CVSS Score Calculator (v3.1)

An expert tool to calculate the Common Vulnerability Scoring System v3.1 Base Score for assessing the severity of security vulnerabilities.


The calculator takes the eight v3.1 Base metrics as inputs:

  • Attack Vector (AV): how the vulnerability can be exploited.
  • Attack Complexity (AC): conditions beyond the attacker's control.
  • Privileges Required (PR): privileges an attacker must possess before exploitation.
  • User Interaction (UI): whether a user other than the attacker must participate.
  • Scope (S): whether exploitation can affect resources beyond the vulnerable component.
  • Confidentiality (C): impact on the confidentiality of data.
  • Integrity (I): impact on the integrity of data.
  • Availability (A): impact on the availability of the affected component.

Default result shown by the calculator:

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Base Score: 8.8 (High)
Impact Score: 5.9
Exploitability Score: 2.8

[Chart: Visualization of CVSS Score Components (Impact vs. Exploitability)]

What is a CVSS Score?

The Common Vulnerability Scoring System (CVSS) is an open industry standard, maintained by FIRST.org, for assessing the severity of security vulnerabilities in software and systems. A CVSS score calculator assigns a numerical score to a vulnerability, from 0.0 to 10.0, with higher scores representing greater severity, and produces a vector string that records how the score was derived. It is used by security analysts, developers, and IT managers to prioritize responses and resources.

It is important to understand that CVSS measures technical severity, not risk. A high-severity vulnerability on a non-critical, isolated system may pose less risk than a medium-severity vulnerability on a mission-critical, internet-facing system. The Base Score focuses on the intrinsic qualities of the vulnerability itself; exposure, exploit availability and asset value belong to the Temporal and Environmental metric groups and to a separate risk assessment.

CVSS 3.1 Formula and Explanation

The CVSS v3.1 Base Score is calculated from two sub-scores, the Impact Score and the Exploitability Score, and the Scope (S) metric selects which version of the Impact and Base Score equations applies. Each metric value maps to a fixed numeric weight defined in the specification. Privileges Required is the one metric whose weight also depends on Scope: Low is 0.62 when Scope is Unchanged and 0.68 when Changed, and High is 0.27 and 0.50 respectively.

1. Impact Sub-Score (ISS): This measures the combined impact on confidentiality, integrity, and availability. It is calculated as:
ISS = 1 - [(1 - Confidentiality) × (1 - Integrity) × (1 - Availability)]

2. Impact Score: The ISS is then adjusted based on whether the Scope has changed.

  • If Scope is Unchanged: Impact = 6.42 × ISS
  • If Scope is Changed: Impact = 7.52 × (ISS - 0.029) - 3.25 × (ISS - 0.02)^15

3. Exploitability Score: This measures the ease of exploiting the vulnerability.
Exploitability = 8.22 × AttackVector × AttackComplexity × PrivilegesRequired × UserInteraction

4. Base Score: Finally, the Impact and Exploitability scores are combined.

  • If Impact Score ≤ 0 (all three impact metrics are None): Base Score = 0
  • If Scope is Unchanged: Base Score = Roundup(Minimum(Impact + Exploitability, 10))
  • If Scope is Changed: Base Score = Roundup(Minimum(1.08 × (Impact + Exploitability), 10))

Roundup rounds its input up to one decimal place (7.21 becomes 7.3, 8.708 becomes 8.8). v3.1 defines it with integer arithmetic so that floating-point noise such as 4.000000000000001 still rounds to 4.0 rather than 4.1. The Impact and Exploitability sub-scores shown by calculators and by NVD are rounded to one decimal for display only; the Base Score is always computed from the unrounded values.

For more detailed information on scoring, check out this guide on understanding cybersecurity threats.

Variables Table

This table defines the metrics used by the calculator. All metrics are categorical; the number in parentheses is the weight the metric value contributes to the equations above.

