diff --git a/data/json/decision_points/basic/boundary_proximity_1_0_0.json b/data/json/decision_points/basic/boundary_proximity_1_0_0.json
new file mode 100644
index 00000000..6ac74b82
--- /dev/null
+++ b/data/json/decision_points/basic/boundary_proximity_1_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "basic",
+ "key": "BP",
+ "version": "1.0.0",
+ "name": "Boundary Proximity",
+ "definition": "Indicates whether another value is near a boundary condition, indicating that special consideration may be needed.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "NN",
+ "name": "Not Near Boundary",
+ "definition": "The value is not near a boundary condition"
+ },
+ {
+ "key": "JA",
+ "name": "Just Above Boundary",
+ "definition": "The value is just above a boundary condition"
+ },
+ {
+ "key": "JB",
+ "name": "Just Below Boundary",
+ "definition": "The value is just below a boundary condition"
+ }
+ ]
+}
diff --git a/data/json/decision_points/basic/cis_cti_words_of_estimative_probability_1_0_0.json b/data/json/decision_points/basic/cis_cti_words_of_estimative_probability_1_0_0.json
new file mode 100644
index 00000000..58c79f61
--- /dev/null
+++ b/data/json/decision_points/basic/cis_cti_words_of_estimative_probability_1_0_0.json
@@ -0,0 +1,45 @@
+{
+ "namespace": "basic",
+ "key": "CIS_WEP",
+ "version": "1.0.0",
+ "name": "CIS-CTI Words of Estimative Probability",
+ "definition": "A scale for expressing the likelihood of an event or outcome.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "ANC",
+ "name": "Almost No Chance",
+ "definition": "Probability < 0.05. Almost no chance, remote"
+ },
+ {
+ "key": "VU",
+ "name": "Very Unlikely",
+ "definition": "0.05 <= Probability < 0.20. Very unlikely, highly improbable."
+ },
+ {
+ "key": "U",
+ "name": "Unlikely",
+ "definition": "0.20 <= Probability < 0.45. Unlikely, improbable."
+ },
+ {
+ "key": "REC",
+ "name": "Roughly Even Chance",
+ "definition": "0.45 <= Probability < 0.55. Roughly even chance, roughly even odds."
+ },
+ {
+ "key": "L",
+ "name": "Likely",
+ "definition": "0.55 <= Probability < 0.80. Likely, probable."
+ },
+ {
+ "key": "VL",
+ "name": "Very Likely",
+ "definition": "0.80 <= Probability < 0.95. Very likely, highly probable."
+ },
+ {
+ "key": "AC",
+ "name": "Almost Certain",
+ "definition": "0.95 <= Probability. Almost certain, nearly certain."
+ }
+ ]
+}
diff --git a/data/json/decision_points/basic/median_split_1_0_0.json b/data/json/decision_points/basic/median_split_1_0_0.json
new file mode 100644
index 00000000..b97933e8
--- /dev/null
+++ b/data/json/decision_points/basic/median_split_1_0_0.json
@@ -0,0 +1,20 @@
+{
+ "namespace": "basic",
+ "key": "MEDIAN",
+ "version": "1.0.0",
+ "name": "Median Split",
+ "definition": "A median split divides a distribution into two equal parts, with 50% of the values falling below the median and 50% above it.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "B",
+ "name": "Below Median",
+ "definition": "Quantile < 0.50. The lower half of the range of possible values."
+ },
+ {
+ "key": "A",
+ "name": "Above Median",
+ "definition": "0.50 <= Quantile <= 1.0. The upper half of the range of possible values."
+ }
+ ]
+}
diff --git a/data/json/decision_points/basic/probability_scale_in_2_equal_levels_ascending_1_0_0.json b/data/json/decision_points/basic/probability_scale_in_2_equal_levels_ascending_1_0_0.json
new file mode 100644
index 00000000..b0ee12b3
--- /dev/null
+++ b/data/json/decision_points/basic/probability_scale_in_2_equal_levels_ascending_1_0_0.json
@@ -0,0 +1,20 @@
+{
+ "namespace": "basic",
+ "key": "P_2A",
+ "version": "1.0.0",
+ "name": "Probability Scale in 2 equal levels, ascending",
+ "definition": "A probability scale that divides between less than 50% and greater than or equal to 50%",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "LT50",
+ "name": "Less than 50%",
+ "definition": "0.0 <= Probability < 0.5"
+ },
+ {
+ "key": "GT50",
+ "name": "Greater than 50%",
+ "definition": "0.5 <= Probability <= 1.0"
+ }
+ ]
+}
diff --git a/data/json/decision_points/basic/probability_scale_in_5_equal_levels_ascending_1_0_0.json b/data/json/decision_points/basic/probability_scale_in_5_equal_levels_ascending_1_0_0.json
new file mode 100644
index 00000000..0929b714
--- /dev/null
+++ b/data/json/decision_points/basic/probability_scale_in_5_equal_levels_ascending_1_0_0.json
@@ -0,0 +1,35 @@
+{
+ "namespace": "basic",
+ "key": "P_5A",
+ "version": "1.0.0",
+ "name": "Probability Scale in 5 equal levels, ascending",
+ "definition": "A probability scale with 20% increments",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "P0_20",
+ "name": "Less than 20%",
+ "definition": "Probability < 0.2"
+ },
+ {
+ "key": "P20_40",
+ "name": "20% to 40%",
+ "definition": "0.2 <= Probability < 0.4"
+ },
+ {
+ "key": "P40_60",
+ "name": "40% to 60%",
+ "definition": "0.4 <= Probability < 0.6"
+ },
+ {
+ "key": "P60_80",
+ "name": "60% to 80%",
+ "definition": "0.6 <= Probability < 0.8"
+ },
+ {
+ "key": "P80_100",
+ "name": "Greater than 80%",
+ "definition": "0.8 <= Probability <= 1.0"
+ }
+ ]
+}
diff --git a/data/json/decision_points/basic/probability_scale_in_5_weighted_levels_ascending_1_0_0.json b/data/json/decision_points/basic/probability_scale_in_5_weighted_levels_ascending_1_0_0.json
new file mode 100644
index 00000000..b9e5803a
--- /dev/null
+++ b/data/json/decision_points/basic/probability_scale_in_5_weighted_levels_ascending_1_0_0.json
@@ -0,0 +1,35 @@
+{
+ "namespace": "basic",
+ "key": "P_5X",
+ "version": "1.0.0",
+ "name": "Probability Scale in 5 weighted levels, ascending",
+ "definition": "A probability scale with finer resolution at both extremes",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "VL",
+ "name": "Very Low",
+ "definition": "0% <= Probability < 5%. Highly unlikely."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "definition": "5% <= Probability < 21%. Unlikely."
+ },
+ {
+ "key": "M",
+ "name": "Moderate",
+ "definition": "21% <= Probability < 80%. Somewhat likely."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "80% <= Probability < 96%. Highly likely."
+ },
+ {
+ "key": "VH",
+ "name": "Very High",
+ "definition": "96% <= Probability <= 100%. Almost certain."
+ }
+ ]
+}
diff --git a/data/json/decision_points/basic/quartiles_1_0_0.json b/data/json/decision_points/basic/quartiles_1_0_0.json
new file mode 100644
index 00000000..1766d02f
--- /dev/null
+++ b/data/json/decision_points/basic/quartiles_1_0_0.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "basic",
+ "key": "QUARTILES",
+ "version": "1.0.0",
+ "name": "Quartiles",
+ "definition": "A quartile is one of four equal groups that a population can be divided into according to the distribution of values of a particular variable.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "Q1",
+ "name": "First Quartile",
+ "definition": "Quantile < 0.25. The lowest 25% of the range of possible values."
+ },
+ {
+ "key": "Q2",
+ "name": "Second Quartile",
+ "definition": "0.25 <= Quantile < 0.50. The second lowest 25% of the range of possible values."
+ },
+ {
+ "key": "Q3",
+ "name": "Third Quartile",
+ "definition": "0.50 <= Quantile < 0.75. The second highest 25% of the range of possible values."
+ },
+ {
+ "key": "Q4",
+ "name": "Fourth Quartile",
+ "definition": "0.75 <= Quantile <= 1.0. The highest 25% of the range of possible values."
+ }
+ ]
+}
diff --git a/data/json/decision_points/basic/quintiles_1_0_0.json b/data/json/decision_points/basic/quintiles_1_0_0.json
new file mode 100644
index 00000000..f044687c
--- /dev/null
+++ b/data/json/decision_points/basic/quintiles_1_0_0.json
@@ -0,0 +1,35 @@
+{
+ "namespace": "basic",
+ "key": "QUINTILES",
+ "version": "1.0.0",
+ "name": "Quintiles",
+ "definition": "A quintile is one of five equal groups that a population can be divided into according to the distribution of values of a particular variable.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "Q1",
+ "name": "First Quintile",
+ "definition": "Quantile < 0.20. The lowest 20% of the range of possible values."
+ },
+ {
+ "key": "Q2",
+ "name": "Second Quintile",
+ "definition": "0.20 <= Quantile < 0.40. The second lowest 20% of the range of possible values."
+ },
+ {
+ "key": "Q3",
+ "name": "Third Quintile",
+ "definition": "0.40 <= Quantile < 0.60. The middle 20% of the range of possible values."
+ },
+ {
+ "key": "Q4",
+ "name": "Fourth Quintile",
+ "definition": "0.60 <= Quantile < 0.80. The second highest 20% of the range of possible values."
+ },
+ {
+ "key": "Q5",
+ "name": "Fifth Quintile",
+ "definition": "0.80 <= Quantile <= 1.0. The highest 20% of the range of possible values."
