CVSS Base and Temporal scores are represented as a numeric value and also as a vector string. The vector string is a textual representation of the metric values used to determine the score.
You'll see CVSS scores and vector strings when you view Vulnerability Information for any QID in the KnowledgeBase and in your scan reports.
Not seeing CVSS scores? CVSS Scoring must be enabled for the subscription by a Manager user.
Here are sample CVSS scores followed by vector strings. (Note: CVSS represents CVSS version 2 and CVSS3.1 represents CVSS version 3.1.)
CVSS Base: 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS Temporal: 4.3 E:POC/RL:OF/RC:C
CVSS3 Base: 6.4 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS3 Temporal: 5.8 E:P/RL:O/RC:C
metric:value/metric:value/metric:value/metric:value/metric:value/metric:value
where / is the separator between metric:value pairs
For example, the CVSS v2 base vector string "AV:N/AC:L/Au:S/C:P/I:P/A:N" has these values:
AV:N indicates the Access Vector metric has a value of Network.
AC:L indicates the Access Complexity metric has a value of Low.
Au:S indicates the Authentication metric has a value of Single.
C:P indicates the Confidentiality Impact metric has a value of Partial.
I:P indicates the Integrity Impact metric has a value of Partial.
A:N indicates the Availability Impact metric has a value of None.
The CVSS v2 and v3.1 metric values as defined by the CVSS standard are listed below.
|
Metric Value |
Displayed as |
|
Access Vector (AV) |
|
|
Local |
L |
|
Adjacent Network |
A |
|
Network |
N |
|
Access Complexity (AC) |
|
|
Low |
L |
|
Medium |
M |
|
High |
H |
|
Authentication (Au) |
|
|
None |
N |
|
Single |
S |
|
Multiple |
M |
|
Confidentiality Impact (C) |
|
|
None |
N |
|
Partial |
P |
|
Complete |
C |
|
Integrity Impact (I) |
|
|
None |
N |
|
Partial |
P |
|
Complete |
C |
|
Availability Impact (A) |
|
|
None |
N |
|
Partial |
P |
|
Complete |
C |
|
Metric Value |
Displayed as |
|
Exploitability (E) |
|
|
Not Defined |
ND |
|
Unproven |
U |
|
Proof-of-Concept |
POC |
|
Functional |
F |
|
High |
H |
|
Remediation Level (RL) |
|
|
Not Defined |
ND |
|
Official Fix |
OF |
|
Temporary Fix |
TF |
|
Workaround |
W |
|
Unavailable |
U |
|
Report Confidence (RC) |
|
|
Not Defined |
ND |
|
Unconfirmed |
UC |
|
Uncorroborated |
UR |
|
Confirmed |
C |
|
Metric Value |
Displayed as |
|
Attack Vector (AV) |
|
|
Network |
N |
|
Adjacent Network |
A |
|
Local |
L |
|
Physical |
P |
|
Attack Complexity (AC) |
|
|
Low |
L |
|
High |
H |
|
Privileges Required (PR) |
|
|
None |
N |
|
Low |
L |
|
High |
H |
|
User Interaction (UI) |
|
|
None |
N |
|
Required |
R |
|
Scope |
|
|
Unchanged |
U |
|
Changed |
C |
|
Confidentiality Impact (C) |
|
|
None |
N |
|
Low |
L |
|
High |
H |
|
Integrity Impact (I) |
|
|
None |
N |
|
Low |
L |
|
High |
H |
|
Availability Impact (A) |
|
|
None |
N |
|
Low |
L |
|
High |
H |
|
Metric Value |
Displayed as |
|
Exploit Code Maturity (E) |
|
|
Not Defined |
X |
|
Unproven |
U |
|
Proof-of-Concept |
P |
|
Functional |
F |
|
High |
H |
|
Remediation Level (RL) |
|
|
Not Defined |
X |
|
Official Fix |
O |
|
Temporary Fix |
T |
|
Workaround |
W |
|
Unavailable |
U |
|
Report Confidence (RC) |
|
|
Not Defined |
X |
|
Unknown |
U |
|
Reasonable |
R |
|
Confirmed |
C |