Variable | Meaning | Metric values (weight)
Attack Vector (AV) | The context by which vulnerability exploitation is possible. | Network (0.85), Adjacent (0.62), Local (0.55), Physical (0.20)
Attack Complexity (AC) | The presence of conditions beyond the attacker's control. | Low (0.77), High (0.44)
Privileges Required (PR) | The level of privileges an attacker must possess before exploiting. | None (0.85), Low (0.62, or 0.68 if Scope is Changed), High (0.27, or 0.50 if Scope is Changed)
User Interaction (UI) | The requirement for a user other than the attacker to participate. | None (0.85), Required (0.62)
Scope (S) | Whether exploitation can affect a component beyond the vulnerable one. | Unchanged, Changed (no weight; selects the Impact and Base Score equations and the PR weights)
Confidentiality (C) | The degree of data disclosure. | High (0.56), Low (0.22), None (0)
Integrity (I) | The degree of data modification. | High (0.56), Low (0.22), None (0)
Availability (A) | The degree of impact on the availability of the component. | High (0.56), Low (0.22), None (0)

Practical Examples

Example 1: Critical Remote Code Execution

Consider a vulnerability in a web server that allows an unauthenticated attacker over the internet to execute arbitrary code, gaining full control over the server and its data.

  • Inputs: AV:N, AC:L, PR:N, UI:N, S:C, C:H, I:H, A:H
  • Result: 10.0 (Critical), the maximum score. No privileges or user interaction are needed, every impact metric is High, and the 1.08 Scope-Changed multiplier pushes the total past the cap of 10. Scope Changed is only justified when the compromise crosses a security authority boundary (for example, escaping a container or sandbox to the host). If the web server and the host it runs on are under the same authority, the same inputs with S:U score 9.8, the value seen on many unauthenticated remote code execution CVEs.

Example 2: Local Privilege Escalation

Imagine a vulnerability in a desktop application where an attacker who already has a basic, non-administrative account on the machine can gain administrator rights, but only if another user opens a file the attacker has planted.

  • Inputs: AV:L, AC:L, PR:L, UI:R, S:U, C:H, I:H, A:H
  • Result: 7.3 (High). The Impact Score is at its maximum (5.9 when rounded) because all three impact metrics are High, but the Exploitability Score falls to about 1.3: the attacker needs local access (AV:L, 0.55), an existing low-privileged account (PR:L, 0.62) and a victim's action (UI:R, 0.62). Removing either of the last two conditions (PR:N with UI:R, as with a malicious document sent to the victim, or PR:L with UI:N) raises the score to 7.8, the value commonly seen on local privilege escalation CVEs.

A good next step after finding a vulnerability is to use a CVE lookup tool to find its official score.

How to Use This CVSS Score Calculator

Using this calculator is straightforward:

  1. Select Exploitability Metrics: For each dropdown in the top section (Attack Vector, Complexity, etc.), choose the value that best describes the vulnerability. The helper text below each input provides a brief explanation.
  2. Define Scope: Choose whether the scope is “Unchanged” or “Changed”. This is a critical factor in the final score.
  3. Select Impact Metrics: Choose the impact on Confidentiality, Integrity, and Availability, from “High” to “None”.
  4. Review the Results: The Base Score, severity rating (e.g., “High”), and sub-scores will update in real-time. The vector string, which is a textual representation of your selections, is also generated automatically.
  5. Interpret the Chart: The bar chart visually breaks down the score, making it easy to see the contributions of Impact vs. Exploitability.