+ }
+ ]
+}
diff --git a/data/json/ssvc_object_registry.json b/data/json/ssvc_object_registry.json
index 70558bb9..453d2a19 100644
--- a/data/json/ssvc_object_registry.json
+++ b/data/json/ssvc_object_registry.json
@@ -6,1174 +6,1229 @@
"DecisionPoint": {
"type": "DecisionPoint",
"namespaces": {
- "cisa": {
- "namespace": "cisa",
+ "basic": {
+ "namespace": "basic",
"keys": {
- "KEV": {
- "key": "KEV",
+ "BP": {
+ "key": "BP",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "cisa",
- "key": "KEV",
+ "namespace": "basic",
+ "key": "BP",
"version": "1.0.0",
- "name": "In KEV",
- "definition": "Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.",
+ "name": "Boundary Proximity",
+ "definition": "Indicates whether another value is near a boundary condition, indicating that special consideration may be needed.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "No",
- "definition": "Vulnerability is not listed in KEV."
+ "key": "NN",
+ "name": "Not Near Boundary",
+ "definition": "The value is not near a boundary condition"
},
{
- "key": "Y",
- "name": "Yes",
- "definition": "Vulnerability is listed in KEV."
+ "key": "JA",
+ "name": "Just Above Boundary",
+ "definition": "The value is just above a boundary condition"
+ },
+ {
+ "key": "JB",
+ "name": "Just Below Boundary",
+ "definition": "The value is just below a boundary condition"
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "No",
- "definition": "Vulnerability is not listed in KEV."
- },
- "Y": {
- "key": "Y",
- "name": "Yes",
- "definition": "Vulnerability is listed in KEV."
+ "NN": {
+ "key": "NN",
+ "name": "Not Near Boundary",
+ "definition": "The value is not near a boundary condition"
+ },
+ "JA": {
+ "key": "JA",
+ "name": "Just Above Boundary",
+ "definition": "The value is just above a boundary condition"
+ },
+ "JB": {
+ "key": "JB",
+ "name": "Just Below Boundary",
+ "definition": "The value is just below a boundary condition"
}
}
}
}
},
- "MP": {
- "key": "MP",
+ "CIS_WEP": {
+ "key": "CIS_WEP",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "cisa",
- "key": "MP",
+ "namespace": "basic",
+ "key": "CIS_WEP",
"version": "1.0.0",
- "name": "Mission Prevalence",
- "definition": "Prevalence of the mission essential functions",
+ "name": "CIS-CTI Words of Estimative Probability",
+ "definition": "A scale for expressing the likelihood of an event or outcome.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "M",
- "name": "Minimal",
- "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions."
+ "key": "ANC",
+ "name": "Almost No Chance",
+ "definition": "Probability < 0.05. Almost no chance, remote"
},
{
- "key": "S",
- "name": "Support",
- "definition": "The vulnerable component only supports MEFs for two or more entities."
+ "key": "VU",
+ "name": "Very Unlikely",
+ "definition": "0.05 <= Probability < 0.20. Very unlikely, highly improbable."
},
{
- "key": "E",
- "name": "Essential",
- "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure."
+ "key": "U",
+ "name": "Unlikely",
+ "definition": "0.20 <= Probability < 0.45. Unlikely, improbable."
+ },
+ {
+ "key": "REC",
+ "name": "Roughly Even Chance",
+ "definition": "0.45 <= Probability < 0.55. Roughly even chance, roughly even odds."
+ },
+ {
+ "key": "L",
+ "name": "Likely",
+ "definition": "0.55 <= Probability < 0.80. Likely, probable."
+ },
+ {
+ "key": "VL",
+ "name": "Very Likely",
+ "definition": "0.80 <= Probability < 0.95. Very likely, highly probable."
+ },
+ {
+ "key": "AC",
+ "name": "Almost Certain",
+ "definition": "0.95 <= Probability. Almost certain, nearly certain."
}
]
},
"values": {
- "M": {
- "key": "M",
- "name": "Minimal",
- "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions."
+ "ANC": {
+ "key": "ANC",
+ "name": "Almost No Chance",
+ "definition": "Probability < 0.05. Almost no chance, remote"
},
- "S": {
- "key": "S",
- "name": "Support",
- "definition": "The vulnerable component only supports MEFs for two or more entities."
+ "VU": {
+ "key": "VU",
+ "name": "Very Unlikely",
+ "definition": "0.05 <= Probability < 0.20. Very unlikely, highly improbable."
},
- "E": {
- "key": "E",
- "name": "Essential",
- "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure."
+ "U": {
+ "key": "U",
+ "name": "Unlikely",
+ "definition": "0.20 <= Probability < 0.45. Unlikely, improbable."
+ },
+ "REC": {
+ "key": "REC",
+ "name": "Roughly Even Chance",
+ "definition": "0.45 <= Probability < 0.55. Roughly even chance, roughly even odds."
+ },
+ "L": {
+ "key": "L",
+ "name": "Likely",
+ "definition": "0.55 <= Probability < 0.80. Likely, probable."
+ },
+ "VL": {
+ "key": "VL",
+ "name": "Very Likely",
+ "definition": "0.80 <= Probability < 0.95. Very likely, highly probable."
+ },
+ "AC": {
+ "key": "AC",
+ "name": "Almost Certain",
+ "definition": "0.95 <= Probability. Almost certain, nearly certain."
}
}
}
}
},
- "CISA": {
- "key": "CISA",
+ "P_5A": {
+ "key": "P_5A",
"versions": {
- "1.1.0": {
- "version": "1.1.0",
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
- "namespace": "cisa",
- "key": "CISA",
- "version": "1.1.0",
- "name": "CISA Levels",
- "definition": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
+ "namespace": "basic",
+ "key": "P_5A",
+ "version": "1.0.0",
+ "name": "Probability Scale in 5 equal levels, ascending",
+ "definition": "A probability scale with 20% increments",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "T",
- "name": "Track",
- "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
+ "key": "P0_20",
+ "name": "Less than 20%",
+ "definition": "Probability < 0.2"
},
{
- "key": "T*",
- "name": "Track*",
- "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
+ "key": "P20_40",
+ "name": "20% to 40%",
+ "definition": "0.2 <= Probability < 0.4"
},
{
- "key": "AT",
- "name": "Attend",
- "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
+ "key": "P40_60",
+ "name": "40% to 60%",
+ "definition": "0.4 <= Probability < 0.6"
},
{
- "key": "AC",
- "name": "Act",
- "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
+ "key": "P60_80",
+ "name": "60% to 80%",
+ "definition": "0.6 <= Probability < 0.8"
+ },
+ {
+ "key": "P80_100",
+ "name": "Greater than 80%",
+ "definition": "0.8 <= Probability <= 1.0"
}
]
},
"values": {
- "T": {
- "key": "T",
- "name": "Track",
- "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
- },
- "T*": {
- "key": "T*",
- "name": "Track*",
- "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
- },
- "AT": {
- "key": "AT",
- "name": "Attend",
- "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
- },
- "AC": {
- "key": "AC",
- "name": "Act",
- "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
+ "P0_20": {
+ "key": "P0_20",
+ "name": "Less than 20%",
+ "definition": "Probability < 0.2"
+ },
+ "P20_40": {
+ "key": "P20_40",
+ "name": "20% to 40%",
+ "definition": "0.2 <= Probability < 0.4"
+ },
+ "P40_60": {
+ "key": "P40_60",
+ "name": "40% to 60%",
+ "definition": "0.4 <= Probability < 0.6"
+ },
+ "P60_80": {
+ "key": "P60_80",
+ "name": "60% to 80%",
+ "definition": "0.6 <= Probability < 0.8"
+ },
+ "P80_100": {
+ "key": "P80_100",
+ "name": "Greater than 80%",
+ "definition": "0.8 <= Probability <= 1.0"
}
}
}
}
- }
- }
- },
- "cvss": {
- "namespace": "cvss",
- "keys": {
- "AC": {
- "key": "AC",
+ },
+ "P_5W": {
+ "key": "P_5W",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "AC",
+ "namespace": "basic",
+ "key": "P_5W",
"version": "1.0.0",
- "name": "Access Complexity",
- "definition": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+ "name": "Probability Scale in 5 weighted levels, ascending",
+ "definition": "A probability scale with higher resolution as probability increases",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "H",
- "name": "High",
- "definition": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
+ "key": "P0_30",
+ "name": "Less than 30%",
+ "definition": "Probability < 0.3"
},
{
- "key": "L",
- "name": "Low",
- "definition": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
+ "key": "P30_55",
+ "name": "30% to 55%",
+ "definition": "0.3 <= Probability < 0.55"
+ },
+ {
+ "key": "P55_75",
+ "name": "55% to 75%",
+ "definition": "0.55 <= Probability < 0.75"
+ },
+ {
+ "key": "P75_90",
+ "name": "75% to 90%",
+ "definition": "0.75 <= Probability < 0.9"
+ },
+ {
+ "key": "P90_100",
+ "name": "Greater than 90%",
+ "definition": "0.9 <= Probability <= 1.0"
}
]
},
"values": {
- "H": {
- "key": "H",
- "name": "High",
- "definition": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
- },
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
+ "P0_30": {
+ "key": "P0_30",
+ "name": "Less than 30%",
+ "definition": "Probability < 0.3"
+ },
+ "P30_55": {
+ "key": "P30_55",
+ "name": "30% to 55%",
+ "definition": "0.3 <= Probability < 0.55"
+ },
+ "P55_75": {
+ "key": "P55_75",
+ "name": "55% to 75%",
+ "definition": "0.55 <= Probability < 0.75"
+ },
+ "P75_90": {
+ "key": "P75_90",
+ "name": "75% to 90%",
+ "definition": "0.75 <= Probability < 0.9"
+ },
+ "P90_100": {
+ "key": "P90_100",
+ "name": "Greater than 90%",
+ "definition": "0.9 <= Probability <= 1.0"
}
}
- },
- "2.0.0": {
- "version": "2.0.0",
+ }
+ }
+ },
+ "P_5X": {
+ "key": "P_5X",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "AC",
- "version": "2.0.0",
- "name": "Access Complexity",
- "definition": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+ "namespace": "basic",
+ "key": "P_5X",
+ "version": "1.0.0",
+ "name": "Probability Scale in 5 weighted levels, ascending",
+ "definition": "A probability scale with finer resolution at both extremes",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "H",
- "name": "High",
- "definition": "Specialized access conditions exist."
