The Common Vulnerability Scoring System (CVSS) v3 came out a while ago, as an enhancement for CVSS v2. The big question is: why do you need to calculate it, if it's already done by the tool (for example, Burp)? Let me give you an example. Suppose that you have found an SQL Injection vulnerability, and the report tells you that the score is high. In reality, the server that was tested was disconnected from the internet and available on a specific VLAN, and on top of that, the data stored in the database was not confidential. Should you still consider the score to be high? Of course not! That's why you always need to recalculate your score, to make sure that it matches the reality.
The CVSS base score takes the following metrics into consideration (you will understand the meaning of each one of them later):
- Attack Vector (AV): Network (N), Adjacent (A), Local (L), Physical (P)
- Attack Complexity (AC): Low (L), High (H)
- Privileges Required (PR): None (N), Low (L), High (H)
- User Interaction (UI): None (N), Required (R)
- Scope (S): Unchanged (U), Changed (C)
- Confidentiality (C): None (N), Low (L), High (H)
- Integrity (I): None (N), Low (L), High (H)
- Availability (A): None (N), Low (L), High (H)
How can we say that a score of 9 is high, or critical? You don't need to bang your head against the wall; here's the severity guidance:
CVSS v3 Base Score: 0-10

| Severity | Base Score Range |
|----------|------------------|
| None     | 0.0              |
| Low      | 0.1 - 3.9        |
| Medium   | 4.0 - 6.9        |
| High     | 7.0 - 8.9        |
| Critical | 9.0 - 10.0       |
Let's look at a practical example to calculate the CVSS scores of two vulnerabilities:
- SQL Injection
- Reflected XSS
The web server is accessible through the internet, and the database stores confidential data (clients' personal information).