Merged
10 changes: 5 additions & 5 deletions data/json/decision_points/cvss/access_complexity_1_0_0.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,15 @@
"description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
"description": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
},
{
"key": "H",
"name": "High",
"description": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
},
{
"key": "L",
"name": "Low",
"description": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
}
]
}
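Review bot: The Low and High entries in `values` swap positions here while the file is still `access_complexity_1_0_0.json`, and nothing in the hunk says what the ordering convention is. If any consumer reads array position as an ordinal ranking, this changes the meaning of already-published data. State the intended ordering rule in the commit message or docs, and decide whether a reorder of an existing decision point needs a version bump.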
12 changes: 6 additions & 6 deletions data/json/decision_points/cvss/access_complexity_2_0_0.json
Original file line number Diff line number Diff line change
Expand Up @@ -7,19 +7,19 @@
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
"description": "Specialized access conditions or extenuating circumstances do not exist."
"key": "H",
"name": "High",
"description": "Specialized access conditions exist."
},
{
"key": "M",
"name": "Medium",
"description": "The access conditions are somewhat specialized."
},
{
"key": "H",
"name": "High",
"description": "Specialized access conditions exist."
"key": "L",
"name": "Low",
"description": "Specialized access conditions or extenuating circumstances do not exist."
}
]
}
10 changes: 5 additions & 5 deletions data/json/decision_points/cvss/attack_complexity_3_0_0.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,15 @@
"description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
"description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
},
{
"key": "H",
"name": "High",
"description": "A successful attack depends on conditions beyond the attacker's control."
},
{
"key": "L",
"name": "Low",
"description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
}
]
}
10 changes: 5 additions & 5 deletions data/json/decision_points/cvss/attack_complexity_3_0_1.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,15 @@
"description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
"description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
},
{
"key": "H",
"name": "High",
"description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
},
{
"key": "L",
"name": "Low",
"description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
}
]
}
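Review bot: The relocated Low entry still carries a trailing space inside its description string (`...against the vulnerable system. "`), and the top-level description ends the same way (`...obtain a working exploit. "`). Since the Low block is being rewritten anyway, strip the trailing whitespace so exact-match comparisons and rendered text stay clean.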
10 changes: 5 additions & 5 deletions data/json/decision_points/cvss/attack_requirements_1_0_0.json
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,15 @@
"description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
"description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
},
{
"key": "P",
"name": "Present",
"description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
},
{
"key": "N",
"name": "None",
"description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
}
]
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
{
"namespace": "cvss",
"key": "AR_NoX",
"version": "1.1.1",
"name": "Availability Requirement (without Not Defined)",
"description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
"description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
"description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
"description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
}
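Review bot: The description in this new file uses a typographic apostrophe (`analyst’s`), while other decision point files in this PR use the ASCII form (`attacker's` in attack_complexity_3_0_0.json). Pick one form across the data files; the ASCII apostrophe is the safer choice for consumers that grep, diff or compare these strings.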
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
{
"namespace": "cvss",
"key": "CR_NoX",
"version": "1.1.1",
"name": "Confidentiality Requirement (without Not Defined)",
"description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
"description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
"description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
"description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
{
"namespace": "cvss",
"key": "IR_NoX",
"version": "1.1.1",
"name": "Integrity Requirement (without Not Defined)",
"description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
"description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
"description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
"description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
}
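Review bot: The top-level description of `IR_NoX` says "measured in terms of Confidentiality", but the name is "Integrity Requirement" and every value description talks about loss of integrity. This looks copied from `CR_NoX`; change it to "measured in terms of Integrity" before this lands in published data.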
Original file line number Diff line number Diff line change
Expand Up @@ -6,16 +6,16 @@
"description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
"description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
},
{
"key": "H",
"name": "High",
"description": "A successful attack depends on conditions beyond the attacker's control."
},
{
"key": "L",
"name": "Low",
"description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
},
{
"key": "X",
"name": "Not Defined",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,16 +6,16 @@
"description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
"description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
},
{
"key": "H",
"name": "High",
"description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
},
{
"key": "L",
"name": "Low",
"description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
},
{
"key": "X",
"name": "Not Defined",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,16 +6,16 @@
"description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
"description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
},
{
"key": "P",
"name": "Present",
"description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
},
{
"key": "N",
"name": "None",
"description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
},
{
"key": "X",
"name": "Not Defined",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,11 @@
"key": "X",
"name": "Not Defined",
"description": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "S",
"name": "Safety",
"description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
}
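Review bot: The new `S` (Safety) entry is appended after `X` (Not Defined), whereas the reordered files elsewhere in this PR keep `X` as the last value. If position in `values` is meant to carry an ordering, confirm that `X` then `S` is intended here. Separately, the description defines "the Safety metric value" in general terms rather than describing what selecting `S` means for this metric, unlike the sibling values; consider rewording it to match their style.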
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
{
"namespace": "cvss",
"key": "MSA_NoX",
"version": "1.0.1",
"name": "Modified Availability Impact to the Subsequent System (without Not Defined)",
"description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
"description": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
"description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
"key": "H",
"name": "High",
"description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "S",
"name": "Safety",
"description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
{
"namespace": "cvss",
"key": "MSI_NoX",
"version": "1.0.1",
"name": "Modified Integrity Impact to the Subsequent System (without Not Defined)",
"description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "Negligible",
"description": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
"description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
"description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
{
"key": "S",
"name": "Safety",
"description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
}
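Review bot: The top-level description of `MSI_NoX` describes integrity impact on "the system" in general and never mentions the Subsequent System, although the name and all three of N, L and H are scoped to it, and the sibling `MSA_NoX` description does say "on the Subsequent System". Align the description with the metric's scope so a consumer reading only the `description` field does not take it for the Vulnerable System metric.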