+ "key": "VL",
+ "name": "Very Low",
+ "definition": "0% <= Probability < 5%. Highly unlikely."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "definition": "5% <= Probability < 21%. Unlikely."
},
{
"key": "M",
- "name": "Medium",
- "definition": "The access conditions are somewhat specialized."
+ "name": "Moderate",
+ "definition": "21% <= Probability < 80%. Somewhat likely."
},
{
- "key": "L",
- "name": "Low",
- "definition": "Specialized access conditions or extenuating circumstances do not exist."
+ "key": "H",
+ "name": "High",
+ "definition": "80% <= Probability < 96%. Highly likely."
+ },
+ {
+ "key": "VH",
+ "name": "Very High",
+ "definition": "96% <= Probability <= 100%. Almost certain."
}
]
},
"values": {
- "H": {
- "key": "H",
- "name": "High",
- "definition": "Specialized access conditions exist."
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "The access conditions are somewhat specialized."
+ "VL": {
+ "key": "VL",
+ "name": "Very Low",
+ "definition": "0% <= Probability < 5%. Highly unlikely."
},
"L": {
"key": "L",
"name": "Low",
- "definition": "Specialized access conditions or extenuating circumstances do not exist."
+ "definition": "5% <= Probability < 21%. Unlikely."
+ },
+ "M": {
+ "key": "M",
+ "name": "Moderate",
+ "definition": "21% <= Probability < 80%. Somewhat likely."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "80% <= Probability < 96%. Highly likely."
+ },
+ "VH": {
+ "key": "VH",
+ "name": "Very High",
+ "definition": "96% <= Probability <= 100%. Almost certain."
}
}
- },
- "3.0.0": {
- "version": "3.0.0",
+ }
+ }
+ },
+ "P_2A": {
+ "key": "P_2A",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "AC",
- "version": "3.0.0",
- "name": "Attack Complexity",
- "definition": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
+ "namespace": "basic",
+ "key": "P_2A",
+ "version": "1.0.0",
+ "name": "Probability Scale in 2 equal levels, ascending",
+ "definition": "A probability scale that divides between less than 50% and greater than or equal to 50%",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "H",
- "name": "High",
- "definition": "A successful attack depends on conditions beyond the attacker's control."
+ "key": "LT50",
+ "name": "Less than 50%",
+ "definition": "0.0 <= Probability < 0.5"
},
{
- "key": "L",
- "name": "Low",
- "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ "key": "GT50",
+ "name": "Greater than 50%",
+ "definition": "0.5 <= Probability <= 1.0"
}
]
},
"values": {
- "H": {
- "key": "H",
- "name": "High",
- "definition": "A successful attack depends on conditions beyond the attacker's control."
- },
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ "LT50": {
+ "key": "LT50",
+ "name": "Less than 50%",
+ "definition": "0.0 <= Probability < 0.5"
+ },
+ "GT50": {
+ "key": "GT50",
+ "name": "Greater than 50%",
+ "definition": "0.5 <= Probability <= 1.0"
}
}
- },
- "3.0.1": {
- "version": "3.0.1",
+ }
+ }
+ },
+ "MEDIAN": {
+ "key": "MEDIAN",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "AC",
- "version": "3.0.1",
- "name": "Attack Complexity",
- "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
+ "namespace": "basic",
+ "key": "MEDIAN",
+ "version": "1.0.0",
+ "name": "Median Split",
+ "definition": "A median split divides a distribution into two equal parts, with 50% of the values falling below the median and 50% above it.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "H",
- "name": "High",
- "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ "key": "B",
+ "name": "Below Median",
+ "definition": "Quantile < 0.50. The lower half of the range of possible values."
},
{
- "key": "L",
- "name": "Low",
- "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ "key": "A",
+ "name": "Above Median",
+ "definition": "0.50 <= Quantile <= 1.0. The upper half of the range of possible values."
}
]
},
"values": {
- "H": {
- "key": "H",
- "name": "High",
- "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ "B": {
+ "key": "B",
+ "name": "Below Median",
+ "definition": "Quantile < 0.50. The lower half of the range of possible values."
},
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ "A": {
+ "key": "A",
+ "name": "Above Median",
+ "definition": "0.50 <= Quantile <= 1.0. The upper half of the range of possible values."
}
}
}
}
},
- "AT": {
- "key": "AT",
+ "QUARTILES": {
+ "key": "QUARTILES",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "AT",
+ "namespace": "basic",
+ "key": "QUARTILES",
"version": "1.0.0",
- "name": "Attack Requirements",
- "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
+ "name": "Quartiles",
+ "definition": "A quartile is one of four equal groups that a population can be divided into according to the distribution of values of a particular variable.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "P",
- "name": "Present",
- "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
+ "key": "Q1",
+ "name": "First Quartile",
+ "definition": "Quantile < 0.25. The lowest 25% of the range of possible values."
},
{
- "key": "N",
- "name": "None",
- "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ "key": "Q2",
+ "name": "Second Quartile",
+ "definition": "0.25 <= Quantile < 0.50. The second lowest 25% of the range of possible values."
+ },
+ {
+ "key": "Q3",
+ "name": "Third Quartile",
+ "definition": "0.50 <= Quantile < 0.75. The second highest 25% of the range of possible values."
+ },
+ {
+ "key": "Q4",
+ "name": "Fourth Quartile",
+ "definition": "0.75 <= Quantile <= 1.0. The highest 25% of the range of possible values."
}
]
},
"values": {
- "P": {
- "key": "P",
- "name": "Present",
- "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
- },
- "N": {
- "key": "N",
- "name": "None",
- "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ "Q1": {
+ "key": "Q1",
+ "name": "First Quartile",
+ "definition": "Quantile < 0.25. The lowest 25% of the range of possible values."
+ },
+ "Q2": {
+ "key": "Q2",
+ "name": "Second Quartile",
+ "definition": "0.25 <= Quantile < 0.50. The second lowest 25% of the range of possible values."
+ },
+ "Q3": {
+ "key": "Q3",
+ "name": "Third Quartile",
+ "definition": "0.50 <= Quantile < 0.75. The second highest 25% of the range of possible values."
+ },
+ "Q4": {
+ "key": "Q4",
+ "name": "Fourth Quartile",
+ "definition": "0.75 <= Quantile <= 1.0. The highest 25% of the range of possible values."
}
}
}
}
},
- "AV": {
- "key": "AV",
+ "QUINTILES": {
+ "key": "QUINTILES",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "AV",
+ "namespace": "basic",
+ "key": "QUINTILES",
"version": "1.0.0",
- "name": "Access Vector",
- "definition": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
+ "name": "Quintiles",
+ "definition": "A quintile is one of five equal groups that a population can be divided into according to the distribution of values of a particular variable.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Local",
- "definition": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
+ "key": "Q1",
+ "name": "First Quintile",
+ "definition": "Quantile < 0.20. The lowest 20% of the range of possible values."
},
{
- "key": "R",
- "name": "Remote",
- "definition": "The vulnerability is exploitable remotely."
- }
- ]
- },
- "values": {
- "L": {
- "key": "L",
- "name": "Local",
- "definition": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
- },
- "R": {
- "key": "R",
- "name": "Remote",
- "definition": "The vulnerability is exploitable remotely."
- }
- }
- },
- "2.0.0": {
- "version": "2.0.0",
- "obj": {
- "namespace": "cvss",
- "key": "AV",
- "version": "2.0.0",
- "name": "Access Vector",
- "definition": "This metric reflects the context by which vulnerability exploitation is possible.",
- "schemaVersion": "2.0.0",
- "values": [
+ "key": "Q2",
+ "name": "Second Quintile",
+ "definition": "0.20 <= Quantile < 0.40. The second lowest 20% of the range of possible values."
+ },
{
- "key": "L",
- "name": "Local",
- "definition": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
+ "key": "Q3",
+ "name": "Third Quintile",
+ "definition": "0.40 <= Quantile < 0.60. The middle 20% of the range of possible values."
},
{
- "key": "A",
- "name": "Adjacent Network",
- "definition": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
+ "key": "Q4",
+ "name": "Fourth Quintile",
+ "definition": "0.60 <= Quantile < 0.80. The second highest 20% of the range of possible values."
},
{
- "key": "N",
- "name": "Network",
- "definition": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
+ "key": "Q5",
+ "name": "Fifth Quintile",
+ "definition": "0.80 <= Quantile <= 1.0. The highest 20% of the range of possible values."
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Local",
- "definition": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
- },
- "A": {
- "key": "A",
- "name": "Adjacent Network",
- "definition": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
- },
- "N": {
- "key": "N",
- "name": "Network",
- "definition": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
+ "Q1": {
+ "key": "Q1",
+ "name": "First Quintile",
+ "definition": "Quantile < 0.20. The lowest 20% of the range of possible values."
+ },
+ "Q2": {
+ "key": "Q2",
+ "name": "Second Quintile",
+ "definition": "0.20 <= Quantile < 0.40. The second lowest 20% of the range of possible values."
+ },
+ "Q3": {
+ "key": "Q3",
+ "name": "Third Quintile",
+ "definition": "0.40 <= Quantile < 0.60. The middle 20% of the range of possible values."
+ },
+ "Q4": {
+ "key": "Q4",
+ "name": "Fourth Quintile",
+ "definition": "0.60 <= Quantile < 0.80. The second highest 20% of the range of possible values."
+ },
+ "Q5": {
+ "key": "Q5",
+ "name": "Fifth Quintile",
+ "definition": "0.80 <= Quantile <= 1.0. The highest 20% of the range of possible values."
