                    Description
?name=CVE-9999-9999-Example                  Vulnerability Name
&vector=(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)    CVSS Base Metrics [See Definition]
&temp=(E:P/RL:O/RC:Co)                       CVSS Temporal Metrics [See Definition]
&env=(C:M/T:H)                               CVSS Environmental Metrics [See Definition]
&g=999                                       CVSS Calculator Themes (change the look)
                                               0: Circle chart
                                               1: Bar chart
                                               2: Temperature meter
                                               3: Bar chart (variant)
                                               4: Judge
                                               5: Gas meter
                                               6: Slot meter
                                               7: Stamp
                                               8: Balloon meter
                                               9: Patting
                                               10: Bowling
                                               11: KARATE
                                               Other: Random selection mode

CVSS V1.0 Calculator for Server Version (Ver1.0) (cont.)
CVSSv1 CGI
Chinese | Dutch | English | German | Japanese | Korean | Portuguese | Spanish

CVSSv1 CGI (cvss1.cgi) invokes ScoreCalc.swf with a stream of name=value pairs. Parameters of cvss1.cgi are "cvss1.cgi?name=CVE-9999-9999-Example &vector=(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N) &temp=(E:P/RL:O/RC:Co) &env=(C:M/T:H) &g=999 &lang=en"

Parameter                                    Description
?name=CVE-9999-9999-Example                  Vulnerability Name (Acceptable characters are a-z, A-Z, 0-9 and minus (-).)
&vector=(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)    CVSS Base Metrics [See Definition]
&temp=(E:P/RL:O/RC:Co)                       CVSS Temporal Metrics [See Definition]
&env=(C:M/T:H)                               CVSS Environmental Metrics [See Definition]
&g=999                                       CVSS Calculator Themes (change the look)
                                               0: Circle chart
                                               1: Bar chart
                                               2: Temperature meter
                                               3: Bar chart (variant)
                                               4: Judge
                                               5: Gas meter
                                               6: Slot meter
                                               7: Stamp
                                               8: Balloon meter
                                               9: Patting
                                               10: Bowling
                                               11: KARATE
                                               Other: Random selection mode
&lang=en                                     Language of parameter.xml
                                               cn: Chinese
                                               nl: Dutch
                                               en: English
                                               de: German
                                               ja: Japanese
                                               ko: Korean
                                               pt: Portuguese
                                               es: Spanish

CVSS V1.0 Calculator for PC Version (Ver1.0)
  1. About PC Version
    PC Version (ScoreCalcPC.swf) is enabled on your PC.

  2. License
    General License in Feasibility Study Site for JVNRSS and RSS Extension

  3. Download
    PC Version (Ver1.0) [ cvss1.0calc_forPC_1.0.zip (rev20070430) ]

   Definition of CVSS Calculator parameters
Note: The parameter abbreviations used here are currently a local definition. The next version of the CVSS calculator will support the standard parameter abbreviations. [1][2]
The letters within brackets represent possible values of CVSS Base, Temporal and Environmental Metrics. Exactly one option must be chosen for each set of brackets. Letters not within brackets are mandatory and must be included in order to create valid CVSS Base, Temporal and Environmental Metrics. Each letter or pair of letters is an abbreviation for a metric or metric value within CVSS.

CVSS Base Metrics

CVSS Base Metrics take the following form:
vector=(AV:[R,L]/AC:[H,L]/Au:[R,NR]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]/B:[N,C,I,A])

Metric: AV = AccessVector (Related exploit range)
Possible Values: R = Remote, L = Local

Metric: AC = AccessComplexity (Required attack complexity)
Possible Values: H = High, L = Low

Metric: Au = Authentication (Level of authentication needed to exploit)
Possible Values: R = Required, NR = Not Required

Metric: C = ConfImpact (Confidentiality impact)
Possible Values: N = None, P = Partial, C = Complete

Metric: I = IntegImpact (Integrity impact)
Possible Values: N = None, P = Partial, C = Complete

Metric: A = AvailImpact (Availability impact)
Possible Values: N = None, P = Partial, C = Complete

Metric: B = ImpactBias (Impact value weighting)
Possible Values: N = Normal, C = Confidentiality, I = Integrity, A = Availability

CVSS Temporal Metrics

CVSS Temporal Metrics take the following form:
temp=(E:[U,P,F,H]/RL:[O,T,W,U]/RC:[U,Co,C])

Metric: E = Exploitability (Availability of exploit)
Possible Values: U = Unproven, P = Proof-of-concept, F = Functional, H = High

Metric: RL = RemediationLevel (Type of fix available)
Possible Values: O = Official-fix, T = Temporary-fix, W = Workaround, U = Unavailable

Metric: RC = ReportConfidence (Level of verification that the vulnerability exists)
Possible Values: U = Unconfirmed, Co = Uncorroborated, C = Confirmed

CVSS Environmental Metrics

CVSS Environmental Metrics take the following form:
env=(C:[N,L,M,H]/T:[N,L,M,H])

Metric: C = CollateralDamagePotential (Organization specific potential for loss)
Possible Values: N = None, L = Low (light loss), M = Medium (significant loss), H = High (catastrophic loss)

Metric: T = TargetDistribution (Percentage of vulnerable systems)
Possible Values: N = None (0%), L = Low (1-15%), M = Medium (16-49%), H = High (50-100%)

[1] NIST: National Vulnerability Database CVSS Scoring, http://nvd.nist.gov/cvss.cfm?vectorinfo
[2] NIST: CVSS v2 Vector Definitions, http://nvd.nist.gov/cvss.cfm?vectorinfov2
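
The parameter grammar above, written as an allowlist validator for a cvss1.cgi-style query string (an added example, not the calculator's own code). It assumes the metrics must appear in the order shown, that all three groups are required, and that a missing lang or g falls back to English and the random theme; parseGroup and validateQuery are hypothetical names.

```javascript
// Added example: allowlist validation for the cvss1.cgi parameters.
// Metric names and values are copied from the page's definition section.
const GRAMMAR = {
  vector: [["AV", ["R", "L"]], ["AC", ["H", "L"]], ["Au", ["R", "NR"]],
           ["C", ["N", "P", "C"]], ["I", ["N", "P", "C"]],
           ["A", ["N", "P", "C"]], ["B", ["N", "C", "I", "A"]]],
  temp: [["E", ["U", "P", "F", "H"]], ["RL", ["O", "T", "W", "U"]],
         ["RC", ["U", "Co", "C"]]],
  env: [["C", ["N", "L", "M", "H"]], ["T", ["N", "L", "M", "H"]]],
};
const LANGS = ["cn", "nl", "en", "de", "ja", "ko", "pt", "es"];
const KNOWN = ["name", "vector", "temp", "env", "g", "lang"];

// Parse "(K:V/K:V/...)" against the ordered metric list for `kind`.
// Assumption: metrics must appear in the order the page shows.
function parseGroup(kind, text) {
  const m = /^\(([^()]*)\)$/.exec(text);
  if (!m) throw new Error(`${kind}: expected one parenthesised group`);
  const parts = m[1].split("/");
  const spec = GRAMMAR[kind];
  if (parts.length !== spec.length) throw new Error(`${kind}: wrong metric count`);
  const out = {};
  spec.forEach(([key, allowed], i) => {
    const [k, v, ...extra] = parts[i].split(":");
    // Error text names the expected metric only; untrusted input is never echoed.
    if (k !== key || extra.length > 0 || !allowed.includes(v)) {
      throw new Error(`${kind}: bad value for ${key}`);
    }
    out[key] = v;
  });
  return out;
}

// Validate a whole query string; returns the parsed request or throws.
function validateQuery(query) {
  const q = new URLSearchParams(query);
  for (const key of new Set(q.keys())) {
    if (!KNOWN.includes(key)) throw new Error("unknown parameter");
    if (q.getAll(key).length > 1) throw new Error(`repeated parameter: ${key}`);
  }
  const name = q.get("name") ?? "";
  if (!/^[A-Za-z0-9-]+$/.test(name)) throw new Error("name: illegal character");
  const lang = q.get("lang") ?? "en"; // assumption: default to English
  if (!LANGS.includes(lang)) throw new Error("lang: unknown code");
  const g = q.get("g") ?? "999"; // assumption: missing theme means random
  if (!/^[0-9]{1,3}$/.test(g)) throw new Error("g: expected a short integer");
  const req = { name, lang, theme: Number(g) <= 11 ? Number(g) : "random" };
  for (const kind of Object.keys(GRAMMAR)) req[kind] = parseGroup(kind, q.get(kind) ?? "");
  return req;
}
```

Rejecting repeated and unknown parameters keeps the CGI and the SWF from disagreeing about which value is in effect.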

   Collaboration possibilities between JVNRSS and CVSS
Collaboration possibilities between JVNRSS and CVSS.
[1] OVAL: Open Vulnerability and Assessment Language, http://oval.mitre.org/
[2] Feasibility Study of OVAL based Vulnerability Management Extension, SIGIIV Activity Product Security Teams Meeting (November 14-16, 2005), http://www.first.org/vendor-sig/pstm-2005-11.html#p6

   Revisions
  • Published.: 2006-09-17T14:33+00:00
  • parameter.xml of Spanish version released.: 2006-10-05T13:49+00:00
  • Link "NIST CVSS v2 Vector Definitions" added.: 2006-10-08T02:09+00:00
  • parameter.xml of Chinese version released.: 2006-10-10T06:02+00:00
  • parameter.xml of Korean version released.: 2006-10-11T09:29+00:00
  • Figure "parameter.xml" added.: 2006-10-13T07:34+00:00
  • Section "Collaboration possibilities between JVNRSS and CVSS" added.: 2006-10-13T07:34+00:00
  • JVNRSS FS team signs parameter.xml by SIG_rdf.: 2006-10-14T08:30+00:00
  • CVSS V1.0 PC Version (Ver1.0 rev20061014) released.: 2006-10-29T07:22+00:00
  • CVSSv1 CGI released.: 2006-11-10T02:07+00:00
  • CVSS V1.0 PC Version (Ver1.0 rev20061113) released.: 2006-11-13T14:07+00:00
  • parameter.xml of Portuguese version released.: 2007-02-15T12:26+00:00
  • CVSS V1.0 PC Version (Ver1.0 rev20070215) released.: 2007-02-15T12:26+00:00
  • CVSS V1.0 Server Version New Theme (10. Bowling) added.: 2007-03-10T03:31+00:00
  • CVSS V1.0 Server Version New Theme (11. KARATE) added.: 2007-03-24T16:09+00:00
  • parameter.xml of German version released.: 2007-04-20T17:30+00:00
  • parameter.xml of Dutch version released.: 2007-04-30T15:14+00:00
  • CVSS V1.0 PC Version (Ver1.0 rev20070430) released.: 2007-05-07T22:40+00:00
  • Updated (index.02.html).: 2007-06-05T21:31+00:00


	

Last updated: 2007-06-05T21:31+00:00