Common Vulnerability Scoring System (CVSS) and the National Vulnerability Database (NVD database) help you to properly assess which software vulnerabilities should be your top priority.
Here, we explain what is the National Vulnerability Database (NVD), what is the Common Vulnerability Scoring System, and how CVSS is used to calculate risk.
Read along or jump to the section that interests you the most:
➡️ efficiently identify high-risk vulnerabilities
Back to topWhat Is NVD (NVD Database)?
The National Vulnerability Database (NVD) database is the U.S. government repository of standards-based vulnerability management data.
The National Vulnerability Database is synchronized with the CVE list and provides additional content, including how to fix vulnerabilities, severity scores, and impact ratings. In order to calculate severity scores, the Common Vulnerability Scoring System (CVSS) must be used.
Back to topWhat Is CVSS?
The Common Vulnerability Scoring System (CVSS) is an open industry standard for assessing the severity of software vulnerabilities.
For each vulnerability, the CVSS standard assigns a severity score from 0.0 (the lowest amount of risk) to 10.0 (the highest amount of risk), which enables you to more effectively prioritize remediation of vulnerabilities.
CVSS v3.0 Ratings | |
Severity | Base Score Range |
None | 0.0 |
Low | 0.1 – 3.9 |
Medium | 4.0 – 6.9 |
High | 7.0 – 8.9 |
Critical | 9.0 – 10.0 |
To calculate the base score, you need to input CVSS metrics into the NVD CVSS Calculator. For detailed guidance on how to use the calculator, be sure to refer to the CVSS standards guide.
Back to topWhat Are Common Vulnerability Scoring System (CVSS) Metrics?
Common Vulnerability Scoring System (CVSS) is made up of three groups of metrics: base, temporal, and environmental.
Base Metrics for CVSS
Base metrics for CVSS are divided into two groups: exploitability and impact.
Exploitability Metrics for CVSS
Exploitability metrics for CVSS refer to the characteristics of the piece of software or product that make it vulnerable.
- Attack Vector — Shows how a vulnerability may be exploited.
- Attack Complexity — Refers to how easy or difficult it is to exploit the discovered vulnerability.
- Authentication — Refers to the number of times that an attacker must authenticate to a target to exploit it.
- User Interaction (UI) — Refers to the requirement for a human user — other than the attacker — to participate in the successful compromise of the vulnerable component.
- Privileges Required (PR) — Refers to the level of privileges an attacker must possess before successfully exploiting the vulnerability.
Impact Metrics for CVSS
Impact metrics for CVSS deal with the worst-case scenario if the piece of software or product were to be attacked and the effects of a successfully exploited vulnerability.
- Confidentiality — Refers to the impact on the confidentiality of data processed by the system.
- Integrity — Refers to the impact on the integrity of the exploited system.
- Availability — Refers to the impact on the availability of the target system.
Temporal Metrics for CVSS
Unlike the other CVSS metrics, the value of temporal metrics for CVSS changes over the lifetime of the vulnerability. This is due to exploits being developed, disclosed, and automated along with mitigations and fixes being made available.
- Exploitability — Refers to the current state of exploitation techniques or automated exploitation code.
- Remediation Level — Refers to the amount of mitigations and official fixes that are available to decrease the number of vulnerabilities.
- Report Confidence — Refers to the level of confidence in the existence of the vulnerability and the credibility of the technical details for the vulnerability.
Environmental Metrics for CVSS
The environmental metrics for CVSS use the base metrics score and the temporal metrics score to assess the severity of a vulnerability to the piece of software or product that is currently in development.
- Collateral Damage Potential — Measures the potential loss or impact on either physical assets — such as equipment, hardware, and users — or the financial impact, if the vulnerability is exploited.
- Target Distribution — Measures the proportion of vulnerable systems.
- Impact Subscore Modifier — Measures the specific security requirements for confidentiality, integrity, and availability. This metric enables you to customize the environmental score based upon your environment.
What Are the Top 10 Most Exploited Vulnerabilities?
There are hundreds of vulnerabilities on the CVE list, but these are the top 10 most exploited.
Vulnerability ID | Vulnerability Summary | CVSS Severity |
CVE-2019-19781 | Citrix Application Delivery Controller Vulnerability | 9.8 — Critical |
CVE-2018-7600 | Drupal Remote Code Execution Vulnerability | 9.8 — Critical |
CVE-2015-1641 | Microsoft Office Memory Corruption Vulnerability | 9.3 — Critical |
CVE-2017-8759 | Microsoft .NET Framework Remote Code Execution Vulnerability | 7.8 — High |
CVE-2018-4878 | Adobe Flash Player Vulnerability | 9.8 — Critical |
CVE-2017-0143 | SMB Server Vulnerability in Older Versions of Windows and Windows Server | 8.1 — High |
CVE-2019-0604 | Remote Code Execution Vulnerability in all Modern Versions of Sharepoint | 9.8 — Critical |
CVE-2012-0158 | Microsoft Office Vulnerability | 9.3 — Critical |
CVE-2017-5638 | Apache Struts Vulnerability | 10.0 — Critical |
CVE-2017-0199 | Microsoft Office Remote Code Execution | 7.8 — High |
How SAST Tools Identify High-Risk CVSS Vulnerabilities
A SAST tool, like Klocwork, is the best way to ensure that your code is secure. SAST tools identify and eliminate CVSS vulnerabilities and software defects early on in development. That helps to ensure that your software is secure, reliable, and compliant.
Klocwork helps you:
- Identify and analyze security risks and prioritize severity.
- Fulfill compliance standard requirements.
- Apply and enforce coding standards, including CWE, CERT C/CERT C++, and OWASP/OWASP Top 10.
- Verify and validate through testing.
- Achieve compliance and get certified faster.
📕 Related Content: Visit the SAST tutorial for additional resources.
Use Klocwork to Ensure Software Security
See for yourself how Klocwork can help you enforce software security standards, register for a free trial.