}
}
- },
- "3.0.0": {
- "version": "3.0.0",
+ }
+ }
+ },
+ "IKE": {
+ "key": "IKE",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "AV",
- "version": "3.0.0",
- "name": "Attack Vector",
- "definition": "This metric reflects the context by which vulnerability exploitation is possible. ",
+ "namespace": "basic",
+ "key": "IKE",
+ "version": "1.0.0",
+ "name": "Do, Schedule, Delegate, Delete",
+ "definition": "The Eisenhower outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "P",
- "name": "Physical",
- "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
+ "key": "D",
+ "name": "Delete",
+ "definition": "Delete"
},
{
- "key": "L",
- "name": "Local",
- "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
+ "key": "G",
+ "name": "Delegate",
+ "definition": "Delegate"
},
{
- "key": "A",
- "name": "Adjacent",
- "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ "key": "S",
+ "name": "Schedule",
+ "definition": "Schedule"
},
{
- "key": "N",
- "name": "Network",
- "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
+ "key": "O",
+ "name": "Do",
+ "definition": "Do"
}
]
},
"values": {
- "P": {
- "key": "P",
- "name": "Physical",
- "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
+ "D": {
+ "key": "D",
+ "name": "Delete",
+ "definition": "Delete"
},
- "L": {
- "key": "L",
- "name": "Local",
- "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
+ "G": {
+ "key": "G",
+ "name": "Delegate",
+ "definition": "Delegate"
},
- "A": {
- "key": "A",
- "name": "Adjacent",
- "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ "S": {
+ "key": "S",
+ "name": "Schedule",
+ "definition": "Schedule"
},
- "N": {
- "key": "N",
- "name": "Network",
- "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
+ "O": {
+ "key": "O",
+ "name": "Do",
+ "definition": "Do"
}
}
- },
- "3.0.1": {
- "version": "3.0.1",
+ }
+ }
+ },
+ "LMH": {
+ "key": "LMH",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "AV",
- "version": "3.0.1",
- "name": "Attack Vector",
- "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
+ "namespace": "basic",
+ "key": "LMH",
+ "version": "1.0.0",
+ "name": "LowMediumHigh",
+ "definition": "A Low/Medium/High decision point / outcome group.",
"schemaVersion": "2.0.0",
"values": [
- {
- "key": "P",
- "name": "Physical",
- "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
- },
{
"key": "L",
- "name": "Local",
- "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ "name": "Low",
+ "definition": "Low"
},
{
- "key": "A",
- "name": "Adjacent",
- "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ "key": "M",
+ "name": "Medium",
+ "definition": "Medium"
},
{
- "key": "N",
- "name": "Network",
- "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
+ "key": "H",
+ "name": "High",
+ "definition": "High"
}
]
},
"values": {
- "P": {
- "key": "P",
- "name": "Physical",
- "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
- },
"L": {
"key": "L",
- "name": "Local",
- "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ "name": "Low",
+ "definition": "Low"
},
- "A": {
- "key": "A",
- "name": "Adjacent",
- "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Medium"
},
- "N": {
- "key": "N",
- "name": "Network",
- "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "High"
}
}
}
}
},
- "Au": {
- "key": "Au",
+ "MSCW": {
+ "key": "MSCW",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "Au",
+ "namespace": "basic",
+ "key": "MSCW",
"version": "1.0.0",
- "name": "Authentication",
- "definition": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
+ "name": "MoSCoW",
+ "definition": "The MoSCoW (Must, Should, Could, Won't) outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "Not Required",
- "definition": "Authentication is not required to access or exploit the vulnerability."
+ "key": "W",
+ "name": "Won't",
+ "definition": "Won't"
},
{
- "key": "R",
- "name": "Required",
- "definition": "Authentication is required to access and exploit the vulnerability."
- }
- ]
- },
- "values": {
- "N": {
- "key": "N",
- "name": "Not Required",
- "definition": "Authentication is not required to access or exploit the vulnerability."
- },
- "R": {
- "key": "R",
- "name": "Required",
- "definition": "Authentication is required to access and exploit the vulnerability."
- }
- }
- },
- "2.0.0": {
- "version": "2.0.0",
- "obj": {
- "namespace": "cvss",
- "key": "Au",
- "version": "2.0.0",
- "name": "Authentication",
- "definition": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "M",
- "name": "Multiple",
- "definition": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."
+ "key": "C",
+ "name": "Could",
+ "definition": "Could"
},
{
"key": "S",
- "name": "Single",
- "definition": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."
+ "name": "Should",
+ "definition": "Should"
},
{
- "key": "N",
- "name": "None",
- "definition": "Authentication is not required to exploit the vulnerability."
+ "key": "M",
+ "name": "Must",
+ "definition": "Must"
}
]
},
"values": {
- "M": {
- "key": "M",
- "name": "Multiple",
- "definition": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."
+ "W": {
+ "key": "W",
+ "name": "Won't",
+ "definition": "Won't"
+ },
+ "C": {
+ "key": "C",
+ "name": "Could",
+ "definition": "Could"
},
"S": {
"key": "S",
- "name": "Single",
- "definition": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."
+ "name": "Should",
+ "definition": "Should"
},
- "N": {
- "key": "N",
- "name": "None",
- "definition": "Authentication is not required to exploit the vulnerability."
+ "M": {
+ "key": "M",
+ "name": "Must",
+ "definition": "Must"
}
}
}
}
},
- "A": {
- "key": "A",
+ "VALUE_COMPLEXITY": {
+ "key": "VALUE_COMPLEXITY",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "A",
+ "namespace": "basic",
+ "key": "VALUE_COMPLEXITY",
"version": "1.0.0",
- "name": "Availability Impact",
- "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.",
+ "name": "Value, Complexity",
+ "definition": "The Value/Complexity outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "None",
- "definition": "No impact on availability."
+ "key": "D",
+ "name": "Drop",
+ "definition": "Drop"
},
{
- "key": "P",
- "name": "Partial",
- "definition": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."
+ "key": "R",
+ "name": "Reconsider Later",
+ "definition": "Reconsider Later"
},
{
- "key": "C",
- "name": "Complete",
- "definition": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
+ "key": "E",
+ "name": "Easy Win",
+ "definition": "Easy Win"
+ },
+ {
+ "key": "F",
+ "name": "Do First",
+ "definition": "Do First"
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "No impact on availability."
+ "D": {
+ "key": "D",
+ "name": "Drop",
+ "definition": "Drop"
},
- "P": {
- "key": "P",
- "name": "Partial",
- "definition": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."
+ "R": {
+ "key": "R",
+ "name": "Reconsider Later",
+ "definition": "Reconsider Later"
},
- "C": {
- "key": "C",
- "name": "Complete",
- "definition": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
+ "E": {
+ "key": "E",
+ "name": "Easy Win",
+ "definition": "Easy Win"
+ },
+ "F": {
+ "key": "F",
+ "name": "Do First",
+ "definition": "Do First"
}
}
- },
- "2.0.0": {
- "version": "2.0.0",
+ }
+ }
+ },
+ "YN": {
+ "key": "YN",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "A",
- "version": "2.0.0",
- "name": "Availability Impact",
- "definition": "This metric measures the impact to availability of a successfully exploited vulnerability.",
+ "namespace": "basic",
+ "key": "YN",
+ "version": "1.0.0",
+ "name": "YesNo",
+ "definition": "A Yes/No decision point / outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
- "name": "None",
- "definition": "There is no impact to the availability of the system."
- },
- {
- "key": "L",
- "name": "Low",
- "definition": "There is reduced performance or interruptions in resource availability."
+ "name": "No",
+ "definition": "No"
},
{
- "key": "H",
- "name": "High",
- "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "key": "Y",
+ "name": "Yes",
+ "definition": "Yes"
}
]
},
"values": {
"N": {
"key": "N",
- "name": "None",
- "definition": "There is no impact to the availability of the system."
- },
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "There is reduced performance or interruptions in resource availability."
+ "name": "No",
+ "definition": "No"
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "Y": {
+ "key": "Y",
+ "name": "Yes",
+ "definition": "Yes"
}
}
}
}
- },
- "VA": {
- "key": "VA",
+ }
+ }
+ },
+ "cisa": {
+ "namespace": "cisa",
+ "keys": {
+ "KEV": {
+ "key": "KEV",
"versions": {
- "3.0.0": {
- "version": "3.0.0",
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "VA",
- "version": "3.0.0",
- "name": "Availability Impact to the Vulnerable System",
- "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "namespace": "cisa",
+ "key": "KEV",
+ "version": "1.0.0",
+ "name": "In KEV",
+ "definition": "Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
- "name": "None",
- "definition": "There is no impact to availability within the Vulnerable System."
- },
- {
- "key": "L",
- "name": "Low",
- "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "name": "No",
+ "definition": "Vulnerability is not listed in KEV."
},
{
- "key": "H",
- "name": "High",
- "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "key": "Y",
+ "name": "Yes",
+ "definition": "Vulnerability is listed in KEV."
}
]
},
"values": {
"N": {
"key": "N",
- "name": "None",
- "definition": "There is no impact to availability within the Vulnerable System."
- },
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "name": "No",
+ "definition": "Vulnerability is not listed in KEV."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "Y": {
+ "key": "Y",
+ "name": "Yes",
+ "definition": "Vulnerability is listed in KEV."
}
}
}
}
},
- "AR": {
- "key": "AR",
+ "MP": {
+ "key": "MP",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "cvss",
- "key": "AR",
+ "namespace": "cisa",
+ "key": "MP",
"version": "1.0.0",
- "name": "Availability Requirement",
- "definition": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
+ "name": "Mission Prevalence",
+ "definition": "Prevalence of the mission essential functions",
"schemaVersion": "2.0.0",
"values": [
- {
- "key": "L",
- "name": "Low",
- "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
{
"key": "M",
- "name": "Medium",
- "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "name": "Minimal",
+ "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions."
},
{
- "key": "H",
- "name": "High",
- "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "S",
+ "name": "Support",
+ "definition": "The vulnerable component only supports MEFs for two or more entities."
},
{
- "key": "ND",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "E",
+ "name": "Essential",
+ "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure."
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
"M": {
"key": "M",
- "name": "Medium",
- "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "name": "Minimal",
+ "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "S": {
+ "key": "S",
+ "name": "Support",
+ "definition": "The vulnerable component only supports MEFs for two or more entities."
},
- "ND": {
- "key": "ND",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "E": {
+ "key": "E",
+ "name": "Essential",
+ "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure."
