CVSS v2 Vector Definitions
Every application or service that uses the Common Vulnerability Scoring System (CVSS) should provide not only the CVSS score, but also
a vector describing the components from which the score was calculated. This provides users of the score confidence
in its correctness and provides insight into the nature of the vulnerability.
CVSS vectors always include base metrics and may contain temporal metrics. See the
CVSS standard's guide (this is the version 1.0 guide) for detailed descriptions
of CVSS metrics and their possible values.
CVSS Base Vectors
CVSS vectors containing only base metrics take the following form:
(AV:[L,A,N]/AC:[H,M,L]/Au:[N,S,M]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C])
The letters within brackets represent possible values of a CVSS metric.
Exactly one option must be chosen for each set of brackets. Letters not within brackets are mandatory and must
be included in order to create a valid CVSS vector. Each letter or pair of letters is an abbreviation for a metric
or metric value within CVSS. These abbreviations are defined below.
Example 1:
(AV:L/AC:H/Au:N/C:N/I:P/A:C)
Example 2:
(AV:A/AC:L/Au:M/C:C/I:N/A:P)
Metric: AV = AccessVector (Related exploit range)
Possible Values: L = Local access, A = Adjacent network, N = Network
Metric: AC = AccessComplexity (Required attack complexity)
Possible Values: H = High, M = Medium, L = Low
Metric: Au = Authentication (Level of authentication needed to exploit)
Possible Values: N = None required, S = Requires single instance, M = Requires multiple instances
Metric: C = ConfImpact (Confidentiality impact)
Possible Values: N = None, P = Partial, C = Complete
Metric: I = IntegImpact (Integrity impact)
Possible Values: N = None, P = Partial, C = Complete
Metric: A = AvailImpact (Availability impact)
Possible Values: N = None, P = Partial, C = Complete
CVSS Temporal Vectors
CVSS vectors containing temporal metrics are formed by appending the temporal metrics to the base vector. The temporal
metrics appended to the base vector take the following form:
/E:[U,P,F,H,ND]/RL:[O,T,W,U,ND]/RC:[UC,UR,C,ND]
Example 1:
(AV:L/AC:H/Au:N/C:N/I:P/A:C/E:P/RL:O/RC:C)
Example 2:
(AV:A/AC:L/Au:M/C:C/I:N/A:P/E:F/RL:T/RC:UR)
Metric: E = Exploitability (Availability of exploit)
Possible Values: U = Unproven, P = Proof-of-concept, F = Functional, H = High, ND = Not Defined
Metric: RL = RemediationLevel (Type of fix available)
Possible Values: O = Official-fix, T = Temporary-fix, W = Workaround, U = Unavailable, ND = Not Defined
Metric: RC = ReportConfidence (Level of verification that the vulnerability exists)
Possible Values: UC = Unconfirmed, UR = Uncorroborated, C = Confirmed, ND = Not Defined
CVSS Environmental Vectors
CVSS vectors containing environmental metrics are formed by appending the environmental metrics to the temporal vector. The environmental
metrics appended to the temporal vector take the following form:
/CDP:[N,L,LM,MH,H,ND]/TD:[N,L,M,H,ND]/CR:[L,M,H,ND]/IR:[L,M,H,ND]/AR:[L,M,H,ND]
Example 1:
(AV:L/AC:H/Au:N/C:N/I:P/A:C/E:P/RL:O/RC:C/CDP:L/TD:M/CR:L/IR:L/AR:H)
Example 2:
(AV:A/AC:L/Au:M/C:C/I:N/A:P/E:F/RL:T/RC:UR/CDP:MH/TD:H/CR:M/IR:L/AR:M)
Metric: CDP = Collateral Damage Potential (Organization specific potential for loss)
Possible Values: N = None, L = Low, LM = Low-Medium, MH = Medium-High, H = High, ND = Not Defined
Metric: TD = Target Distribution (Percentage of vulnerable systems)
Possible Values: N = None (0%), L = Low (1-25%), M = Medium (26-75%), H = High (76-100%), ND = Not Defined
Metric: CR = System Confidentiality Requirement (draft proposal)
Possible Values: L = Low, M = Medium, H = High, ND = Not Defined
Metric: IR = System Integrity Requirement (draft proposal)
Possible Values: L = Low, M = Medium, H = High, ND = Not Defined
Metric: AR = System Availability Requirement (draft proposal)
Possible Values: L = Low, M = Medium, H = High, ND = Not Defined
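The base, temporal and environmental forms above can be checked mechanically before a vector is stored or passed to a calculator. The following Python validator is an added example, not NVD's code; the names parse_cvss2_vector, is_valid_cvss2_vector and VectorError are hypothetical. It assumes the metric order shown in the forms is required, that the temporal and environmental groups are each all-or-nothing, and that the surrounding parentheses are optional.

```python
# Metric order and allowed values, copied from the definitions on this page.
BASE = [("AV", "L A N"), ("AC", "H M L"), ("Au", "N S M"),
        ("C", "N P C"), ("I", "N P C"), ("A", "N P C")]
TEMPORAL = [("E", "U P F H ND"), ("RL", "O T W U ND"), ("RC", "UC UR C ND")]
ENVIRONMENTAL = [("CDP", "N L LM MH H ND"), ("TD", "N L M H ND"),
                 ("CR", "L M H ND"), ("IR", "L M H ND"), ("AR", "L M H ND")]
GROUPS = [("base", BASE), ("temporal", TEMPORAL), ("environmental", ENVIRONMENTAL)]
# 6 metrics = base, 9 = base + temporal, 14 = base + temporal + environmental.
GROUPS_BY_LENGTH = {6: 1, 9: 2, 14: 3}


class VectorError(ValueError):
    """Raised when a string is not a well-formed CVSS v2 vector."""


def parse_cvss2_vector(text):
    """Split a vector into {"base": {...}, "temporal": {...}, "environmental": {...}}."""
    body = text.strip()
    # Assumption: parentheses are optional, but must be balanced if present.
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    parts = body.split("/")
    if len(parts) not in GROUPS_BY_LENGTH:
        raise VectorError(f"expected 6, 9 or 14 metrics, got {len(parts)}")
    expected = [(group, metric, values.split())
                for group, metrics in GROUPS[:GROUPS_BY_LENGTH[len(parts)]]
                for metric, values in metrics]
    result = {name: {} for name, _ in GROUPS}
    for part, (group, metric, allowed) in zip(parts, expected):
        name, sep, value = part.partition(":")
        # Assumption: metrics must appear in the order the forms show them.
        if not sep or name != metric:
            raise VectorError(f"expected metric {metric}, got {part!r}")
        if value not in allowed:
            raise VectorError(f"{metric} must be one of {allowed}, got {value!r}")
        result[group][metric] = value
    return result


def is_valid_cvss2_vector(text):
    """True when text parses as a base, temporal or environmental vector."""
    try:
        parse_cvss2_vector(text)
    except VectorError:
        return False
    return True


if __name__ == "__main__":
    # Example 1 of the temporal form on this page.
    print(parse_cvss2_vector("(AV:L/AC:H/Au:N/C:N/I:P/A:C/E:P/RL:O/RC:C)"))
```

Matching is case-sensitive, so Au and AU are different names to this validator, and a vector carrying only part of the temporal or environmental group is rejected.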
CVSS Vectors and CVSS Compatible Products
CVSS compatible products may provide their users access to the NVD CVSS v2 calculator by creating a hyperlink that includes
the CVSS vector and, optionally, the vulnerability name. This works for both base and temporal vectors. The hyperlinks
should take one of the following forms.
Example base vector hyperlinks to CVSS calculator (with and without vulnerability name):
1. http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:L/AC:H/Au:N/C:N/I:P/A:C)
2. http://nvd.nist.gov/cvss.cfm?version=2&name=example&vector=(AV:A/AC:L/Au:M/C:C/I:N/A:P)
Example temporal vector hyperlinks to CVSS calculator (with and without vulnerability name):
1. http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:L/AC:H/Au:N/C:N/I:P/A:C/E:P/RL:O/RC:C)
2. http://nvd.nist.gov/cvss.cfm?version=2&name=example&vector=(AV:A/AC:L/Au:M/C:C/I:N/A:P/E:F/RL:T/RC:UR)