Key Factors That Affect the CVSS Score

  • Attack Vector (AV): With all other metrics equal, a vulnerability exploitable over the Network (weight 0.85) scores higher than one reachable only from the Adjacent network (0.62), Locally (0.55) or with Physical access (0.20).
  • Privileges Required (PR): Vulnerabilities requiring None are the most dangerous and lead to higher scores than those requiring High (admin) privileges. When Scope is Changed, the Low and High weights rise (0.62 to 0.68 and 0.27 to 0.50).
  • Scope (S): A Changed scope, where a vulnerability in one component can compromise a component under a different security authority, uses a steeper Impact equation and multiplies the combined score by 1.08, so it significantly increases the score. It is one of the most impactful metrics.
  • Impact Metrics (C, I, A): A "High" impact on all three (Confidentiality, Integrity, and Availability) maximizes the Impact sub-score. If all three are "None", the Base Score is 0 regardless of how easy exploitation is.
  • User Interaction (UI): Requiring user interaction (e.g., clicking a link, opening a file) lowers the score, as it presents an obstacle for the attacker.
  • Attack Complexity (AC): A "High" complexity implies the attacker must overcome conditions beyond their control (for example, winning a race condition or first obtaining a secret), which lowers the overall score. A low-complexity attack is repeatable and easier to perform.

Frequently Asked Questions (FAQ)

Q: What is a CVSS vector string?
A: The vector string (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) is a shorthand way to represent all the metric values that were used to generate a score; the CVSS:3.1 prefix records which version's equations apply and is a required part of the string. This calculator creates it for you automatically. It is essential for sharing and documenting how a score was derived, since anyone with the string can reproduce the score exactly.

Q: Is a high CVSS score always a high risk?
A: Not necessarily. CVSS measures technical severity. Risk is severity combined with environmental context. A 9.8 “Critical” vulnerability on a system with no sensitive data and no internet connection is lower risk than a 7.5 “High” vulnerability on your primary, internet-facing payment server. For better risk assessment, consider using a risk assessment matrix.

Q: What are the CVSS severity ratings?
A: The numerical scores map to qualitative ratings: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0).

Q: What is the difference between CVSS v3.1 and v4.0?
A: CVSS v4.0, published by FIRST in 2023, was introduced to provide more granularity. It adds the Attack Requirements (AT) base metric, drops Scope in favour of separate impact metrics for the Vulnerable System and any Subsequent System, renames the Temporal group to Threat metrics, and labels scores CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE depending on which metric groups are included. v3.1 remains the standard used by most published CVE records, which is why this calculator implements it.

Q: What does a “Changed” Scope mean?
A: Scope is Changed when exploiting the vulnerability lets an attacker affect components governed by a different security authority than the vulnerable component. The specification's examples are a virtual machine or sandbox escape that affects the host, and cross-site scripting, where the vulnerable component is the web application but the impacted component is the victim's browser. A flaw that only lets an attacker act within the vulnerable component's own authority, such as a web application vulnerability that grants full control of that application, is Scope Unchanged even if the damage is severe. Scope Changed usually leads to a noticeably higher score, so it should not be selected just because the vulnerability is serious.

Q: Where can I find official CVSS scores?
A: The National Vulnerability Database (NVD) is the primary source for official CVSS scores for publicly disclosed vulnerabilities (CVEs). You can search for them using a CVE lookup tool.

Q: Can a CVSS score change over time?
A: The Base Score, which this calculator computes, is designed to be constant over time and across environments. CVSS also defines Temporal metrics (Exploit Code Maturity, Remediation Level, Report Confidence), which change as exploits and patches appear and can only lower the Base Score, and Environmental metrics, which adjust the score up or down for a specific deployment. Applying strong patch management best practices can mitigate the real-world risk, even if the Base Score remains high.

Q: Why did my score not change when I changed an impact metric?
A: Three things can mask a change. First, Roundup: the Base Score is rounded up to one decimal, so a small change in a sub-score may not move it across the next 0.1 boundary. Second, the cap at 10.0: if the unrounded total already exceeds 10 (common with Scope Changed and High impacts), lowering one impact metric from High to Low can leave the score at 10.0. Third, the Impact equation for Scope Changed is non-linear, so the same change in ISS shifts the score by a different amount than it would with Scope Unchanged. Changing an impact metric always changes the unrounded sub-scores, so if nothing moves, check the rounding and the cap rather than the inputs.


This calculator is for educational and informational purposes only. Always consult the official CVSS v3.1 Specification and User Guide from FIRST.org for authoritative guidance.