}
}
- },
+ }
+ }
+ },
+ "CISA": {
+ "key": "CISA",
+ "versions": {
"1.1.0": {
"version": "1.1.0",
"obj": {
- "namespace": "cvss",
- "key": "AR",
+ "namespace": "cisa",
+ "key": "CISA",
"version": "1.1.0",
- "name": "Availability Requirement",
- "definition": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
+ "name": "CISA Levels",
+ "definition": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Low",
- "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "T",
+ "name": "Track",
+ "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
},
{
- "key": "M",
- "name": "Medium",
- "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "T*",
+ "name": "Track*",
+ "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
},
{
- "key": "H",
- "name": "High",
- "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "AT",
+ "name": "Attend",
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "AC",
+ "name": "Act",
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "T": {
+ "key": "T",
+ "name": "Track",
+ "definition": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."
},
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "T*": {
+ "key": "T*",
+ "name": "Track*",
+ "definition": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "AT": {
+ "key": "AT",
+ "name": "Attend",
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
},
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "AC": {
+ "key": "AC",
+ "name": "Act",
+ "definition": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
}
}
- },
- "1.1.1": {
- "version": "1.1.1",
+ }
+ }
+ }
+ }
+ },
+ "cvss": {
+ "namespace": "cvss",
+ "keys": {
+ "AC": {
+ "key": "AC",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "AR",
- "version": "1.1.1",
- "name": "Availability Requirement",
- "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.",
+ "key": "AC",
+ "version": "1.0.0",
+ "name": "Access Complexity",
+ "definition": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
"schemaVersion": "2.0.0",
"values": [
- {
- "key": "L",
- "name": "Low",
- "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
- {
- "key": "M",
- "name": "Medium",
- "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
{
"key": "H",
"name": "High",
- "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "L",
+ "name": "Low",
+ "definition": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
"H": {
"key": "H",
"name": "High",
- "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
},
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
}
}
- }
- }
- },
- "AR_NoX": {
- "key": "AR_NoX",
- "versions": {
- "1.1.1": {
- "version": "1.1.1",
+ },
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
"namespace": "cvss",
- "key": "AR_NoX",
- "version": "1.1.1",
- "name": "Availability Requirement (without Not Defined)",
- "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.",
+ "key": "AC",
+ "version": "2.0.0",
+ "name": "Access Complexity",
+ "definition": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Low",
- "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "H",
+ "name": "High",
+ "definition": "Specialized access conditions exist."
},
{
"key": "M",
"name": "Medium",
- "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "The access conditions are somewhat specialized."
},
{
- "key": "H",
- "name": "High",
- "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "L",
+ "name": "Low",
+ "definition": "Specialized access conditions or extenuating circumstances do not exist."
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "Specialized access conditions exist."
},
"M": {
"key": "M",
"name": "Medium",
- "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "The access conditions are somewhat specialized."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Specialized access conditions or extenuating circumstances do not exist."
}
}
- }
- }
- },
- "CDP": {
- "key": "CDP",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "3.0.0": {
+ "version": "3.0.0",
"obj": {
"namespace": "cvss",
- "key": "CDP",
- "version": "1.0.0",
- "name": "Collateral Damage Potential",
- "definition": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.",
+ "key": "AC",
+ "version": "3.0.0",
+ "name": "Attack Complexity",
+ "definition": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "None",
- "definition": "There is no potential for physical or property damage."
+ "key": "H",
+ "name": "High",
+ "definition": "A successful attack depends on conditions beyond the attacker's control."
},
{
"key": "L",
"name": "Low",
- "definition": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."
- },
- {
- "key": "M",
- "name": "Medium",
- "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
- },
- {
- "key": "H",
- "name": "High",
- "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "There is no potential for physical or property damage."
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "A successful attack depends on conditions beyond the attacker's control."
},
"L": {
"key": "L",
"name": "Low",
- "definition": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
- },
- "H": {
- "key": "H",
- "name": "High",
- "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
+ "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
}
}
},
- "2.0.0": {
- "version": "2.0.0",
+ "3.0.1": {
+ "version": "3.0.1",
"obj": {
"namespace": "cvss",
- "key": "CDP",
- "version": "2.0.0",
- "name": "Collateral Damage Potential",
- "definition": "This metric measures the potential for loss of life or physical assets.",
+ "key": "AC",
+ "version": "3.0.1",
+ "name": "Attack Complexity",
+ "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
"schemaVersion": "2.0.0",
"values": [
- {
- "key": "N",
- "name": "None",
- "definition": "There is no potential for loss of life, physical assets, productivity or revenue."
- },
- {
- "key": "LM",
- "name": "Low-Medium",
- "definition": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."
- },
- {
- "key": "MH",
- "name": "Medium-High",
- "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
- },
{
"key": "H",
"name": "High",
- "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
+ "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
},
{
- "key": "ND",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "L",
+ "name": "Low",
+ "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "There is no potential for loss of life, physical assets, productivity or revenue."
- },
- "LM": {
- "key": "LM",
- "name": "Low-Medium",
- "definition": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."
- },
- "MH": {
- "key": "MH",
- "name": "Medium-High",
- "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
- },
"H": {
"key": "H",
"name": "High",
- "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
+ "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
},
- "ND": {
- "key": "ND",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
}
}
}
}
},
- "C": {
- "key": "C",
+ "AT": {
+ "key": "AT",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "C",
+ "key": "AT",
"version": "1.0.0",
- "name": "Confidentiality Impact",
- "definition": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.",
+ "name": "Attack Requirements",
+ "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
"schemaVersion": "2.0.0",
"values": [
- {
- "key": "N",
- "name": "None",
- "definition": "No impact on confidentiality."
- },
{
"key": "P",
- "name": "Partial",
- "definition": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."
+ "name": "Present",
+ "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
},
{
- "key": "C",
- "name": "Complete",
- "definition": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
+ "key": "N",
+ "name": "None",
+ "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
}
]
},
"values": {
+ "P": {
+ "key": "P",
+ "name": "Present",
+ "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
+ },
"N": {
"key": "N",
"name": "None",
- "definition": "No impact on confidentiality."
- },
- "P": {
- "key": "P",
- "name": "Partial",
- "definition": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."
+ "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ }
+ }
+ }
+ }
+ },
+ "AV": {
+ "key": "AV",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
+ "obj": {
+ "namespace": "cvss",
+ "key": "AV",
+ "version": "1.0.0",
+ "name": "Access Vector",
+ "definition": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "L",
+ "name": "Local",
+ "definition": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
+ },
+ {
+ "key": "R",
+ "name": "Remote",
+ "definition": "The vulnerability is exploitable remotely."
+ }
+ ]
+ },
+ "values": {
+ "L": {
+ "key": "L",
+ "name": "Local",
+ "definition": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
},
- "C": {
- "key": "C",
- "name": "Complete",
- "definition": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
+ "R": {
+ "key": "R",
+ "name": "Remote",
+ "definition": "The vulnerability is exploitable remotely."
}
}
},
@@ -1181,436 +1236,421 @@
"version": "2.0.0",
"obj": {
"namespace": "cvss",
- "key": "C",
+ "key": "AV",
"version": "2.0.0",
- "name": "Confidentiality Impact",
- "definition": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
+ "name": "Access Vector",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "None",
- "definition": "There is no loss of confidentiality within the impacted component."
+ "key": "L",
+ "name": "Local",
+ "definition": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
},
{
- "key": "L",
- "name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "key": "A",
+ "name": "Adjacent Network",
+ "definition": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
},
{
- "key": "H",
- "name": "High",
- "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "key": "N",
+ "name": "Network",
+ "definition": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "There is no loss of confidentiality within the impacted component."
- },
"L": {
"key": "L",
- "name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "name": "Local",
+ "definition": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "A": {
+ "key": "A",
+ "name": "Adjacent Network",
+ "definition": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
+ },
+ "N": {
+ "key": "N",
+ "name": "Network",
+ "definition": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
}
}
- }
- }
- },
- "VC": {
- "key": "VC",
- "versions": {
+ },
"3.0.0": {
"version": "3.0.0",
"obj": {
"namespace": "cvss",
- "key": "VC",
+ "key": "AV",
"version": "3.0.0",
- "name": "Confidentiality Impact to the Vulnerable System",
- "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+ "name": "Attack Vector",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. ",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "None",
- "definition": "There is no loss of confidentiality within the impacted component."
+ "key": "P",
+ "name": "Physical",
+ "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
},
{
"key": "L",
- "name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "name": "Local",
+ "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
},
{
- "key": "H",
- "name": "High",
- "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "key": "A",
+ "name": "Adjacent",
+ "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ },
+ {
+ "key": "N",
+ "name": "Network",
+ "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "There is no loss of confidentiality within the impacted component."
+ "P": {
+ "key": "P",
+ "name": "Physical",
+ "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
},
"L": {
"key": "L",
- "name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "name": "Local",
+ "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "A": {
+ "key": "A",
+ "name": "Adjacent",
+ "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ },
+ "N": {
+ "key": "N",
+ "name": "Network",
+ "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
}
}
- }
- }
- },
- "CR": {
- "key": "CR",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "3.0.1": {
+ "version": "3.0.1",
"obj": {
"namespace": "cvss",
- "key": "CR",
- "version": "1.0.0",
- "name": "Confidentiality Requirement",
- "definition": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
+ "key": "AV",
+ "version": "3.0.1",
+ "name": "Attack Vector",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Low",
- "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "P",
+ "name": "Physical",
+ "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
},
{
- "key": "M",
- "name": "Medium",
- "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "L",
+ "name": "Local",
+ "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
},
{
- "key": "H",
- "name": "High",
- "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "A",
+ "name": "Adjacent",
+ "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
},
{
- "key": "ND",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "N",
+ "name": "Network",
+ "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
}
]
},
"values": {
+ "P": {
+ "key": "P",
+ "name": "Physical",
+ "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
+ },
"L": {
"key": "L",
- "name": "Low",
- "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "name": "Local",
+ "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "A": {
+ "key": "A",
+ "name": "Adjacent",
+ "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
},
- "ND": {
- "key": "ND",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "N": {
+ "key": "N",
+ "name": "Network",
+ "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
}
}
- },
- "1.1.0": {
- "version": "1.1.0",
+ }
+ }
+ },
+ "Au": {
+ "key": "Au",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "CR",
- "version": "1.1.0",
- "name": "Confidentiality Requirement",
- "definition": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
+ "key": "Au",
+ "version": "1.0.0",
+ "name": "Authentication",
+ "definition": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Low",
- "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
- {
- "key": "M",
- "name": "Medium",
- "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
- {
- "key": "H",
- "name": "High",
- "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "N",
+ "name": "Not Required",
+ "definition": "Authentication is not required to access or exploit the vulnerability."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "R",
+ "name": "Required",
+ "definition": "Authentication is required to access and exploit the vulnerability."
