Overview of Common Vulnerability Scoring System (CVSS)

If you’re new to cybersecurity, here’s a useful tool you should understand.

It’s called the Common Vulnerability Scoring System, or CVSS; the number it produces is the CVSS score. In this post, I’ll be referring specifically to version 3.1.

CVSS is a way of turning the characteristics of a vulnerability into a numeric severity score from 0.0 to 10.0, so that findings can be compared and remediation prioritized. Note that it measures severity, not risk: it says nothing about how likely a particular organization is to be attacked or what the business cost would be. The score is calculated from a group of base metrics (intrinsic properties of the vulnerability that don’t change over time or across environments), which can then be adjusted by temporal metrics (exploit maturity, availability of a fix, report confidence) and environmental metrics (how much the affected asset matters in a specific deployment). For the sake of brevity, I’ll only be covering the base metrics.

If you’d like to understand the score calculation in detail, along with the temporal and environmental metrics, the specification is published at FIRST.org/cvss

There are eight metrics in the base metric group; the first five describe how exploitable the vulnerability is, the last three describe the impact of a successful exploit:

  1. Attack Vector (AV): Network, Adjacent, Local, Physical
  2. Attack Complexity (AC): Low, High
  3. Privileges Required (PR): None, Low, High
  4. User Interaction (UI): None, Required
  5. Scope (S): Unchanged, Changed
  6. Confidentiality (C): None, Low, High
  7. Integrity (I): None, Low, High
  8. Availability (A): None, Low, High

These are commonly reported in what is called a vector string: a version prefix followed by the abbreviation and chosen value of each metric, separated by slashes. The one below describes a vulnerability that is exploitable over the network, with no special conditions, no authentication and no user interaction, with high impact on confidentiality, integrity and availability. That combination produces a base score of 9.8 (Critical):

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector reports the context from which the vulnerability can be exploited, i.e. how remote an attacker can be. Network means it can be exploited across a routed network (“remotely exploitable”); Adjacent means the attacker must be on the same physical or logical network, such as the same broadcast domain or within Bluetooth range; Local means the attacker needs a local account on the system or has to rely on a user to run something there; Physical means the attacker must physically touch the device. The more remote the vector, the larger the pool of potential attackers and the higher the score.

Attack Complexity captures conditions beyond the attacker’s control that must exist for exploitation to succeed. Low means the attacker can expect repeatable success with no special conditions; High means the attacker must first do something like win a race condition, gather target-specific configuration details, or get into a man-in-the-middle position. Effort that is already covered by other metrics, such as obtaining an account or getting a user to click something, does not count here.

Privileges Required describes the level of privileges an attacker must already hold on the target before exploiting the vulnerability: None (unauthenticated), Low (a basic user account) or High (administrative control over the component). A detail worth knowing when you check a score by hand: the numeric weights for Low and High are slightly larger when Scope is Changed, so needing privileges costs a little less for a vulnerability that escapes its component.

User Interaction records whether a human other than the attacker has to take part for the exploit to work, for example by clicking a phishing link, opening a malicious attachment or installing a program. None means the attacker can exploit the vulnerability alone; Required means a victim’s action is needed.

Scope reports whether exploiting the vulnerability lets the attacker affect resources beyond the security authority of the vulnerable component. Unchanged means the impact stays within that component; Changed means it crosses a security boundary, as with a sandbox escape, a virtual machine escape to the hypervisor, or cross-site scripting, where a flaw in the web application affects the victim’s browser. A Changed scope raises the score, and the three impact metrics are then rated against the component that suffers the impact rather than the one that holds the bug.

Confidentiality, Integrity and Availability are the three pillars of cybersecurity. In this context, they report the degree to which each pillar is affected should the vulnerability be successfully exploited: None, Low (some loss, such as limited data disclosure, partial modification or reduced performance) or High (total loss, such as all data being readable, arbitrary modification or a complete denial of service). The base score combines these three impact metrics with the five exploitability metrics above, so a vulnerability that is trivially reachable but has negligible impact still scores low, and one with no impact at all scores 0.0 regardless of how exploitable it is.