CVSS Vector Strings
CVSS Base and Temporal scores are represented as a numeric value and also as a vector string. The vector string is a textual representation of the metric values used to determine the score.
You'll see CVSS scores and vector strings when you view Vulnerability Information for any QID in the KnowledgeBase and in your scan reports.
Not seeing CVSS scores? CVSS Scoring must be enabled for the subscription by a Manager user.
Sample Vector Strings
Here are sample CVSS scores followed by vector strings. (Note: CVSS represents CVSS version 2 and CVSS3.1 represents CVSS version 3.1.)
CVSS Base: 5.5 AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS Temporal: 4.3 E:POC/RL:OF/RC:C
CVSS3 Base: 6.4 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS3 Temporal: 5.8 E:P/RL:O/RC:C
Vector string format
metric:value/metric:value/metric:value/metric:value/metric:value/metric:value
where / is the separator between metric:value pairs
Use the table below to look up metric values in a vector string
For example, the CVSS v2 base vector string "AV:N/AC:L/Au:S/C:P/I:P/A:N" has these values:
AV:N indicates the Access Vector metric has a value of Network.
AC:L indicates the Access Complexity metric has a value of Low.
Au:S indicates the Authentication metric has a value of Single.
C:P indicates the Confidentiality Impact metric has a value of Partial.
I:P indicates the Integrity Impact metric has a value of Partial.
A:N indicates the Availability Impact metric has a value of None.
Metric Values
The CVSS v2 and v3.1 metric values as defined by the CVSS standard are listed below.
CVSS v2: Base Score Metrics
|
Metric Value |
Displayed as |
|
Access Vector (AV) |
|
|
Local |
L |
|
Adjacent Network |
A |
|
Network |
N |
|
Access Complexity (AC) |
|
|
Low |
L |
|
Medium |
M |
|
High |
H |
|
Authentication (Au) |
|
|
None |
N |
|
Single |
S |
|
Multiple |
M |
|
Confidentiality Impact (C) |
|
|
None |
N |
|
Partial |
P |
|
Complete |
C |
|
Integrity Impact (I) |
|
|
None |
N |
|
Partial |
P |
|
Complete |
C |
|
Availability Impact (A) |
|
|
None |
N |
|
Partial |
P |
|
Complete |
C |
CVSS v2: Temporal Score Metrics
|
Metric Value |
Displayed as |
|
Exploitability (E) |
|
|
Not Defined |
ND |
|
Unproven |
U |
|
Proof-of-Concept |
POC |
|
Functional |
F |
|
High |
H |
|
Remediation Level (RL) |
|
|
Not Defined |
ND |
|
Official Fix |
OF |
|
Temporary Fix |
TF |
|
Workaround |
W |
|
Unavailable |
U |
|
Report Confidence (RC) |
|
|
Not Defined |
ND |
|
Unconfirmed |
UC |
|
Uncorroborated |
UR |
|
Confirmed |
C |
CVSS v3.1: Base Score Metrics
|
Metric Value |
Displayed as |
|
Attack Vector (AV) |
|
|
Network |
N |
|
Adjacent Network |
A |
|
Local |
L |
|
Physical |
P |
|
Attack Complexity (AC) |
|
|
Low |
L |
|
High |
H |
|
Privileges Required (PR) |
|
|
None |
N |
|
Low |
L |
|
High |
H |
|
User Interaction (UI) |
|
|
None |
N |
|
Required |
R |
|
Scope |
|
|
Unchanged |
U |
|
Changed |
C |
|
Confidentiality Impact (C) |
|
|
None |
N |
|
Low |
L |
|
High |
H |
|
Integrity Impact (I) |
|
|
None |
N |
|
Low |
L |
|
High |
H |
|
Availability Impact (A) |
|
|
None |
N |
|
Low |
L |
|
High |
H |
CVSS v3.1: Temporal Score Metrics
|
Metric Value |
Displayed as |
|
Exploit Code Maturity (E) |
|
|
Not Defined |
X |
|
Unproven |
U |
|
Proof-of-Concept |
P |
|
Functional |
F |
|
High |
H |
|
Remediation Level (RL) |
|
|
Not Defined |
X |
|
Official Fix |
O |
|
Temporary Fix |
T |
|
Workaround |
W |
|
Unavailable |
U |
|
Report Confidence (RC) |
|
|
Not Defined |
X |
|
Unknown |
U |
|
Reasonable |
R |
|
Confirmed |
C |