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
- "H": {
- "key": "H",
- "name": "High",
- "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "N": {
+ "key": "N",
+ "name": "Not Required",
+ "definition": "Authentication is not required to access or exploit the vulnerability."
},
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "R": {
+ "key": "R",
+ "name": "Required",
+ "definition": "Authentication is required to access and exploit the vulnerability."
}
}
},
- "1.1.1": {
- "version": "1.1.1",
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
"namespace": "cvss",
- "key": "CR",
- "version": "1.1.1",
- "name": "Confidentiality Requirement",
- "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
+ "key": "Au",
+ "version": "2.0.0",
+ "name": "Authentication",
+ "definition": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
"schemaVersion": "2.0.0",
"values": [
- {
- "key": "L",
- "name": "Low",
- "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
{
"key": "M",
- "name": "Medium",
- "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "name": "Multiple",
+ "definition": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."
},
{
- "key": "H",
- "name": "High",
- "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "S",
+ "name": "Single",
+ "definition": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "N",
+ "name": "None",
+ "definition": "Authentication is not required to exploit the vulnerability."
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
- },
"M": {
"key": "M",
- "name": "Medium",
- "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "name": "Multiple",
+ "definition": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "S": {
+ "key": "S",
+ "name": "Single",
+ "definition": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."
},
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "Authentication is not required to exploit the vulnerability."
}
}
}
}
},
- "CR_NoX": {
- "key": "CR_NoX",
+ "A": {
+ "key": "A",
"versions": {
- "1.1.1": {
- "version": "1.1.1",
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "CR_NoX",
- "version": "1.1.1",
- "name": "Confidentiality Requirement (without Not Defined)",
- "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
+ "key": "A",
+ "version": "1.0.0",
+ "name": "Availability Impact",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Low",
- "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "N",
+ "name": "None",
+ "definition": "No impact on availability."
},
{
- "key": "M",
- "name": "Medium",
- "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "P",
+ "name": "Partial",
+ "definition": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."
},
{
- "key": "H",
- "name": "High",
- "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "key": "C",
+ "name": "Complete",
+ "definition": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "No impact on availability."
},
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "P": {
+ "key": "P",
+ "name": "Partial",
+ "definition": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "C": {
+ "key": "C",
+ "name": "Complete",
+ "definition": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
}
}
- }
- }
- },
- "EQ1": {
- "key": "EQ1",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
"namespace": "cvss",
- "key": "EQ1",
- "version": "1.0.0",
- "name": "Equivalence Set 1",
- "definition": "AV/PR/UI with 3 levels specified in Table 24",
+ "key": "A",
+ "version": "2.0.0",
+ "name": "Availability Impact",
+ "definition": "This metric measures the impact to availability of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Low",
- "definition": "2: AV:P or not(AV:N or PR:N or UI:N)"
+ "key": "N",
+ "name": "None",
+ "definition": "There is no impact to the availability of the system."
},
{
- "key": "M",
- "name": "Medium",
- "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
+ "key": "L",
+ "name": "Low",
+ "definition": "There is reduced performance or interruptions in resource availability."
},
{
"key": "H",
"name": "High",
- "definition": "0: AV:N and PR:N and UI:N"
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
},
"values": {
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no impact to the availability of the system."
+ },
"L": {
"key": "L",
"name": "Low",
- "definition": "2: AV:P or not(AV:N or PR:N or UI:N)"
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
+ "definition": "There is reduced performance or interruptions in resource availability."
},
"H": {
"key": "H",
"name": "High",
- "definition": "0: AV:N and PR:N and UI:N"
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
}
}
}
},
- "EQ2": {
- "key": "EQ2",
+ "VA": {
+ "key": "VA",
"versions": {
- "1.0.0": {
- "version": "1.0.0",
+ "3.0.0": {
+ "version": "3.0.0",
"obj": {
"namespace": "cvss",
- "key": "EQ2",
- "version": "1.0.0",
- "name": "Equivalence Set 2",
- "definition": "AC/AT with 2 levels specified in Table 25",
+ "key": "VA",
+ "version": "3.0.0",
+ "name": "Availability Impact to the Vulnerable System",
+ "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
+ {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no impact to availability within the Vulnerable System."
+ },
{
"key": "L",
"name": "Low",
- "definition": "1: not (AC:L and AT:N)"
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
},
{
"key": "H",
"name": "High",
- "definition": "0: AC:L and AT:N"
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
},
"values": {
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no impact to availability within the Vulnerable System."
+ },
"L": {
"key": "L",
"name": "Low",
- "definition": "1: not (AC:L and AT:N)"
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
},
"H": {
"key": "H",
"name": "High",
- "definition": "0: AC:L and AT:N"
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
}
}
}
},
- "EQ3": {
- "key": "EQ3",
+ "AR": {
+ "key": "AR",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "EQ3",
+ "key": "AR",
"version": "1.0.0",
- "name": "Equivalence Set 3",
- "definition": "VC/VI/VA with 3 levels specified in Table 26",
+ "name": "Availability Requirement",
+ "definition": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "definition": "2: not (VC:H or VI:H or VA:H)"
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "definition": "0: VC:H and VI:H"
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "ND",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -1618,49 +1658,54 @@
"L": {
"key": "L",
"name": "Low",
- "definition": "2: not (VC:H or VI:H or VA:H)"
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "definition": "0: VC:H and VI:H"
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ "ND": {
+ "key": "ND",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
- }
- }
- },
- "EQ4": {
- "key": "EQ4",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "1.1.0": {
+ "version": "1.1.0",
"obj": {
"namespace": "cvss",
- "key": "EQ4",
- "version": "1.0.0",
- "name": "Equivalence Set 4",
- "definition": "SC/SI/SA with 3 levels specified in Table 27",
+ "key": "AR",
+ "version": "1.1.0",
+ "name": "Availability Requirement",
+ "definition": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "definition": "0: MSI:S or MSA:S"
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -1668,49 +1713,54 @@
"L": {
"key": "L",
"name": "Low",
- "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "definition": "0: MSI:S or MSA:S"
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
- }
- }
- },
- "EQ5": {
- "key": "EQ5",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "1.1.1": {
+ "version": "1.1.1",
"obj": {
"namespace": "cvss",
- "key": "EQ5",
- "version": "1.0.0",
- "name": "Equivalence Set 5",
- "definition": "E with 3 levels specified in Table 28",
+ "key": "AR",
+ "version": "1.1.1",
+ "name": "Availability Requirement",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "definition": "2: E:U"
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "definition": "1: E:P"
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "definition": "0: E:A"
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -1718,149 +1768,164 @@
"L": {
"key": "L",
"name": "Low",
- "definition": "2: E:U"
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "definition": "1: E:P"
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "definition": "0: E:A"
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
}
},
- "EQ6": {
- "key": "EQ6",
+ "AR_NoX": {
+ "key": "AR_NoX",
"versions": {
- "1.0.0": {
- "version": "1.0.0",
+ "1.1.1": {
+ "version": "1.1.1",
"obj": {
"namespace": "cvss",
- "key": "EQ6",
- "version": "1.0.0",
- "name": "Equivalence Set 6",
- "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
+ "key": "AR_NoX",
+ "version": "1.1.1",
+ "name": "Availability Requirement (without Not Defined)",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
- "key": "H",
- "name": "High",
- "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
- }
+ "key": "M",
+ "name": "Medium",
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ }
]
},
"values": {
"L": {
"key": "L",
"name": "Low",
- "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
+ "definition": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
+ "definition": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
}
}
}
},
- "E": {
- "key": "E",
+ "CDP": {
+ "key": "CDP",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "E",
+ "key": "CDP",
"version": "1.0.0",
- "name": "Exploitability",
- "definition": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
+ "name": "Collateral Damage Potential",
+ "definition": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "U",
- "name": "Unproven",
- "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
+ "key": "N",
+ "name": "None",
+ "definition": "There is no potential for physical or property damage."
},
{
- "key": "P",
- "name": "Proof of Concept",
- "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ "key": "L",
+ "name": "Low",
+ "definition": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."
},
{
- "key": "F",
- "name": "Functional",
- "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
+ "key": "M",
+ "name": "Medium",
+ "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
},
{
"key": "H",
"name": "High",
- "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
+ "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
}
]
},
"values": {
- "U": {
- "key": "U",
- "name": "Unproven",
- "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no potential for physical or property damage."
},
- "P": {
- "key": "P",
- "name": "Proof of Concept",
- "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."
},
- "F": {
- "key": "F",
- "name": "Functional",
- "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
},
"H": {
"key": "H",
"name": "High",
- "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
+ "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
}
}
},
- "1.1.0": {
- "version": "1.1.0",
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
"namespace": "cvss",
- "key": "E",
- "version": "1.1.0",
- "name": "Exploitability",
- "definition": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
+ "key": "CDP",
+ "version": "2.0.0",
+ "name": "Collateral Damage Potential",
+ "definition": "This metric measures the potential for loss of life or physical assets.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "U",
- "name": "Unproven",
- "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
+ "key": "N",
+ "name": "None",
+ "definition": "There is no potential for loss of life, physical assets, productivity or revenue."
