CVSS Calculator: Assess Cybersecurity Vulnerability Scores


CVSS Calculator

Calculate the base score for cybersecurity vulnerabilities using the Common Vulnerability Scoring System (CVSS).



Metric inputs (the helper text shown under each selector):

  • Attack Vector (AV): How the vulnerability can be exploited (Network, Adjacent, Local, Physical).
  • Attack Complexity (AC): Conditions beyond the attacker’s control required for exploitation (Low, High).
  • Privileges Required (PR): Level of privileges an attacker must possess before successful exploitation (None, Low, High).
  • User Interaction (UI): Whether a user, other than the attacker, must participate (None, Required).
  • Scope (S): Whether the vulnerability impact is limited to the same security scope or affects other scopes (Unchanged, Changed).
  • Confidentiality (C): Impact on confidentiality of data (None, Low, High).
  • Integrity (I): Impact on integrity of data (None, Low, High).
  • Availability (A): Impact on availability of the affected component (None, Low, High).

CVSS Metrics Table (CVSS v3.1 Base Metrics)

| Metric | Description |
|---|---|
| Attack Vector (AV) | How the vulnerability can be exploited. |
| Attack Complexity (AC) | Conditions beyond the attacker’s control required. |
| Privileges Required (PR) | Level of privileges an attacker must possess. |
| User Interaction (UI) | Whether a user, other than the attacker, must participate. |
| Scope (S) | Whether the vulnerability impact affects other scopes. |
| Confidentiality (C) | Impact on confidentiality of data. |
| Integrity (I) | Impact on integrity of data. |
| Availability (A) | Impact on availability of the affected component. |

Understanding and Using the CVSS Calculator

A comprehensive guide to assessing cybersecurity vulnerability severity with the Common Vulnerability Scoring System (CVSS).

What is CVSS?

CVSS, or the Common Vulnerability Scoring System, is an industry standard for assessing the severity of computer system security vulnerabilities. It provides a numerical score (from 0.0 to 10.0) that reflects the characteristics and impact of a vulnerability. This score helps organizations prioritize their responses to vulnerabilities based on their criticality. The CVSS calculator is a tool that simplifies this process by taking the various vulnerability metrics as input and outputting the resulting score.

Who should use it? Cybersecurity professionals, IT managers, system administrators, security analysts, and anyone responsible for managing and mitigating security risks. It’s crucial for understanding the potential impact of discovered or reported vulnerabilities.

Common misunderstandings: A frequent misunderstanding is that a CVSS score represents the absolute risk to a specific organization. While it’s a standardized measure of intrinsic vulnerability severity, the actual risk depends on environmental factors (e.g., network exposure, existing security controls, asset criticality) which are captured by the Environmental metrics (not covered in the Base Score calculator).

CVSS v3.1 Formula and Explanation

The CVSS v3.1 standard defines several metric groups: Base, Temporal, and Environmental. This calculator focuses on the Base Score, which represents the intrinsic qualities of a vulnerability that are constant over time and across user environments.

The Base Score is calculated based on two sub-score groups: Exploitability and Impact. The Scope metric plays a crucial role in how these scores are combined.

Exploitability Sub-Score (E)

This sub-score reflects how easy it is to exploit the vulnerability. It depends on the Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), and User Interaction (UI) metrics.

Impact Sub-Score (I)

This sub-score reflects the potential consequences of a successful exploit on the impacted component. It depends on the Confidentiality (C), Integrity (I), and Availability (A) metrics, and is modified by the Scope (S) metric.

Base Score Calculation (Simplified Overview)

The exact formula is complex and involves piecewise calculations depending on the Scope metric and the Impact sub-score. In essence:

Base Score = Roundup(Minimum(Impact + Exploitability, 10))

Where Impact and Exploitability are themselves derived from the individual metric values according to specific formulas and lookup tables provided by FIRST.org.

CVSS v3.1 Base Score Components

Base Metrics Explained

| Metric Group | Metric | Possible Values | Description |
|---|---|---|---|
| Exploitability | Attack Vector (AV) | Network (N), Adjacent (A), Local (L), Physical (P) | The ‘path’ an attacker takes to exploit the vulnerability. |
| Exploitability | Attack Complexity (AC) | Low (L), High (H) | The difficulty of exploiting the vulnerability once the attacker has access. |
| Exploitability | Privileges Required (PR) | None (N), Low (L), High (H) | The level of privileges the attacker needs to possess before exploitation. |
| Exploitability | User Interaction (UI) | None (N), Required (R) | Whether a user must take action for the exploit to succeed. |
| Impact | Scope (S) | Unchanged (U), Changed (C) | Indicates whether the vulnerability impacts resources beyond its own security scope. |
| Impact | Confidentiality (C) | None (N), Low (L), High (H) | Impact on the confidentiality of information. |
| Impact | Integrity (I) | None (N), Low (L), High (H) | Impact on the integrity (trustworthiness and correctness) of information. |
| Impact | Availability (A) | None (N), Low (L), High (H) | Impact on the availability of the affected component. |

Practical Examples

Example 1: Remote Code Execution via Web Server

Scenario: A critical vulnerability in a popular web server allows an unauthenticated attacker to upload and execute arbitrary code by sending a specially crafted HTTP request.

  • Attack Vector (AV): Network (N) – Exploitable over the internet.
  • Attack Complexity (AC): Low (L) – No special conditions required.
  • Privileges Required (PR): None (N) – No login needed.
  • User Interaction (UI): None (N) – No user involvement.
  • Scope (S): Changed (C) – Attacker gains control over the server, impacting other processes/data.
  • Confidentiality (C): High (H) – Attacker can access all data.
  • Integrity (I): High (H) – Attacker can modify any data or code.
  • Availability (A): High (H) – Attacker can easily take down the service.

