The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. CVSS is not a measure of risk. CVSS v2.0 and CVSS v3.x consist of three metric groups: Base, Temporal, and Environmental. The Base metrics result in a numerical score ranging from 0 to 10, which can then be modified by assessing the Temporal and Environmental metrics. A CVSS assessment is also represented as a vector string, a compressed textual representation of the values used to derive the score. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores. Two common uses of CVSS are calculating the severity of vulnerabilities discovered on one's systems and as a factor in prioritization of vulnerability remediation activities. The National Vulnerability Database (NVD) provides CVSS assessments for all publishedCVE records.
The NVD supports Common Vulnerability Scoring System (CVSS) v2.0 and v3.x standards. However, per the NVD CVSS v2.0 Retirementannouncement, we no longer provide CVSS v2.0 assessments for newly published CVE records.The NVD provides CVSS assessments of Base metrics the innate characteristics of each vulnerability. The NVD does not currently provide assessments for Temporal metrics (metrics that change over time due to events external to the vulnerability) or Environmental metrics (metrics customized to reflect the impact of the vulnerability to a particular organization). However, the NVD does supply a CVSS calculator for both CVSS v2.0 and v3.x to allow you to add temporal and environmental data.
The CVSS specifications are owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. The official CVSS documentation can be found at https://www.first.org/cvss/.
NVD CVSS Calculators
| NVD CVSS v2.0 Calculator | NVD CVSS v3.x Calculator |
|---|
Qualitative Severity Ratings
NVD notates qualitative severity ratings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.x as they are defined in the CVSS v3.x specifications.
| CVSS v2.0 Ratings | CVSS v3.x Ratings | ||
|---|---|---|---|
| Severity | Severity Score Range | Severity | Severity Score Range |
| None* | 0.0 | ||
| Low | 0.0-3.9 | Low | 0.1-3.9 |
| Medium | 4.0-6.9 | Medium | 4.0-6.9 |
| High | 7.0-10.0 | High | 7.0-8.9 |
| Critical | 9.0-10.0 | ||
*Note: The CVSS specification allows for the application of vector strings that result in a 0.0 severity score. However, the NVD does not assess CVSS vector strings that have no impacts. Per the CVE Program's definition of a vulnerability, there should not be a CVE record counted that does not cause an impact to confidentiality, integrity, or availability.
NVD Specific CVSS Information
Incomplete Data
With some vulnerabilities, all of the information needed to assess CVSS vector strings may not be available. This typically happens when a vendor or maintainer announces a vulnerability but declines to provide certain details. In such situations, NVD analysts assign CVSS metric values using a worst case scenario approach. Thus, if a published vulnerability provides no details about the vulnerability, NVD analysts will assess that vulnerability as a 10.0 (the highest rating).
Collaboration with Industry
NVD staff are willing to work with the security community regarding CVSS assessment results. If you wish to contribute additional information or request amendments regarding NVD assessed CVSS vector strings, please send email to nvd@nist.gov. We actively work with users that provide us feedback.
Legacy CVSS Information
As of July 13th, 2022, the NVD no longer generates Vector Strings, Qualitative Severity Ratings, or Severity Scores for CVSS v2.0. Existing CVSS v2.0 information will remain in the database but the NVD will no longer actively populate CVSS v2.0 vector strings for newCVEs. This change comes as CISA policies that rely on NVD data fully transition away from CVSS v2.0. NVD analysts will continue to use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, CVSS v3.1, CWE, and CPE Applicability statements.
The NVD began supporting the CVSS v3.1 guidance on September 10th, 2019. The NVD will not be offering CVSS v3.0 and v3.1 vector strings for the same CVE. All new and re-analyzed CVE assessments will be done using the CVSS v3.1 guidance.
Vector strings for the CVE vulnerabilities published between to 11/10/2005 and 11/30/2006 have been upgraded from CVSS version 1.0 data. CVSS v1.0 metrics did not contain the granularity of CVSS v2.0 and so they are marked as "Version 2.0 upgrade from v1.0" within NVD. While these are approximations, they are expected to be reasonably accurate CVSS v2.0 representations.
Vector strings provided for the 13,000 CVE vulnerabilities published prior to 11/9/2005 are approximated from only partially available CVSS metric data. In particular, the following CVSS metrics are only partially available for these vulnerabilities and NVD assumes certain values based on an approximation algorithm: Access Complexity, Authentication, Confidentiality Impact of 'partial', Integrity Impact of 'partial', Availability Impact of 'partial', and the impact biases.