},
{
- "key": "P",
- "name": "Proof of Concept",
- "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ "key": "LM",
+ "name": "Low-Medium",
+ "definition": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."
},
{
- "key": "F",
- "name": "Functional",
- "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
+ "key": "MH",
+ "name": "Medium-High",
+ "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
},
{
"key": "H",
"name": "High",
- "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
+ "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
},
{
"key": "ND",
@@ -1870,25 +1935,25 @@
]
},
"values": {
- "U": {
- "key": "U",
- "name": "Unproven",
- "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no potential for loss of life, physical assets, productivity or revenue."
},
- "P": {
- "key": "P",
- "name": "Proof of Concept",
- "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ "LM": {
+ "key": "LM",
+ "name": "Low-Medium",
+ "definition": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."
},
- "F": {
- "key": "F",
- "name": "Functional",
- "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
+ "MH": {
+ "key": "MH",
+ "name": "Medium-High",
+ "definition": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."
},
"H": {
"key": "H",
"name": "High",
- "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
+ "definition": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
},
"ND": {
"key": "ND",
@@ -1896,69 +1961,54 @@
"definition": "This metric value is not defined. See CVSS documentation for details."
}
}
- },
- "1.2.0": {
- "version": "1.2.0",
+ }
+ }
+ },
+ "C": {
+ "key": "C",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "E",
- "version": "1.2.0",
- "name": "Exploit Code Maturity",
- "definition": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation",
+ "key": "C",
+ "version": "1.0.0",
+ "name": "Confidentiality Impact",
+ "definition": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "U",
- "name": "Unproven",
- "definition": "No exploit code is available, or an exploit is theoretical."
- },
- {
- "key": "POC",
- "name": "Proof-of-Concept",
- "definition": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
- },
- {
- "key": "F",
- "name": "Functional",
- "definition": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
+ "key": "N",
+ "name": "None",
+ "definition": "No impact on confidentiality."
},
{
- "key": "H",
- "name": "High",
- "definition": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
+ "key": "P",
+ "name": "Partial",
+ "definition": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "C",
+ "name": "Complete",
+ "definition": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
}
]
},
"values": {
- "U": {
- "key": "U",
- "name": "Unproven",
- "definition": "No exploit code is available, or an exploit is theoretical."
- },
- "POC": {
- "key": "POC",
- "name": "Proof-of-Concept",
- "definition": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
- },
- "F": {
- "key": "F",
- "name": "Functional",
- "definition": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "No impact on confidentiality."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
+ "P": {
+ "key": "P",
+ "name": "Partial",
+ "definition": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."
},
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "C": {
+ "key": "C",
+ "name": "Complete",
+ "definition": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
}
}
},
@@ -1966,291 +2016,76 @@
"version": "2.0.0",
"obj": {
"namespace": "cvss",
- "key": "E",
+ "key": "C",
"version": "2.0.0",
- "name": "Exploit Maturity",
- "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.",
+ "name": "Confidentiality Impact",
+ "definition": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "U",
- "name": "Unreported",
- "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
- },
- {
- "key": "P",
- "name": "Proof-of-Concept",
- "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
- "key": "A",
- "name": "Attacked",
- "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ "key": "L",
+ "name": "Low",
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "H",
+ "name": "High",
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
]
},
"values": {
- "U": {
- "key": "U",
- "name": "Unreported",
- "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
- },
- "P": {
- "key": "P",
- "name": "Proof-of-Concept",
- "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
- },
- "A": {
- "key": "A",
- "name": "Attacked",
- "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
- },
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
- }
- }
- }
- }
- },
- "E_NoX": {
- "key": "E_NoX",
- "versions": {
- "2.0.0": {
- "version": "2.0.0",
- "obj": {
- "namespace": "cvss",
- "key": "E_NoX",
- "version": "2.0.0",
- "name": "Exploit Maturity (without Not Defined)",
- "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "U",
- "name": "Unreported",
- "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
- },
- {
- "key": "P",
- "name": "Proof-of-Concept",
- "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
- },
- {
- "key": "A",
- "name": "Attacked",
- "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
- }
- ]
- },
- "values": {
- "U": {
- "key": "U",
- "name": "Unreported",
- "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
- },
- "P": {
- "key": "P",
- "name": "Proof-of-Concept",
- "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
- },
- "A": {
- "key": "A",
- "name": "Attacked",
- "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
- }
- }
- }
- }
- },
- "IB": {
- "key": "IB",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
- "obj": {
- "namespace": "cvss",
- "key": "IB",
- "version": "1.0.0",
- "name": "Impact Bias",
- "definition": "This metric measures the impact bias of the vulnerability.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "N",
- "name": "Normal",
- "definition": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."
- },
- {
- "key": "C",
- "name": "Confidentiality",
- "definition": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."
- },
- {
- "key": "I",
- "name": "Integrity",
- "definition": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."
- },
- {
- "key": "A",
- "name": "Availability",
- "definition": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."
- }
- ]
- },
- "values": {
- "N": {
- "key": "N",
- "name": "Normal",
- "definition": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."
- },
- "C": {
- "key": "C",
- "name": "Confidentiality",
- "definition": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."
- },
- "I": {
- "key": "I",
- "name": "Integrity",
- "definition": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."
- },
- "A": {
- "key": "A",
- "name": "Availability",
- "definition": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."
- }
- }
- }
- }
- },
- "I": {
- "key": "I",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
- "obj": {
- "namespace": "cvss",
- "key": "I",
- "version": "1.0.0",
- "name": "Integrity Impact",
- "definition": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "N",
- "name": "None",
- "definition": "No impact on integrity."
- },
- {
- "key": "P",
- "name": "Partial",
- "definition": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."
- },
- {
- "key": "C",
- "name": "Complete",
- "definition": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."
- }
- ]
- },
- "values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "No impact on integrity."
- },
- "P": {
- "key": "P",
- "name": "Partial",
- "definition": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."
- },
- "C": {
- "key": "C",
- "name": "Complete",
- "definition": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."
- }
- }
- },
- "2.0.0": {
- "version": "2.0.0",
- "obj": {
- "namespace": "cvss",
- "key": "I",
- "version": "2.0.0",
- "name": "Integrity Impact",
- "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "N",
- "name": "None",
- "definition": "There is no impact to the integrity of the system."
- },
- {
- "key": "L",
- "name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
- },
- {
- "key": "H",
- "name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection."
- }
- ]
- },
- "values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "There is no impact to the integrity of the system."
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of confidentiality within the impacted component."
},
"L": {
"key": "L",
"name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
}
}
}
},
- "VI": {
- "key": "VI",
+ "VC": {
+ "key": "VC",
"versions": {
"3.0.0": {
"version": "3.0.0",
"obj": {
"namespace": "cvss",
- "key": "VI",
+ "key": "VC",
"version": "3.0.0",
- "name": "Integrity Impact to the Vulnerable System",
- "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "name": "Confidentiality Impact to the Vulnerable System",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "definition": "There is no loss of integrity within the Vulnerable System."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
"key": "L",
"name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
]
},
@@ -2258,49 +2093,49 @@
"N": {
"key": "N",
"name": "None",
- "definition": "There is no loss of integrity within the Vulnerable System."
+ "definition": "There is no loss of confidentiality within the impacted component."
