The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a reproducible temporal and environmental score. This calculator uses CVSS v3.1 metrics.
Base Metrics
These metrics represent the intrinsic characteristics of a vulnerability that are constant over time and across user environments.
Temporal Metrics (Optional)
These metrics reflect the characteristics of a vulnerability that change over time but not across user environments.
Environmental Metrics (Optional)
These metrics allow for customization of the CVSS score depending on the importance of the affected IT asset to a user's organization.
CVSS scores range from 0.0 to 10.0, with higher scores indicating greater severity. The scores are categorized as follows:
None: 0.0
Low: 0.1 – 3.9
Medium: 4.0 – 6.9
High: 7.0 – 8.9
Critical: 9.0 – 10.0
The calculator provides three types of scores:
Base Score: Represents the intrinsic severity of a vulnerability, constant over time and across user environments.
Temporal Score: Modifies the Base Score to reflect the current state of exploit techniques, remediation availability, and confidence in the vulnerability report.
Environmental Score: Customizes the Temporal Score based on the specific importance of the affected IT asset to an organization, considering factors like confidentiality, integrity, and availability requirements.
Understanding CVSS Metrics
Each metric contributes to the overall score, providing a detailed picture of the vulnerability's characteristics:
Attack Vector (AV): How the vulnerability is exploited (Network, Adjacent, Local, Physical).
Attack Complexity (AC): The difficulty of exploiting the vulnerability (Low, High).
Privileges Required (PR): The level of privileges an attacker needs (None, Low, High).
User Interaction (UI): Whether a user must perform an action for the attack to succeed (None, Required).
Scope (S): Whether the vulnerability can impact resources beyond the vulnerable component's security scope (Unchanged, Changed).
Confidentiality (C), Integrity (I), Availability (A): The impact on these security properties if the vulnerability is exploited (High, Low, None).
Exploit Code Maturity (E): The current state of exploit techniques (Not Defined, High, Functional, Proof-of-Concept, Unproven).
Remediation Level (RL): The availability of a fix (Not Defined, Official Fix, Temporary Fix, Workaround, Unavailable).
Report Confidence (RC): The degree of confidence in the existence and exploitability of the vulnerability (Not Defined, Confirmed, Reasonable, Unknown).
Confidentiality/Integrity/Availability Requirement (CR/IR/AR): The importance of these security properties to the organization (Not Defined, High, Medium, Low).
Modified Attack Vector/Complexity/Privileges/User Interaction/Scope/Confidentiality/Integrity/Availability (MAV/MAC/MPR/MUI/MS/MC/MI/MA): These metrics allow an analyst to override the Base Metrics to reflect the specific environmental conditions.
Example Scenario: Web Application SQL Injection
Consider a SQL Injection vulnerability in a public-facing web application. Let's calculate its CVSS score:
Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely over the network.
Attack Complexity (AC): Low (L) – No specialized conditions or extensive prior knowledge are required.
Privileges Required (PR): None (N) – An attacker does not need any special privileges to exploit it.
User Interaction (UI): None (N) – No user interaction is required for the attack.
Scope (S): Changed (C) – A successful SQL injection might allow an attacker to access or modify data outside the web application's immediate security context (e.g., the underlying database).
Confidentiality (C): High (H) – Sensitive data in the database could be fully disclosed.
Integrity (I): High (H) – Data in the database could be fully modified or deleted.
Availability (A): High (H) – The database or application could be rendered unavailable.
Using these Base Metrics, the calculator would yield a Base Score of 10.0 (Critical). The vector string would be: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Remediation Level (RL): Official Fix (O) – The vendor has released a patch.
Report Confidence (RC): Confirmed (C) – The vulnerability has been confirmed by the vendor.
With these Temporal Metrics, the Temporal Score would be slightly reduced from the Base Score, reflecting the availability of a fix and confirmed status, but still very high.
Finally, for Environmental Metrics, if the web application handles highly sensitive customer data (e.g., financial information), the organization might set:
Confidentiality Requirement (CR): High (H)
Integrity Requirement (IR): High (H)
Availability Requirement (AR): High (H)
These requirements would likely keep the Environmental Score very high, potentially matching the Base Score if the impact is already high, or even slightly increasing it if the base impact was lower but the requirement is high.
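The scenario above, as an added example that is not the calculator's own code: a CVSS v3.1 vector-string parser and scorer that validates the vector before computing Base and Temporal scores. It is narrowed to Base and Temporal metrics and rejects Environmental metrics rather than silently ignoring them; the function names are assumptions chosen for illustration.

```javascript
// Added example, not the page's code. Weights are from the CVSS v3.1 specification.
const W = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 }, AC: { L: 0.77, H: 0.44 },
  PR: { N: [0.85, 0.85], L: [0.62, 0.68], H: [0.27, 0.5] }, // [Scope U, Scope C]
  UI: { N: 0.85, R: 0.62 }, S: { U: 0, C: 1 },              // S value = index into PR
  C: { H: 0.56, L: 0.22, N: 0 }, I: { H: 0.56, L: 0.22, N: 0 }, A: { H: 0.56, L: 0.22, N: 0 },
  E: { X: 1, H: 1, F: 0.97, P: 0.94, U: 0.91 },
  RL: { X: 1, O: 0.95, T: 0.96, W: 0.97, U: 1 },
  RC: { X: 1, C: 1, R: 0.96, U: 0.92 },
};
const BASE = ["AV", "AC", "PR", "UI", "S", "C", "I", "A"];
// Own-property check so names like "constructor" are not accepted via the prototype.
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Roundup as defined in the v3.1 specification (integer math avoids float drift).
function roundUp(x) {
  const n = Math.round(x * 100000);
  return n % 10000 === 0 ? n / 100000 : (Math.floor(n / 10000) + 1) / 10;
}

// Validate prefix, metric names and values, duplicates, and presence of all
// eight Base metrics. Throws on anything unexpected.
function parseVector(vector) {
  const [prefix, ...parts] = String(vector).trim().split("/");
  if (prefix !== "CVSS:3.1") throw new Error("unsupported prefix: " + prefix);
  const m = {};
  for (const part of parts) {
    const [k, v, extra] = part.split(":");
    if (!has(W, k) || !has(W[k], v) || extra !== undefined)
      throw new Error("invalid metric: " + part);
    if (has(m, k)) throw new Error("duplicate metric: " + k);
    m[k] = v;
  }
  for (const k of BASE) if (!has(m, k)) throw new Error("missing base metric: " + k);
  return m;
}

function severity(s) {
  return s === 0 ? "None" : s < 4 ? "Low" : s < 7 ? "Medium" : s < 9 ? "High" : "Critical";
}

function score(vector) {
  const m = parseVector(vector), changed = m.S === "C";
  const iss = 1 - (1 - W.C[m.C]) * (1 - W.I[m.I]) * (1 - W.A[m.A]);
  const impact = changed ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15) : 6.42 * iss;
  const expl = 8.22 * W.AV[m.AV] * W.AC[m.AC] * W.PR[m.PR][W.S[m.S]] * W.UI[m.UI];
  const base = impact <= 0 ? 0 : roundUp(Math.min((changed ? 1.08 : 1) * (impact + expl), 10));
  const temporal = roundUp(base * W.E[m.E || "X"] * W.RL[m.RL || "X"] * W.RC[m.RC || "X"]);
  return { base, temporal, baseSeverity: severity(base), temporalSeverity: severity(temporal) };
}
```

Calling `score()` on the scenario's vector with `/RL:O/RC:C` appended (a vector constructed here from the Temporal values the scenario lists) returns the Base and Temporal scores together with their severity bands.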
function calculateCVSS() {
    // Roundup as defined in the CVSS v3.1 specification: round up to one decimal
    // place using integer arithmetic, so floating-point error (for example
    // 4.000000000000001) cannot push a score up by 0.1.
    var roundUp = function(value) {
        var intInput = Math.round(value * 100000);
        if (intInput % 10000 === 0) return intInput / 100000;
        return (Math.floor(intInput / 10000) + 1) / 10;
    };

    // Metric weights for CVSS v3.1
    var metricWeights = {
        AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.20 },
        AC: { L: 0.77, H: 0.44 },
        PR: {
            U: { N: 0.85, L: 0.62, H: 0.27 }, // Unchanged Scope
            C: { N: 0.85, L: 0.68, H: 0.50 }  // Changed Scope
        },
        UI: { N: 0.85, R: 0.62 },
        S: { U: 6.42, C: 7.52 }, // Used in Impact calculation
        C: { H: 0.56, L: 0.22, N: 0.00 },
        I: { H: 0.56, L: 0.22, N: 0.00 },
        A: { H: 0.56, L: 0.22, N: 0.00 },
        E: { X: 1.0, H: 1.0, F: 0.97, P: 0.94, U: 0.91 },
        RL: { X: 1.0, O: 0.95, T: 0.96, W: 0.97, U: 1.0 },
        RC: { X: 1.0, C: 1.0, R: 0.96, U: 0.92 }, // Confirmed carries no reduction
        CR: { X: 1.0, H: 1.5, M: 1.0, L: 0.5 },
        IR: { X: 1.0, H: 1.5, M: 1.0, L: 0.5 },
        AR: { X: 1.0, H: 1.5, M: 1.0, L: 0.5 },
        // Modified metrics use the same weights as base, but are applied conditionally
        MAV: { N: 0.85, A: 0.62, L: 0.55, P: 0.20 },
        MAC: { L: 0.77, H: 0.44 },
        MPR: {
            U: { N: 0.85, L: 0.62, H: 0.27 },
            C: { N: 0.85, L: 0.68, H: 0.50 }
        },
        MUI: { N: 0.85, R: 0.62 },
        MS: { U: 6.42, C: 7.52 },
        MC: { H: 0.56, L: 0.22, N: 0.00 },
        MI: { H: 0.56, L: 0.22, N: 0.00 },
        MA: { H: 0.56, L: 0.22, N: 0.00 }
    };

    // Get selected values
    var av = document.getElementById("av").value;
    var ac = document.getElementById("ac").value;
    var pr = document.getElementById("pr").value;
    var ui = document.getElementById("ui").value;
    var s = document.getElementById("s").value;
    var c = document.getElementById("c").value;
    var i = document.getElementById("i").value;
    var a = document.getElementById("a").value;
    var e = document.getElementById("e").value;
    var rl = document.getElementById("rl").value;
    var rc = document.getElementById("rc").value;
    var cr = document.getElementById("cr").value;
    var ir = document.getElementById("ir").value;
    var ar = document.getElementById("ar").value;
    var mav = document.getElementById("mav").value;
    var mac = document.getElementById("mac").value;
    var mpr = document.getElementById("mpr").value;
    var mui = document.getElementById("mui").value;
    var ms = document.getElementById("ms").value;
    var mc = document.getElementById("mc").value;
    var mi = document.getElementById("mi").value;
    var ma = document.getElementById("ma").value;

    // --- Base Score Calculation ---
    var avWeight = metricWeights.AV[av];
    var acWeight = metricWeights.AC[ac];
    var prWeight = metricWeights.PR[s][pr]; // PR depends on Scope
    var uiWeight = metricWeights.UI[ui];
    var cWeight = metricWeights.C[c];
    var iWeight = metricWeights.I[i];
    var aWeight = metricWeights.A[a];
    var impactSubscore = 1 - ((1 - cWeight) * (1 - iWeight) * (1 - aWeight));
    var impact;
    if (s === 'U') { // Unchanged Scope
        impact = metricWeights.S.U * impactSubscore;
    } else { // Changed Scope
        impact = metricWeights.S.C * (impactSubscore - 0.029) - 3.25 * Math.pow(impactSubscore - 0.02, 15);
    }
    var exploitability = 8.22 * avWeight * acWeight * prWeight * uiWeight;
    var baseScore;
    if (impact <= 0) {
        baseScore = 0;
    } else if (s === 'U') {
        baseScore = roundUp(Math.min((impact + exploitability), 10));
    } else { // Changed Scope
        baseScore = roundUp(Math.min(1.08 * (impact + exploitability), 10));
    }

    // --- Temporal Score Calculation ---
    var eWeight = metricWeights.E[e];
    var rlWeight = metricWeights.RL[rl];
    var rcWeight = metricWeights.RC[rc];
    var temporalScore = roundUp(baseScore * eWeight * rlWeight * rcWeight);

    // --- Environmental Score Calculation ---
    var crWeight = metricWeights.CR[cr];
    var irWeight = metricWeights.IR[ir];
    var arWeight = metricWeights.AR[ar];
    // Determine effective C, I, A values for environmental score
    var mcEffective = (mc === 'X') ? cWeight : metricWeights.MC[mc];
    var miEffective = (mi === 'X') ? iWeight : metricWeights.MI[mi];
    var maEffective = (ma === 'X') ? aWeight : metricWeights.MA[ma];
    // Adjust C, I, A based on requirements
    var cAdjusted = mcEffective * crWeight;
    var iAdjusted = miEffective * irWeight;
    var aAdjusted = maEffective * arWeight;
    // The 0.915 cap applies to the combined sub-score, not to each term
    var modifiedImpactSubscore = Math.min(1 - ((1 - cAdjusted) * (1 - iAdjusted) * (1 - aAdjusted)), 0.915);
    // Determine effective AV, AC, PR, UI for environmental score
    var mavEffective = (mav === 'X') ? avWeight : metricWeights.MAV[mav];
    var macEffective = (mac === 'X') ? acWeight : metricWeights.MAC[mac];
    var msEffective = (ms === 'X') ? s : ms; // Use base scope if modified is X
    // The PR weight depends on Modified Scope even when MPR itself is Not Defined
    var mprEffective = metricWeights.MPR[msEffective][(mpr === 'X') ? pr : mpr];
    var muiEffective = (mui === 'X') ? uiWeight : metricWeights.MUI[mui];
    var modifiedExploitability = 8.22 * mavEffective * macEffective * mprEffective * muiEffective;
    var modifiedImpact;
    if (modifiedImpactSubscore <= 0) {
        modifiedImpact = 0;
    } else if (msEffective === 'U') {
        modifiedImpact = metricWeights.S.U * modifiedImpactSubscore;
    } else { // Changed Scope: v3.1 uses the 0.9731 factor and exponent 13 here
        modifiedImpact = metricWeights.S.C * (modifiedImpactSubscore - 0.029) - 3.25 * Math.pow(modifiedImpactSubscore * 0.9731 - 0.02, 13);
    }
    var modifiedBaseScore;
    if (modifiedImpact <= 0) {
        modifiedBaseScore = 0;
    } else if (msEffective === 'U') {
        modifiedBaseScore = roundUp(Math.min((modifiedImpact + modifiedExploitability), 10));
    } else { // Changed Scope
        modifiedBaseScore = roundUp(Math.min(1.08 * (modifiedImpact + modifiedExploitability), 10));
    }
    var environmentalScore = roundUp(modifiedBaseScore * eWeight * rlWeight * rcWeight);

    // --- CVSS Vector String Generation ---
    var vector = "CVSS:3.1";
    vector += "/AV:" + av + "/AC:" + ac + "/PR:" + pr + "/UI:" + ui + "/S:" + s + "/C:" + c + "/I:" + i + "/A:" + a;
    if (e !== 'X') vector += "/E:" + e;
    if (rl !== 'X') vector += "/RL:" + rl;
    if (rc !== 'X') vector += "/RC:" + rc;
    if (cr !== 'X') vector += "/CR:" + cr;
    if (ir !== 'X') vector += "/IR:" + ir;
    if (ar !== 'X') vector += "/AR:" + ar;
    if (mav !== 'X') vector += "/MAV:" + mav;
    if (mac !== 'X') vector += "/MAC:" + mac;
    if (mpr !== 'X') vector += "/MPR:" + mpr;
    if (mui !== 'X') vector += "/MUI:" + mui;
    if (ms !== 'X') vector += "/MS:" + ms;
    if (mc !== 'X') vector += "/MC:" + mc;
    if (mi !== 'X') vector += "/MI:" + mi;
    if (ma !== 'X') vector += "/MA:" + ma;

    // Display results
    document.getElementById("baseScore").innerText = baseScore.toFixed(1);
    document.getElementById("temporalScore").innerText = (e === 'X' && rl === 'X' && rc === 'X') ? "N/A" : temporalScore.toFixed(1);
    document.getElementById("environmentalScore").innerText = (cr === 'X' && ir === 'X' && ar === 'X' && mav === 'X' && mac === 'X' && mpr === 'X' && mui === 'X' && ms === 'X' && mc === 'X' && mi === 'X' && ma === 'X') ? "N/A" : environmentalScore.toFixed(1);
    document.getElementById("cvssVector").innerText = vector;
}

// Calculate on page load with default values
window.onload = calculateCVSS;