Journey Through Time: Exploring the Evolution of CVSS Over the Years

Joshua Beaman 22/02/2024
Journey Through Time: Exploring the Evolution of CVSS Over the Years

CVSS, or Common Vulnerability Scoring System, is a standardized framework used to assess and communicate the severity of software vulnerabilities. It provides a numerical score representing the vulnerability’s potential impact, helping security professionals and organizations prioritize their responses to different security threats.

Introduction

CVSS, or Common Vulnerability Scoring System, is a standardized framework used to assess and communicate the severity of software vulnerabilities. It provides a numerical score representing the vulnerability’s potential impact, helping security professionals and organizations prioritize their responses to security threats.

The CVSS score is based on various metrics, including the vulnerability’s exploitability, impact on confidentiality, integrity, availability, and other factors like mitigating controls. CVSS enables consistent and objective evaluation of vulnerabilities, aiding in effective vulnerability management and response strategies.

CVSS Past Versions and Progress Throughout the Years CVSS was first owned and managed by FIRST Inc., a US-based non-profit organization whose mission is to help computer security incident response teams worldwide.

This project has evolved through several versions, each introducing improvements and refinements to assess the severity of vulnerabilities better.

Versions of CVSS

CVSS Version 1.0

Introduced in 2005, CVSS 1.0 provided a basic framework for assessing vulnerabilities. It had a limited set of metrics and did not cover all aspects of a vulnerability’s impact or exploitability.

CVSS Version 2.0

Released in 2007, CVSS 2.0 introduced enhancements like a more detailed scoring system, improved metric definitions, and better granularity in scoring, allowing for a more accurate assessment of vulnerabilities.

An image of CVSS which includes basic metric group, temporal metric group, and environmental metric group

In CVSS Version 2.0, several enhancements and improvements were introduced compared to Version 1.0. Some key additions in Version 2.0 that were not present in Version 1.0 include:

  1. Temporal Metrics: Introduced temporal metrics, which account for the characteristics of a vulnerability that may change over time but not across user environments. These metrics include exploitability (the current state of exploit techniques or code availability), remediation level (availability of a solution or workaround), and report confidence (degree of confidence in the existence of the vulnerability).
  2. Environmental Metrics: Included environmental metrics, allowing organizations to customize the severity score based on their specific IT environment. These metrics include the presence of security controls (measuring the impact of mitigating measures) and the impact on the affected user community.
  3. Base Metrics Refinement: Refined the base metrics introduced in Version 1.0, providing a more detailed and accurate scoring system. It improved metric definitions, offering better granularity in scoring and allowing for a more precise assessment of vulnerabilities.
  4. Vector String: Introduced the Vector String, a concise textual representation of the vulnerability’s metrics, which provides a standardized way to communicate the characteristics of a vulnerability.

These additions in CVSS Version 2.0 enhanced the framework’s ability to assess vulnerabilities, offering a more comprehensive and accurate method for evaluating their severity.

CVSS Version 3.0


Introduced in 2015, CVSS 3.0 was a significant update. It included additional metrics, such as scope (measuring the impact beyond the vulnerable component) and environmental metrics (considering specific user environments). CVSS 3.0 aimed to provide a more comprehensive and accurate representation of vulnerabilities, accounting for a broader range of factors.

This version 3.0 introduced several significant changes and improvements over Version 2.0, enhancing the accuracy and granularity of vulnerability assessments. Some key additions and changes are the following:

