Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) is used to rate the severity and risk of computer system security.

In IBM® QRadar®7.5.0, QRadar Vulnerability Manager supports Common Vulnerability Scoring System (CVSS) 2.0, 3.0, and 3.1. Scores and metric values are returned for the highest version available in vulnerability data.

CVSS is an open framework that consists of the following metric groups:
  • Base
  • Temporal
  • Environmental

Base

The base score severity range is 0 - 10 and represents the inherent characteristics of the vulnerability. The base score has the largest bearing on the final CVSS score, and can be further divided into the following subscores:
  • Impact

    The impact subscore represents metrics for confidentiality impact, integrity impact, and the availability impact of a successfully exploited vulnerability.

  • Exploitability

    In CVSS v2, the exploitability subscore represents metrics for Access Vector, Access Complexity, and Authentication. The subscore measures how the vulnerability is accessed, the complexity of the attack, and the number of times an attacker must authenticate to successfully exploit a vulnerability.

    In CVSS v3, the exploitability subscore represents metrics for Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope. The subscore measures how the vulnerability is accessed, the complexity of the attack, any required privileges, the interaction needed between the attacker and another user, and the impact on resources beyond the vulnerable component.

Temporal

The temporal score represents the characteristics of a vulnerability threat that change over time, and consists of the following metrics:
  • Exploitability (CVSS v2) or Exploit Code Maturity (CVSS v3)

    The availability of techniques or code that can be used to exploit the vulnerability, which changes over time.

  • Remediation Level

    The level of remediation that is available for a vulnerability.

  • Report Confidence

    The level of confidence in the existence of the vulnerability and the credibility of its technical details.

Environmental

The environmental score represents characteristics of the vulnerability that are impacted by the user's environment. Configure the following environmental metrics to highlight the vulnerabilities of important or critical assets by applying higher environmental metrics. Apply the highest scores to the most important assets because losses that are associated with these assets have greater consequences for the organization.

  • Collateral Damage Potential (CDP) (CVSS v2 only)

    The potential for loss of life or physical assets through the damage or theft of this asset, or the economic loss of productivity or revenue.

  • Target Distribution (TD) (CVSS v2 only)

    The proportion of vulnerable systems in your user's environment.

  • Confidentiality Requirement (CR)

    The level of impact to the loss of confidentiality when a vulnerability is exploited on this asset.

  • Integrity Requirement (IR)

    This metric indicates the level of impact to the loss of integrity when a vulnerability is successfully exploited on this asset.

  • Availability Requirement (AR)

    The level of impact to the asset's availability when a vulnerability is successfully exploited on this asset.