What is CVSS 3.0?
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures consistent and accurate measurement, while enabling users to see the underlying vulnerability characteristics that were used to generate the scores.
The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
CVSS 2.0 vs CVSS 3.0
NVD provides qualitative severity rankings of “Low”, “Medium”, and “High” for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as defined in the CVSS v3.0 specifications.
The newer version of CVSS introduces a number of changes to the scoring system that more accurately reflect vulnerabilities in the web application domain.
While all three metric groups (the Base Score, the Temporal Score and the Environmental Score) remained the same, new metrics such as Scope (S) and User Interaction (UI) were added. In addition, old metrics such as Authentication (Au) were changed to newer ones such as Privileges Required (PR).
The Scope metric captures whether an exploited vulnerability can only affect resources managed by the same authority. In that case, the vulnerable component and the impacted component are the same.
The Environmental Metrics group also saw a new addition, the Modified Base Metrics, which allow analysts to customize CVSS scores based on the host that has been affected in the analyst’s organisation, making the scores contextual when necessary.
CVSS v2.0 Ratings
CVSS v3.0 Ratings
Base Score Range
Base Score Range
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by David Habusha. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/whitesource-announces-extended-support-for-cvss-3-0-scores-to-its-vulnerabilities-database