Input: AV:N, AC:L, PR:N, UI:N, S:C, C:H, I:H, A:H

Result: Using the CVSS calculator with these inputs yields a Base Score of 9.8 (Critical).

Example 2: Information Disclosure via Local File Read

Scenario: A vulnerability in a desktop application allows a logged-in user on the same machine to read sensitive configuration files that they should not have access to.

  • Attack Vector (AV): Local (L) – Requires access to the local system.
  • Attack Complexity (AC): Low (L) – Simple exploit.
  • Privileges Required (PR): Low (L) – Attacker needs to be logged in as a standard user.
  • User Interaction (UI): None (N) – Attacker doesn’t need the victim to do anything.
  • Scope (S): Unchanged (U) – Impact is limited to the application’s own data scope.
  • Confidentiality (C): High (H) – Sensitive files are fully exposed.
  • Integrity (I): None (N) – Attacker can only read, not modify.
  • Availability (A): None (N) – Service remains available.

Input: AV:L, AC:L, PR:L, UI:N, S:U, C:H, I:N, A:N

Result: Using the CVSS calculator with these inputs yields a Base Score of 5.0 (Medium).

How to Use This CVSS Calculator

Using this CVSS calculator is straightforward:

  1. Identify the Vulnerability Metrics: Gather information about the specific vulnerability you are assessing. This typically comes from security advisories, vulnerability reports, or penetration test findings.
  2. Select Metrics: For each metric (Attack Vector, Attack Complexity, etc.), choose the value that best describes the vulnerability from the dropdown menus. Refer to the small helper text below each label for a brief explanation.
  3. Calculate: Click the “Calculate Base Score” button.
  4. Interpret Results: The calculator will display the calculated CVSS Base Score, its corresponding severity rating (None, Low, Medium, High, Critical), the Exploitability Score, and the Impact Score.
  5. Understand the Breakdown: The table below the results shows each metric selected and its definition, helping you confirm your choices.
  6. Copy Results: Use the “Copy Results” button to easily share the calculated score and metrics.
  7. Reset: Click “Reset” to clear all selections and start over.

Selecting Correct Units: CVSS metrics are unitless and categorical. Ensure you understand the definition of each category (e.g., ‘Network’ vs ‘Adjacent’ Attack Vector) before selecting.

Interpreting Results: The Base Score provides a standardized severity. Remember that the true risk to your organization also depends on your specific environment and the potential impact on your critical assets.

Key Factors That Affect CVSS Base Score

  1. Exploitability Ease (AV, AC, PR, UI): Vulnerabilities that are easier to exploit remotely, without special privileges, and without user interaction will naturally receive higher scores. A vulnerability exploitable over the network with low complexity and no required privileges is inherently more dangerous than one requiring physical access and complex conditions.
  2. Impact Scope (S): If a vulnerability allows an attacker to affect components beyond the vulnerable component itself (Scope Changed), the potential impact is significantly higher, leading to a higher score.
  3. Severity of Impact (C, I, A): The degree of damage to Confidentiality, Integrity, and Availability directly influences the score. A vulnerability that leads to total data compromise (High C, High I, High A) will score much higher than one with minimal impact.
  4. Combination of Metrics: The score isn’t just an average; it’s a calculated value where certain combinations can have disproportionately higher or lower impacts. For example, high impact metrics are more significant when combined with high exploitability metrics.
  5. Attack Path Complexity: While Attack Complexity (AC) is a direct metric, the overall “attack path” involving multiple conditions (even if individually Low) can conceptually increase the difficulty, though the Base Score formula itself uses fixed values.
  6. Privilege Escalation Potential: A vulnerability that allows an attacker to escalate from a low-privilege user to a high-privilege one, or gain administrative access, significantly increases the perceived threat and thus the score.

FAQ

What is the difference between CVSS v3.0 and v3.1?

CVSS v3.1 is primarily a clarification and refinement of v3.0. It aims to improve the consistency and clarity of metric definitions and scoring, particularly around Scope and user interaction, without fundamentally changing the scoring methodology.

Can a CVSS score predict if a vulnerability WILL be exploited?

No. A CVSS score indicates the *potential* severity and exploitability if exploited. Actual exploitation depends on factors like attacker interest, availability of exploits, and the target’s specific environment.

What is the difference between Base, Temporal, and Environmental scores?

The Base Score measures intrinsic qualities. The Temporal Score adjusts the Base Score based on factors like exploit availability and patch status. The Environmental Score tailors the score to a specific user’s environment, considering mitigations and asset criticality.

How are the score ranges (e.g., 7.0-8.9 for High) determined?

These ranges are defined by the FIRST.org (Forum of Incident Response and Security Teams) standard for CVSS v3.1 to provide consistent qualitative severity ratings (Low, Medium, High, Critical) based on the numerical Base Score.

What if a vulnerability has multiple ways to be exploited?

You should score the vulnerability based on the *most severe* characteristics that can be exploited. This typically means choosing the metrics that result in the highest possible Base Score.

Does a score of 10.0 mean it’s the absolute worst vulnerability possible?

A score of 10.0 indicates the highest possible severity within the CVSS Base Score framework. It signifies a vulnerability that is easily exploitable and has a severe impact across confidentiality, integrity, and availability.

Can I use this calculator for older CVSS versions like v2.0?

No, this calculator is specifically for CVSS v3.1. CVSS v2.0 uses different metrics and formulas. You would need a dedicated v2.0 calculator for accurate scoring.

What does “Scope: Changed” really mean?

“Scope: Changed” means that the vulnerability impacts security authority or control beyond the security scope of the vulnerable component. For example, a web application vulnerability that allows an attacker to access backend system data or execute code on the server it connects to would have a Changed scope.
