CERTCC · sei-vsarvepalli · Feb 17, 2025 · Feb 17, 2025 · Feb 17, 2025 · Feb 17, 2025
@@ -17,4 +17,4 @@
       "description": "Attackers can reliably automate steps 1-4 of the kill chain."
     }
   ]
-}
+}
@@ -0,0 +1,20 @@
+{
+  "namespace": "cvss",
+  "version": "1.0.0",
+  "schemaVersion": "1-0-1",
+  "key": "AC",
+  "name": "Access Complexity",
+  "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+  "values": [
+    {
+      "key": "L",
+      "name": "Low",
+      "description": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
+    },
+    {
+      "key": "H",
+      "name": "High",
+      "description": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
+    }
+  ]
+}
@@ -0,0 +1,25 @@
+{
+  "namespace": "cvss",
+  "version": "2.0.0",
+  "schemaVersion": "1-0-1",
+  "key": "AC",
+  "name": "Access Complexity",
+  "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+  "values": [
+    {
+      "key": "L",
+      "name": "Low",
+      "description": "Specialized access conditions or extenuating circumstances do not exist."
+    },
+    {
+      "key": "M",
+      "name": "Medium",
+      "description": "The access conditions are somewhat specialized."
+    },
+    {
+      "key": "H",
+      "name": "High",
+      "description": "Specialized access conditions exist."
+    }
+  ]
+}
@@ -0,0 +1,20 @@
+{
+  "namespace": "cvss",
+  "version": "1.0.0",
+  "schemaVersion": "1-0-1",
+  "key": "AV",
+  "name": "Access Vector",
+  "description": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
+  "values": [
+    {
+      "key": "L",
+      "name": "Local",
+      "description": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
+    },
+    {
+      "key": "R",
+      "name": "Remote",
+      "description": "The vulnerability is exploitable remotely."
+    }
+  ]
+}
@@ -0,0 +1,25 @@
+{
+  "namespace": "cvss",
+  "version": "2.0.0",
+  "schemaVersion": "1-0-1",
+  "key": "AV",
+  "name": "Access Vector",
+  "description": "This metric reflects the context by which vulnerability exploitation is possible.",
+  "values": [
+    {
+      "key": "L",
+      "name": "Local",
+      "description": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
+    },
+    {
+      "key": "A",
+      "name": "Adjacent Network",
+      "description": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
+    },
+    {
+      "key": "N",
+      "name": "Network",
+      "description": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
+    }
+  ]
+}
@@ -17,4 +17,4 @@
       "description": "A successful attack depends on conditions beyond the attacker's control."
     }
   ]
-}
+}
@@ -17,4 +17,4 @@
       "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
     }
   ]
-}
+}
@@ -17,4 +17,4 @@
       "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
     }
   ]
-}
+}
@@ -27,4 +27,4 @@
       "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
     }
   ]
-}
+}
@@ -27,4 +27,4 @@
       "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
     }
   ]
-}
+}
@@ -17,4 +17,4 @@
       "description": "Authentication is required to access and exploit the vulnerability."
     }
   ]
-}
+}
@@ -22,4 +22,4 @@
       "description": "Authentication is not required to exploit the vulnerability."
     }
   ]
-}
+}
@@ -0,0 +1,20 @@
+{
+  "namespace": "cvss",
+  "version": "1.0.0",
+  "schemaVersion": "1-0-1",
+  "key": "AU",
+  "name": "Automatable",
+  "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
+  "values": [
+    {
+      "key": "N",
+      "name": "No",
+      "description": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+    },
+    {
+      "key": "Y",
+      "name": "Yes",
+      "description": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
+    }
+  ]
+}
@@ -22,4 +22,4 @@
       "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
     }
   ]
-}
+}
@@ -22,4 +22,4 @@
       "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
     }
   ]
-}
+}
@@ -22,4 +22,4 @@
       "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
     }
   ]
-}
+}
@@ -27,4 +27,4 @@
       "description": "This metric value is not defined. See CVSS documentation for details."
