CVSS Score Calculator


CVSS v3.1 Score Calculator

Calculate the Common Vulnerability Scoring System (CVSS) v3.1 Base Score for a given vulnerability.

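  • Attack Vector (AV): Network (N), Adjacent (A), Local (L), Physical (P)
  • Attack Complexity (AC): Low (L), High (H)
  • Privileges Required (PR): None (N), Low (L), High (H)
  • User Interaction (UI): None (N), Required (R)
  • Scope (S): Unchanged (U), Changed (C)
  • Confidentiality Impact (C): None (N), Low (L), High (H)
  • Integrity Impact (I): None (N), Low (L), High (H)
  • Availability Impact (A): None (N), Low (L), High (H)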


Understanding the CVSS v3.1 Score

The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of computer system security vulnerabilities. It provides a way to capture the primary characteristics of a vulnerability and produce a numerical score reflecting its severity. CVSS v3.1 is the latest iteration, offering improved clarity and metrics.

CVSS Metrics

The CVSS Base score is composed of several metric groups:

Exploitability Metrics:

  • Attack Vector (AV): Describes the context by which vulnerability exploitation is possible.
    • Network (N): Vulnerable system is reachable remotely via the network.
    • Adjacent (A): Vulnerable system is reachable only from a network adjacent to the vulnerable system.
    • Local (L): Vulnerable system is reachable only via local access (e.g., keyboard, console).
    • Physical (P): Vulnerable system is reachable only via physical access.
  • Attack Complexity (AC): Represents the complexity of the attack required to exploit the vulnerability.
    • Low (L): Specialized access conditions or extenuating circumstances do not exist.
    • High (H): Significant hurdles must be overcome for exploitation.
  • Privileges Required (PR): Describes the level of privileges an attacker must possess before successful exploitation.
    • None (N): No privileges are required.
    • Low (L): Low privileges are required (e.g., user account).
    • High (H): High privileges are required (e.g., administrator, root).
  • User Interaction (UI): Measures whether a user must be involved in the exploitation.
    • None (N): No user interaction is required.
    • Required (R): A user must interact with the vulnerability for it to be exploited (e.g., clicking a link).
  • Scope (S): Indicates whether a vulnerability in one component can affect resources beyond its security scope.
    • Unchanged (U): Exploitation impacts only the security scope of the vulnerable component.
    • Changed (C): Exploitation impacts resources beyond the security scope of the vulnerable component.

Impact Metrics:

  • Confidentiality Impact (C): Measures the impact on the confidentiality of information.
    • None (N): No loss of confidentiality.
    • Low (L): Limited disclosure of information.
    • High (H): Total loss of confidentiality; all data is accessible.
  • Integrity Impact (I): Measures the impact on the integrity (trustworthiness and correctness) of information.
    • None (N): No loss of integrity.
    • Low (L): Modification of data is possible but limited.
    • High (H): Total loss of integrity; unauthorized modifications are possible.
  • Availability Impact (A): Measures the impact on the availability of the affected component.
    • None (N): No impact on availability.
    • Low (L): Reduced performance or degraded availability.
    • High (H): Total loss of availability; the component is unresponsive.

CVSS v3.1 Base Score Calculation (Simplified Overview)

The CVSS v3.1 score is calculated using a formula that first determines an Exploitability sub-score and then uses this, along with Scope and Impact metrics, to calculate the final Base Score. The formulas are complex and involve lookup tables and specific rules, particularly when Scope changes.

The core idea is to quantify risk based on how easily a vulnerability can be exploited and the severity of its consequences.

The Calculation Process:

  1. Map discrete metric values to numerical weights. Each option (e.g., "Network" for AV) has an associated numerical value.
  2. Calculate the Exploitability Score (E):
    E = 8.47 * AV * AC * PR * UI
    Where AV, AC, PR, and UI are the numerical weights corresponding to the selected values.
  3. Determine the Impact Score (SI):
    If Scope (S) is Unchanged (U):
    SI = 6.42 * Impact
    Where Impact = 1 - [(1 - C) * (1 - I) * (1 - A)] (C, I, A are numerical weights for Confidentiality, Integrity, Availability).
    If Scope (S) is Changed (C):
    SI = 7.52 * [SI_Unchanged - 0.029] - 3.25 * [SI_Unchanged - 0.02]^15
    Where SI_Unchanged is calculated as above.
  4. Calculate the Base Score (BS):
    If SI is 0:
    BS = 0
    Else if Scope is Unchanged (U):
    BS = RoundUp(Minimum(Exploitability + Impact, 10))
    Else if Scope is Changed (C):
    BS = RoundUp(Minimum(1.08 * (Exploitability + Impact), 10))

The scores are then mapped to qualitative ratings:

  • None: 0.0
  • Low: 0.1 – 3.9
  • Medium: 4.0 – 6.9
  • High: 7.0 – 8.9
  • Critical: 9.0 – 10.0

Use Cases

The CVSS score is crucial for:

  • Prioritization: Helping organizations prioritize vulnerability remediation efforts based on severity.
  • Risk Assessment: Providing a common language and framework for discussing and understanding security risks.
  • Communication: Enabling consistent communication about vulnerability severity between different stakeholders (e.g., vendors, security teams, management).
  • Compliance: Assisting in meeting regulatory and compliance requirements.

// CVSS v3.1 Metric Values (Simplified mapping for calculation)
// Source: FIRST.org CVSS v3.1 Specification
var metricValues = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { N: 0.85, L: 0.62, H: 0.27 }, // Note: PR values differ for Scope Unchanged vs Changed
  UI: { N: 0.85, R: 0.62 },
  C: { N: 0, L: 0.22, H: 0.56 },
  I: { N: 0, L: 0.22, H: 0.56 },
  A: { N: 0, L: 0.22, H: 0.56 }
};

// CVSS v3.1 values for Scope Changed.
// In the specification only the PR weights change with Scope; C, I and A do not.
var metricValuesScopeChanged = {
  PR: { N: 0.85, L: 0.68, H: 0.5 }
};

// RoundUp as defined in the v3.1 specification: the smallest number with one
// decimal place that is >= value. Working on integers avoids floating-point
// noise pushing a score such as 4.0 up to 4.1.
function roundUp(value) {
  var intValue = Math.round(value * 100000);
  if (intValue % 10000 === 0) {
    return intValue / 100000;
  }
  return (Math.floor(intValue / 10000) + 1) / 10;
}

function calculateCvssScore() {
  var av = document.getElementById("AttackVector").value;
  var ac = document.getElementById("AttackComplexity").value;
  var pr = document.getElementById("PrivilegesRequired").value;
  var ui = document.getElementById("UserInteraction").value;
  var scope = document.getElementById("Scope").value;
  var c = document.getElementById("ConfidentialityImpact").value;
  var i = document.getElementById("IntegrityImpact").value;
  var a = document.getElementById("AvailabilityImpact").value;

  // Combined impact of C, I and A before the Scope-dependent formula is applied
  var impactBase = 1.0 - ((1.0 - metricValues.C[c]) * (1.0 - metricValues.I[i]) * (1.0 - metricValues.A[a]));

  var impact;
  var scopeMultiplier = 1.0; // Default for Scope Unchanged
  var exploitabilityMultiplier_PR = metricValues.PR[pr]; // Default PR values

  // Adjust PR and the Impact sub-score based on Scope
  if (scope === "C") {
    exploitabilityMultiplier_PR = metricValuesScopeChanged.PR[pr];
    impact = 7.52 * (impactBase - 0.029) - 3.25 * Math.pow(impactBase - 0.02, 15);
    scopeMultiplier = 1.08;
  } else { // Scope Unchanged
    impact = 6.42 * impactBase;
  }

  // 8.22 is the exploitability coefficient in the FIRST v3.1 specification
  var exploitability = 8.22 * metricValues.AV[av] * metricValues.AC[ac] * exploitabilityMultiplier_PR * metricValues.UI[ui];

  var rawBaseScore;
  if (impact <= 0) {
    rawBaseScore = 0; // No impact means a Base Score of 0
  } else {
    rawBaseScore = Math.min(scopeMultiplier * (exploitability + impact), 10.0); // Cap at 10
  }

  // Round up to one decimal place and format for display
  var baseScore = roundUp(rawBaseScore).toFixed(1);

  document.getElementById("score").innerText = baseScore;
  document.getElementById("score-label").innerText = "Score";

  // Change the color of the score based on its value
  var scoreElement = document.getElementById("score");
  if (parseFloat(baseScore) >= 9.0) {
    scoreElement.style.color = "#dc3545"; // Critical: red
  } else if (parseFloat(baseScore) >= 7.0) {
    scoreElement.style.color = "#ffc107"; // High: orange
  } else if (parseFloat(baseScore) >= 4.0) {
    scoreElement.style.color = "#fd7e14"; // Medium: orange-ish
  } else if (parseFloat(baseScore) >= 0.1) {
    scoreElement.style.color = "#28a745"; // Low: green
  } else {
    scoreElement.style.color = "#6c757d"; // None: gray
  }
}
