
CVSS v2 Vector Definitions

Every application or service that uses the Common Vulnerability Scoring System (CVSS) should provide not only the CVSS score, but also a vector describing the components from which the score was calculated. This provides users of the score confidence in its correctness and provides insight into the nature of the vulnerability.

CVSS vectors always include base metrics and may contain temporal metrics. See the CVSS standard's guide (this is the version 1.0 guide) for detailed descriptions of CVSS metrics and their possible values.


CVSS Base Vectors

CVSS vectors containing only base metrics take the following form:
(AV:[L,A,N]/AC:[H,M,L]/Au:[N,S,M]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C])

The letters within brackets represent possible values of a CVSS metric. Exactly one option must be chosen for each set of brackets. Letters not within brackets are mandatory and must be included in order to create a valid CVSS vector. Each letter or pair of letters is an abbreviation for a metric or metric value within CVSS. These abbreviations are defined below.

Example 1: (AV:L/AC:H/Au:N/C:N/I:P/A:C)
Example 2: (AV:A/AC:L/Au:M/C:C/I:N/A:P)

Metric: AV = AccessVector (Related exploit range)
Possible Values: L = Local access, A = Adjacent network, N = Network

Metric: AC = AccessComplexity (Required attack complexity)
Possible Values: H = High, M = Medium, L = Low

Metric: Au = Authentication (Level of authentication needed to exploit)
Possible Values: N = None required, S = Requires single instance, M = Requires multiple instances

Metric: C = ConfImpact (Confidentiality impact)
Possible Values: N = None, P = Partial, C = Complete

Metric: I = IntegImpact (Integrity impact)
Possible Values: N = None, P = Partial, C = Complete

Metric: A = AvailImpact (Availability impact)
Possible Values: N = None, P = Partial, C = Complete


CVSS Temporal Vectors

CVSS vectors containing temporal metrics are formed by appending the temporal metrics to the base vector. The temporal metrics appended to the base vector take the following form:
/E:[U,P,F,H,ND]/RL:[O,T,W,U,ND]/RC:[UC,UR,C,ND]

Example 1: (AV:L/AC:H/Au:N/C:N/I:P/A:C/E:P/RL:O/RC:C)
Example 2: (AV:A/AC:L/Au:M/C:C/I:N/A:P/E:F/RL:T/RC:UR)

Metric: E = Exploitability (Availability of exploit)
Possible Values: U = Unproven, P = Proof-of-concept, F = Functional, H = High, ND = Not Defined

Metric: RL = RemediationLevel (Type of fix available)
Possible Values: O = Official-fix, T = Temporary-fix, W = Workaround, U = Unavailable, ND = Not Defined

Metric: RC = ReportConfidence (Level of verification that the vulnerability exists)
Possible Values: UC = Unconfirmed, UR = Uncorroborated, C = Confirmed, ND = Not Defined


CVSS Environmental Vectors

CVSS vectors containing environmental metrics are formed by appending the environmental metrics to the temporal vector. The environmental metrics appended to the temporal vector take the following form:
/CDP:[N,L,LM,MH,H,ND]/TD:[N,L,M,H,ND]/CR:[L,M,H,ND]/IR:[L,M,H,ND]/AR:[L,M,H,ND]

Example 1: (AV:L/AC:H/Au:N/C:N/I:P/A:C/E:P/RL:O/RC:C/CDP:L/TD:M/CR:L/IR:L/AR:H)
Example 2: (AV:A/AC:L/Au:M/C:C/I:N/A:P/E:F/RL:T/RC:UR/CDP:MH/TD:H/CR:M/IR:L/AR:M)

Metric: CDP = Collateral Damage Potential (Organization specific potential for loss)
Possible Values: N = None, L = Low, LM = Low-Medium, MH = Medium-High, H = High, ND = Not Defined

Metric: TD = Target Distribution (Percentage of vulnerable systems)
Possible Values: N = None (0%), L = Low (1-25%), M = Medium (26-75%), H = High (76-100%), ND = Not Defined

Metric: CR = System Confidentiality Requirement (draft proposal)
Possible Values: L = Low, M = Medium, H = High, ND = Not Defined

Metric: IR = System Integrity Requirement (draft proposal)
Possible Values: L = Low, M = Medium, H = High, ND = Not Defined

Metric: AR = System Availability Requirement (draft proposal)
Possible Values: L = Low, M = Medium, H = High, ND = Not Defined


CVSS Vectors and CVSS Compatible Products

CVSS compatible products may provide their users access to the NVD CVSS v2 calculator by creating a hyperlink that includes the CVSS vector and, optionally, the vulnerability name. This works for both base and temporal vectors. The hyperlinks should take one of the following forms.

Example base vector hyperlinks to CVSS calculator (with and without vulnerability name):
1. http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:L/AC:H/Au:N/C:N/I:P/A:C)
2. http://nvd.nist.gov/cvss.cfm?version=2&name=example&vector=(AV:A/AC:L/Au:M/C:C/I:N/A:P)

Example temporal vector hyperlinks to CVSS calculator (with and without vulnerability name):
1. http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:L/AC:H/Au:N/C:N/I:P/A:C/E:P/RL:O/RC:C)
2. http://nvd.nist.gov/cvss.cfm?version=2&name=example&vector=(AV:A/AC:L/Au:M/C:C/I:N/A:P/E:F/RL:T/RC:UR)
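
The vector grammar and the calculator link forms described on this page, as an added Python example (not NVD's code): a strict parser that enforces metric order and allowed values, and a link builder that only accepts base or temporal vectors. The function names are hypothetical; accepting vectors without the surrounding parentheses and percent-encoding the vulnerability name are assumptions.

```python
from urllib.parse import quote

# Metric order and allowed values, copied from the definitions on this page.
BASE = [("AV", "L A N"), ("AC", "H M L"), ("Au", "N S M"),
        ("C", "N P C"), ("I", "N P C"), ("A", "N P C")]
TEMPORAL = [("E", "U P F H ND"), ("RL", "O T W U ND"), ("RC", "UC UR C ND")]
ENVIRONMENTAL = [("CDP", "N L LM MH H ND"), ("TD", "N L M H ND"),
                 ("CR", "L M H ND"), ("IR", "L M H ND"), ("AR", "L M H ND")]
# The page defines three layouts: base, base+temporal, base+temporal+environmental.
LAYOUTS = {6: BASE, 9: BASE + TEMPORAL, 14: BASE + TEMPORAL + ENVIRONMENTAL}
CALCULATOR = "http://nvd.nist.gov/cvss.cfm?version=2"  # URL form shown on this page


def parse_cvss2_vector(vector):
    """Return {metric: value} in vector order, or raise ValueError."""
    text = vector.strip()
    if text.startswith("(") and text.endswith(")"):  # assumption: parentheses optional
        text = text[1:-1]
    parts = text.split("/")
    if len(parts) not in LAYOUTS:
        raise ValueError(f"expected 6, 9 or 14 metrics, got {len(parts)}")
    parsed = {}
    for part, (name, allowed) in zip(parts, LAYOUTS[len(parts)]):
        key, sep, value = part.partition(":")
        if not sep or key != name:
            raise ValueError(f"expected metric {name} here, got {part!r}")
        if value not in allowed.split():
            raise ValueError(f"{name}: value {value!r} is not one of {allowed}")
        parsed[name] = value
    return parsed


def calculator_link(vector, name=None):
    """Build the calculator hyperlink for a validated base or temporal vector."""
    parsed = parse_cvss2_vector(vector)
    if "CDP" in parsed:
        raise ValueError("the link form covers base and temporal vectors only")
    canonical = "/".join(f"{k}:{v}" for k, v in parsed.items())
    name_part = f"&name={quote(name, safe='')}" if name else ""
    return f"{CALCULATOR}{name_part}&vector=({canonical})"


if __name__ == "__main__":
    # Constructed inputs: one valid temporal vector, one with an invalid AV value.
    print(calculator_link("(AV:A/AC:L/Au:M/C:C/I:N/A:P/E:F/RL:T/RC:UR)", "example"))
    try:
        parse_cvss2_vector("(AV:LN/AC:L/Au:M/C:C/I:N/A:P)")
    except ValueError as err:
        print("rejected:", err)
```

Validating the vector before embedding it in a link keeps malformed or attacker-supplied strings from a feed out of generated URLs.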