  1. Scope, Vulnerable Component, and Impacted Component: Introduced the concept of Scope, which assesses whether the impact of a vulnerability is limited to the vulnerable component or if it extends to other components within the system. This distinction provides a more precise evaluation of the vulnerability’s potential impact.
  2. Access Vector: The Access Vector from version 2.0 has been renamed to Attack Vector. It assesses the attacker’s remoteness from the vulnerable component, with a higher Base score indicating a more remote attacker. This metric now differentiates between local attacks (requiring system access, like desktop applications) and physical attacks (requiring physical platform access, like firewire or USB attacks).
  3. Attack Complexity: Access Complexity from version 2.0 has been divided into two separate metrics: Attack Complexity and User Interaction. Attack Complexity assesses software, hardware, or networking conditions beyond the attacker’s control required for exploitation. User Interaction evaluates the need for human interaction, such as executing a malicious file. This separation clarifies the assessment of vulnerability conditions, providing a more precise evaluation.
  4. Privileges Required: Introduced the “Privileges Required” metric, which evaluates the level of privileges an attacker must possess to exploit the vulnerability. This metric accounts for the varying degrees of access an attacker might need, allowing for a more detailed analysis of the vulnerability’s exploitability.
  5. Impact Subscore: Introduced separate impact subscores for Confidentiality, Integrity, and Availability, allowing for a more detailed assessment of the impact on each of these security aspects. This enhancement provides a more granular view of the vulnerability’s consequences.
  6. Temporal Metrics: The impact of Temporal metrics on vulnerability scoring has been diminished compared to version 2.0. This change signifies a shift towards emphasizing other aspects of vulnerabilities in the scoring process. Additionally, the metric previously known as “Exploitability” in version 2.0 has been renamed to “Exploit Code Maturity” in version 3.0. This change aims to provide a more accurate representation of what the metric is measuring, reflecting the maturity level of available exploit code and its relevance to the vulnerability being assessed.
  7. Environmental Metrics: The Environmental metrics Target Distribution and Collateral Damage Potential have been replaced by Modified factors which accommodate mitigating controls or control weaknesses that may exist within the user’s environment that could reduce or raise the impact of a successfully exploited vulnerability.
  8. Qualitative Rating Scale:

In CVSS version 2.0, the qualitative scoring mapped the 0–10 score ranges to three severities:

  • Low: 0.0–3.9
  • Medium: 4.0–6.9
  • High: 7.0–10.0

In CVSS version 3.x, the same 0–10 scoring range is mapped to five different qualitative severity ratings:

  • None: 0.0
    Low: 0.1–3.9
    Medium: 4.0–6.9
    High: 7.0–8.9
    Critical: 9.0–10.0

Here’s the summary of changes from version 2.0 and 3.0

CVSS Version 3.1

Released in 2019, CVSS 3.1 included further refinements and clarifications to the scoring system. It addressed certain vulnerabilities in the previous version and provided a more precise and consistent method for assessing security threats.

This version introduced several refinements and improvements over Versions 2.0 and 3.0, enhancing the accuracy and flexibility of vulnerability assessments.

“Changes between CVSS versions 3.0 and 3.1 focus on clarifying and improving the existing standard without introducing new metrics or metric values, and without making major changes to existing formulas.“ — FIRST

Here are the major changes in CVSS version 3.1:

  1. CVSS Measured Severity, not RISK: CVSS measures vulnerability severity and should not be used alone to assess risk. It clarifies that the CVSS Base Score only reflects the intrinsic characteristics of a vulnerability, remaining constant over time and across environments. To assess risk comprehensively, the Base Score should be supplemented with contextual analysis and other metrics like Temporal and Environmental Metrics. Comprehensive risk assessment systems, considering factors beyond CVSS such as exposure and threat, are recommended for a thorough evaluation.
  2. Changes to Attack Vector and Modified Attack Vector : In CVSS v3.0, the metric values for Attack Vector (AV) were described using the OSI model, which might be unfamiliar to many users. To enhance clarity, the wording has been revised. Additionally, the usage of the metric value “Adjacent (A)” was limited in CVSS v3.0. To address ambiguity related to logically adjacent or trusted networks (such as MPLS, VPNs), the definition of “Adjacent” has been expanded to include these limited access networks.
  3. Changes to Scoring Guidance : “The CVSS Specification Document and User Guide have been updated with additional guidance to help CVSS analysts produce scores that are consistent and defensible across various situations that were previously considered ambiguous.” — FIRST
  4. Guidance for Scoring Attack Vector — When assessing Attack Vector, use Network if a network connection is required, even if the attack starts locally (e.g., local program sending data over a network). Score as Local if malicious data received over a network affects a separate component. If the vulnerable function is part of the receiving component, score it as Network (e.g., vulnerable web browser triggered by received data).
  5. The CVSS Extensions Framework — The CVSS Extensions Framework in CVSS 3.1 allows users to extend the standard CVSS metrics and scores to incorporate specific requirements or criteria for different contexts. It provides flexibility by enabling organizations to define custom metrics, accommodating factors such as regulatory compliance or industry-specific needs. These extensions enhance vulnerability assessments, allowing organizations to prioritize security issues based on their unique priorities and risk factors, leading to more tailored and accurate assessments.
  6. Formula Changes — In CVSS 3.1, there have been notable changes to the formulas used for calculating the Base Score, Temporal Score, and Environmental Score, which are essential components of the Common Vulnerability Scoring System. These changes aim to enhance the accuracy and relevance of vulnerability assessments.
  7. Update to the Version Identifier in the Vector String — In CVSS v3.1 starts with “CVSS:3.1” instead of “CVSS:3.0”. Although the format remains the same, there are changes in metric values and formulas in CVSS v3.1. It’s crucial to specify the correct CVSS version due to these modifications for accurate vulnerability assessments.
  8. Changes in Scoring Guides — In CVSS 3.1, the scoring guide has been updated to improve the accuracy of vulnerability assessments. Changes include refined guidelines for exploitability, clarified definitions for the Scope metric, and emphasis on temporal and environmental metrics. The guide also allows greater customization, enabling organizations to tailor assessments based on their specific environment and security needs. These modifications enhance the precision and relevance of vulnerability scores, supporting better decision-making and prioritization of security measures.
  9. Glossary of Terms — In CVSS v3.1 provides clear definitions of key terminology used in the framework. It acts as a comprehensive guide for users, ensuring a consistent understanding of CVSS language. This standardized terminology enhances communication among security professionals, aiding effective vulnerability assessment and management. By clarifying complex concepts, the glossary promotes a common understanding of terms across diverse organizations and roles involved in vulnerability assessment and scoring.
  10. Scoring Rubrics — In CVSS 3.1 it provides detailed guidelines for security analysts to assign scores to vulnerabilities accurately. These guidelines break down the evaluation process, ensuring consistency and aiding analysts in assessing various metrics. By standardizing the assessment, organizations can prioritize responses effectively and address critical vulnerabilities promptly.

Conclusion

The transition from CVSS 2.0 to CVSS 3.1 marks a significant leap forward in the realm of vulnerability assessment and management. With this major update, the scoring guide has been meticulously refined, introducing crucial enhancements that address complexities present in earlier versions. The new guidelines provide more nuanced and accurate evaluations, accounting for real-time factors, exploitability considerations, and organizational contexts. Moreover, the increased customizability empowers organizations to tailor their assessments, ensuring relevance to their unique security landscapes.

These advancements not only enhance the precision of vulnerability assessments but also enable security professionals to make more informed decisions and prioritize their response strategies effectively. CVSS 3.1’s adaptability to diverse contexts and its ability to reflect the ever-evolving threat landscape make it an invaluable tool in the hands of cybersecurity experts, ensuring a more robust defense against potential security threats. As organizations navigate the complexities of modern cybersecurity challenges, the updated CVSS 3.1 framework stands as a beacon, guiding them towards a more secure and resilient future.

If you found this topic interesting and you don’t have any exposure to vulnerability management, why not take a look at our entry-level free vulnerability management course.

About Joshua Beaman

Joshua Beaman

Joshua is the CEO at Security Blue Team with a background in security operations and DFIR for critical national infrastructure and e-commerce organizations.