     }
   ]
-}
+}
@@ -27,4 +27,4 @@
       "description": "This metric value is not defined. See CVSS documentation for details."
     }
   ]
-}
+}
@@ -27,4 +27,4 @@
       "description": "This metric value is not defined. See CVSS documentation for details."
     }
   ]
-}
+}
@@ -27,4 +27,4 @@
       "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
     }
   ]
-}
+}
@@ -32,4 +32,4 @@
       "description": "This metric value is not defined. See CVSS documentation for details."
     }
   ]
-}
+}
@@ -22,4 +22,4 @@
       "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
     }
   ]
-}
+}
@@ -22,4 +22,4 @@
       "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
     }
   ]
-}
+}
@@ -22,4 +22,4 @@
       "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
     }
   ]
-}
+}
@@ -22,4 +22,4 @@
       "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
     }
   ]
-}
+}
@@ -27,4 +27,4 @@
       "description": "This metric value is not defined. See CVSS documentation for details."
     }
   ]
-}
+}
@@ -27,4 +27,4 @@
       "description": "This metric value is not defined. See CVSS documentation for details."
     }
   ]
-}
+}
@@ -27,4 +27,4 @@
       "description": "This metric value is not defined. See CVSS documentation for details."
     }
   ]
-}
+}
@@ -0,0 +1,25 @@
+{
+  "namespace": "cvss",
+  "version": "1.0.0",
+  "schemaVersion": "1-0-1",
+  "key": "EQ1",
+  "name": "Equivalence Set 1",
+  "description": "AV/PR/UI with 3 levels specified in Table 24",
+  "values": [
+    {
+      "key": "L",
+      "name": "Low",
+      "description": "2: AV:P or not(AV:N or PR:N or UI:N)"
+    },
+    {
+      "key": "M",
+      "name": "Medium",
+      "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
+    },
+    {
+      "key": "H",
+      "name": "High",
+      "description": "0: AV:N and PR:N and UI:N"
+    }
+  ]
+}
@@ -0,0 +1,20 @@
+{
+  "namespace": "cvss",
+  "version": "1.0.0",
+  "schemaVersion": "1-0-1",
+  "key": "EQ2",
+  "name": "Equivalence Set 2",
+  "description": "AC/AT with 2 levels specified in Table 25",
+  "values": [
+    {
+      "key": "L",
+      "name": "Low",
+      "description": "1: not (AC:L and AT:N)"
+    },
+    {
+      "key": "H",
+      "name": "High",
+      "description": "0: AC:L and AT:N"
+    }
+  ]
+}
@@ -0,0 +1,25 @@
+{
+  "namespace": "cvss",
+  "version": "1.0.0",
+  "schemaVersion": "1-0-1",
+  "key": "EQ3",
+  "name": "Equivalence Set 3",
+  "description": "VC/VI/VA with 3 levels specified in Table 26",
+  "values": [
+    {
+      "key": "L",
+      "name": "Low",
+      "description": "2: not (VC:H or VI:H or VA:H)"
+    },
+    {
+      "key": "M",
+      "name": "Medium",
+      "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
+    },
+    {
+      "key": "H",
+      "name": "High",
+      "description": "0: VC:H and VI:H"
+    }
+  ]
+}
@@ -0,0 +1,25 @@
+{
+  "namespace": "cvss",
+  "version": "1.0.0",
+  "schemaVersion": "1-0-1",
+  "key": "EQ4",
+  "name": "Equivalence Set 4",
+  "description": "SC/SI/SA with 3 levels specified in Table 27",
+  "values": [
+    {
+      "key": "L",
+      "name": "Low",
+      "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+    },
+    {
+      "key": "M",
+      "name": "Medium",
+      "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
+    },
+    {
+      "key": "H",
+      "name": "High",
+      "description": "0: MSI:S or MSA:S"
+    }
+  ]
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -17,4 +17,4 @@ @@
           "description": "Attackers can reliably automate steps 1-4 of the kill chain."
         }
       ]
-    }
+    }