NVD Banner
Vulnerabilities Checklists 800-53/800-53A Product Dictionary Impact Metrics Data Feeds Statistics
Home SCAP SCAP Validated Tools SCAP Events About Contact Vendor Comments

NVD Common Vulnerability Scoring System Support v2

NVD Now Supports CVSS Version 2.0 (June 20, 2007)!!

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritization of vulnerability remediation activities and in calculating the severity of vulnerabilities discovered on one's systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

In particular, NVD supports the Common Vulnerability Scoring System (CVSS) version 2 standard for all CVE vulnerabilities. NVD provides CVSS 'base scores' which represent the innate characteristics of each vulnerability. We do not currently provide 'temporal scores' (scores that change over time due to events external to the vulnerability). However, NVD does provide a CVSS score calculator to allow you to add temporal data and to even calculate environmental scores (scores customized to reflect the impact of the vulnerability on your organization). This calculator contains support for U.S. government agencies to customize vulnerability impact scores based on FIPS 199 System ratings.

Using CVSS support within NVD
1. NVD CVSS v2 Calculator
2. NVD CVSS v2 Concise Calculator (for CVSS experts, automatically generates CVSS vectors)
3. Click on a CVSS score while using NVD to customize that score for your environment
4. Download CVSS scores for all CVE vulnerabilities from the NVD XML feed

CVSS standards information:
1. FIRST CVSS Homepage.
2. CVSS v2 standard specification.
3. CVSS v2 impact vector specification: http://nvd.nist.gov/cvss.cfm?vectorinfo&version=2.


NVD Vulnerability Severity Ratings
NVD provides severity rankings of "Low," "Medium," and "High" in addition to the numeric CVSS scores
but these qualitative rankings are simply mapped from the numeric CVSS scores:
1. Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0-3.9.
2. Vulnerabilities will be labeled "Medium" severity if they have a base CVSS score of 4.0-6.9.
3. Vulnerabilities will be labeled "High" severity if they have a CVSS base score of 7.0-10.0.

Incomplete Data
With some vulnerabilities, all of the information needed to create CVSS scores may not be available. This typically happens when a vendor announces a vulnerability but declines to provide certain details. In such situations, NVD analysts assign CVSS scores using a worst case approach. Thus, if a vendor provides no details about a vulnerability, NVD will score that vulnerability as a 10.0 (the highest rating).

Collaboration with Industry
NVD staff are willing to work with the security community on CVSS impact scoring. If you wish to contribute additional information or corrections regarding the NVD CVSS impact scores, please send email to nvd@nist.gov. We actively work with users that provide us feedback.

Product Integration into CVSS V2 Calculator
CVSS compatible products may provide their users access to the NVD CVSS v2 calculator by creating a hyperlink that includes the CVSS vector and, optionally, the vulnerability name. This works for both base, temporal, and environmental vectors. The hyperlinks should take one of the following forms.

Example base vector hyperlinks to CVSS calculator (with and without vulnerability name):
1. http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:L/AC:H/Au:N/C:N/I:P/A:C)
2. http://nvd.nist.gov/cvss.cfm?version=2&name=example&vector=(AV:A/AC:L/Au:M/C:C/I:N/A:P)

Example environmental vector hyperlinks to CVSS calculator (with and without vulnerability name):
1. http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:L/AC:H/Au:N/C:N/I:P/A:C/E:P/RL:O/RC:C/CDP:L/TD:M/CR:L/IR:L/AR:H)
2. nvd.nist.gov/cvss.cfm?version=2&name=example&vector=(AV:LN/AC:L/Au:M/C:C/I:N/A:P/E:F/RL:T/RC:UR/CDP:MH/TD:H/CR:M/IR:L/AR:M)

Example temporal vector hyperlinks to CVSS calculator (with and without vulnerability name):
1. http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:L/AC:H/Au:N/C:N/I:P/A:C/E:P/RL:O/RC:C)
2. http://nvd.nist.gov/cvss.cfm?version=2&name=example&vector=(AV:A/AC:L/Au:M/C:C/I:N/A:P/E:F/RL:T/RC:UR)

Please see: http://nvd.nist.gov/cvss.cfm?vectorinfov2 for more details on the CVSS product integration.

CVSS Versioning

Scores for the CVE vulnerabilities published between to 11/10/2005 and 11/30/2006 have been upgraded from CVSS version 1 data. CVSS v1 metrics did not contain granularity of CVSS v2 and so these scores are marked as "Version 2.0 upgrade from v1.0" within NVD. While these scores are approximation, they are expected to be reasonably accurate CVSS v2 scores.

Scores provided for the 13,000 CVE vulnerabilities published prior to 11/9/2005 are approximated from only partially available CVSS metric data. Such scores are marked as "Version 2.0 Incomplete approximation" within NVD. In particular, the following CVSS metrics are only partially available for these vulnerabilities and NVD assumes certain values based on an approximation algorithm: AccessComplexity, Authentication, ConfImpact of 'partial', IntegImpact of 'partial', AvailImpact of 'partial', and the impact biases.

Disclaimer Notice & Privacy Statement / Security Notice

Send comments or suggestions to nvd@nist.gov

NIST Computer Security Resource Center (CSRC)

NIST is an Agency of the U.S. Dept. of Commerce

Full vulnerability listing