},
"L": {
"key": "L",
"name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
}
}
}
}
},
- "IR": {
- "key": "IR",
+ "CR": {
+ "key": "CR",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "IR",
+ "key": "CR",
"version": "1.0.0",
- "name": "Integrity Requirement",
- "definition": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
+ "name": "Confidentiality Requirement",
+ "definition": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "ND",
@@ -2313,17 +2148,17 @@
"L": {
"key": "L",
"name": "Low",
- "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"ND": {
"key": "ND",
@@ -2336,26 +2171,26 @@
"version": "1.1.0",
"obj": {
"namespace": "cvss",
- "key": "IR",
+ "key": "CR",
"version": "1.1.0",
- "name": "Integrity Requirement",
- "definition": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
+ "name": "Confidentiality Requirement",
+ "definition": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
@@ -2368,17 +2203,17 @@
"L": {
"key": "L",
"name": "Low",
- "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"X": {
"key": "X",
@@ -2391,26 +2226,26 @@
"version": "1.1.1",
"obj": {
"namespace": "cvss",
- "key": "IR",
+ "key": "CR",
"version": "1.1.1",
- "name": "Integrity Requirement",
+ "name": "Confidentiality Requirement",
"definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
@@ -2423,17 +2258,17 @@
"L": {
"key": "L",
"name": "Low",
- "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"X": {
"key": "X",
@@ -2444,33 +2279,33 @@
}
}
},
- "IR_NoX": {
- "key": "IR_NoX",
+ "CR_NoX": {
+ "key": "CR_NoX",
"versions": {
"1.1.1": {
"version": "1.1.1",
"obj": {
"namespace": "cvss",
- "key": "IR_NoX",
+ "key": "CR_NoX",
"version": "1.1.1",
- "name": "Integrity Requirement (without Not Defined)",
+ "name": "Confidentiality Requirement (without Not Defined)",
"definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Low",
- "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "M",
"name": "Medium",
- "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "H",
"name": "High",
- "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
},
@@ -2478,854 +2313,829 @@
"L": {
"key": "L",
"name": "Low",
- "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"M": {
"key": "M",
"name": "Medium",
- "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"H": {
"key": "H",
"name": "High",
- "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ "definition": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
}
}
}
},
- "SA": {
- "key": "SA",
+ "EQ1": {
+ "key": "EQ1",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "SA",
+ "key": "EQ1",
"version": "1.0.0",
- "name": "Availability Impact to the Subsequent System",
- "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "name": "Equivalence Set 1",
+ "definition": "AV/PR/UI with 3 levels specified in Table 24",
"schemaVersion": "2.0.0",
"values": [
- {
- "key": "N",
- "name": "None",
- "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
- },
{
"key": "L",
"name": "Low",
- "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "2: AV:P or not(AV:N or PR:N or UI:N)"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
},
{
"key": "H",
"name": "High",
- "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "0: AV:N and PR:N and UI:N"
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
- },
"L": {
"key": "L",
"name": "Low",
- "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "2: AV:P or not(AV:N or PR:N or UI:N)"
+ },
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "0: AV:N and PR:N and UI:N"
}
}
}
}
},
- "MSA": {
- "key": "MSA",
+ "EQ2": {
+ "key": "EQ2",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MSA",
+ "key": "EQ2",
"version": "1.0.0",
- "name": "Modified Availability Impact to the Subsequent System",
- "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "name": "Equivalence Set 2",
+ "definition": "AC/AT with 2 levels specified in Table 25",
"schemaVersion": "2.0.0",
"values": [
- {
- "key": "N",
- "name": "None",
- "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
- },
{
"key": "L",
"name": "Low",
- "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "1: not (AC:L and AT:N)"
},
{
"key": "H",
"name": "High",
- "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
- },
- {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "0: AC:L and AT:N"
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
- },
"L": {
"key": "L",
"name": "Low",
- "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "1: not (AC:L and AT:N)"
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
- },
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "0: AC:L and AT:N"
}
}
- },
- "1.0.1": {
- "version": "1.0.1",
+ }
+ }
+ },
+ "EQ3": {
+ "key": "EQ3",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MSA",
- "version": "1.0.1",
- "name": "Modified Availability Impact to the Subsequent System",
- "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "key": "EQ3",
+ "version": "1.0.0",
+ "name": "Equivalence Set 3",
+ "definition": "VC/VI/VA with 3 levels specified in Table 26",
"schemaVersion": "2.0.0",
"values": [
- {
- "key": "N",
- "name": "Negligible",
- "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
- },
{
"key": "L",
"name": "Low",
- "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
- },
- {
- "key": "H",
- "name": "High",
- "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "definition": "2: not (VC:H or VI:H or VA:H)"
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "M",
+ "name": "Medium",
+ "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
},
{
- "key": "S",
- "name": "Safety",
- "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "key": "H",
+ "name": "High",
+ "definition": "0: VC:H and VI:H"
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "Negligible",
- "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
- },
"L": {
"key": "L",
"name": "Low",
- "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "2: not (VC:H or VI:H or VA:H)"
+ },
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
- },
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
- },
- "S": {
- "key": "S",
- "name": "Safety",
- "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "0: VC:H and VI:H"
}
}
}
}
},
- "MSA_NoX": {
- "key": "MSA_NoX",
+ "EQ4": {
+ "key": "EQ4",
"versions": {
- "1.0.1": {
- "version": "1.0.1",
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MSA_NoX",
- "version": "1.0.1",
- "name": "Modified Availability Impact to the Subsequent System (without Not Defined)",
- "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.",
+ "key": "EQ4",
+ "version": "1.0.0",
+ "name": "Equivalence Set 4",
+ "definition": "SC/SI/SA with 3 levels specified in Table 27",
"schemaVersion": "2.0.0",
"values": [
- {
- "key": "N",
- "name": "Negligible",
- "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
- },
{
"key": "L",
"name": "Low",
- "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
},
{
- "key": "H",
- "name": "High",
- "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "key": "M",
+ "name": "Medium",
+ "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
},
{
- "key": "S",
- "name": "Safety",
- "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "key": "H",
+ "name": "High",
+ "definition": "0: MSI:S or MSA:S"
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "Negligible",
- "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
- },
"L": {
"key": "L",
"name": "Low",
- "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ "definition": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+ },
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
- },
- "S": {
- "key": "S",
- "name": "Safety",
- "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "0: MSI:S or MSA:S"
}
}
}
}
},
- "SI": {
- "key": "SI",
+ "EQ5": {
+ "key": "EQ5",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "SI",
+ "key": "EQ5",
"version": "1.0.0",
- "name": "Integrity Impact to the Subsequent System",
- "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
- "schemaVersion": "2.0.0",
+ "name": "Equivalence Set 5",
+ "definition": "E with 3 levels specified in Table 28",
+ "schemaVersion": "2.0.0",
"values": [
- {
- "key": "N",
- "name": "None",
- "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
- },
{
"key": "L",
"name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "2: E:U"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "definition": "1: E:P"
},
{
"key": "H",
"name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "0: E:A"
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
- },
"L": {
"key": "L",
"name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "2: E:U"
+ },
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "1: E:P"
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "0: E:A"
}
}
}
}
},
- "MSI": {
- "key": "MSI",
+ "EQ6": {
+ "key": "EQ6",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MSI",
+ "key": "EQ6",
"version": "1.0.0",
- "name": "Modified Integrity Impact to the Subsequent System",
- "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
+ "name": "Equivalence Set 6",
+ "definition": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
"schemaVersion": "2.0.0",
"values": [
- {
- "key": "N",
- "name": "None",
- "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
- },
{
"key": "L",
"name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
},
{
"key": "H",
"name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
- },
- {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
- },
"L": {
"key": "L",
"name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "definition": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
- },
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
}
}
- },
- "1.0.1": {
- "version": "1.0.1",
+ }
+ }
+ },
+ "E": {
+ "key": "E",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MSI",
- "version": "1.0.1",
- "name": "Modified Integrity Impact to the Subsequent System",
- "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
+ "key": "E",
+ "version": "1.0.0",
+ "name": "Exploitability",
+ "definition": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "Negligible",
- "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
- },
- {
- "key": "L",
- "name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "key": "U",
+ "name": "Unproven",
+ "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
},
{
- "key": "H",
- "name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "key": "P",
+ "name": "Proof of Concept",
+ "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "F",
+ "name": "Functional",
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
},
{
- "key": "S",
- "name": "Safety",
- "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "key": "H",
+ "name": "High",
+ "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "Negligible",
- "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "U": {
+ "key": "U",
+ "name": "Unproven",
+ "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
},
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "P": {
+ "key": "P",
+ "name": "Proof of Concept",
+ "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ },
+ "F": {
+ "key": "F",
+ "name": "Functional",
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
- },
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
- },
- "S": {
- "key": "S",
- "name": "Safety",
- "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
}
}
- }
- }
- },
- "MSI_NoX": {
- "key": "MSI_NoX",
- "versions": {
- "1.0.1": {
- "version": "1.0.1",
+ },
+ "1.1.0": {
+ "version": "1.1.0",
"obj": {
"namespace": "cvss",
- "key": "MSI_NoX",
- "version": "1.0.1",
- "name": "Modified Integrity Impact to the Subsequent System (without Not Defined)",
- "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.",
+ "key": "E",
+ "version": "1.1.0",
+ "name": "Exploitability",
+ "definition": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "Negligible",
- "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "key": "U",
+ "name": "Unproven",
+ "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
},
{
- "key": "L",
- "name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "key": "P",
+ "name": "Proof of Concept",
+ "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ },
+ {
+ "key": "F",
+ "name": "Functional",
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
},
{
"key": "H",
"name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
},
{
- "key": "S",
- "name": "Safety",
- "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "key": "ND",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "Negligible",
- "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ "U": {
+ "key": "U",
+ "name": "Unproven",
+ "definition": "No exploit code is yet available or an exploit method is entirely theoretical."
},
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ "P": {
+ "key": "P",
+ "name": "Proof of Concept",
+ "definition": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ },
+ "F": {
+ "key": "F",
+ "name": "Functional",
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ "definition": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
},
- "S": {
- "key": "S",
- "name": "Safety",
- "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
+ "ND": {
+ "key": "ND",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
- }
- }
- },
- "PR": {
- "key": "PR",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "1.2.0": {
+ "version": "1.2.0",
"obj": {
"namespace": "cvss",
- "key": "PR",
- "version": "1.0.0",
- "name": "Privileges Required",
- "definition": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
+ "key": "E",
+ "version": "1.2.0",
+ "name": "Exploit Code Maturity",
+ "definition": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "H",
- "name": "High",
- "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ "key": "U",
+ "name": "Unproven",
+ "definition": "No exploit code is available, or an exploit is theoretical."
},
{
- "key": "L",
- "name": "Low",
- "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
+ "key": "POC",
+ "name": "Proof-of-Concept",
+ "definition": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
},
{
- "key": "N",
- "name": "None",
- "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "key": "F",
+ "name": "Functional",
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
+ "U": {
+ "key": "U",
+ "name": "Unproven",
+ "definition": "No exploit code is available, or an exploit is theoretical."
+ },
+ "POC": {
+ "key": "POC",
+ "name": "Proof-of-Concept",
+ "definition": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
+ },
+ "F": {
+ "key": "F",
+ "name": "Functional",
+ "definition": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
+ },
"H": {
"key": "H",
"name": "High",
- "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
- },
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
+ "definition": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
},
- "N": {
- "key": "N",
- "name": "None",
- "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
- "1.0.1": {
- "version": "1.0.1",
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
"namespace": "cvss",
- "key": "PR",
- "version": "1.0.1",
- "name": "Privileges Required",
- "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
+ "key": "E",
+ "version": "2.0.0",
+ "name": "Exploit Maturity",
+ "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "H",
- "name": "High",
- "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ "key": "U",
+ "name": "Unreported",
+ "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
},
{
- "key": "L",
- "name": "Low",
- "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ "key": "P",
+ "name": "Proof-of-Concept",
+ "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
},
{
- "key": "N",
- "name": "None",
- "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "key": "A",
+ "name": "Attacked",
+ "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
- "H": {
- "key": "H",
- "name": "High",
- "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ "U": {
+ "key": "U",
+ "name": "Unreported",
+ "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
},
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ "P": {
+ "key": "P",
+ "name": "Proof-of-Concept",
+ "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
},
- "N": {
- "key": "N",
- "name": "None",
- "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "A": {
+ "key": "A",
+ "name": "Attacked",
+ "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
}
},
- "QS": {
- "key": "QS",
+ "E_NoX": {
+ "key": "E_NoX",
"versions": {
- "1.0.0": {
- "version": "1.0.0",
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
"namespace": "cvss",
- "key": "QS",
- "version": "1.0.0",
- "name": "CVSS Qualitative Severity Rating Scale",
- "definition": "The CVSS Qualitative Severity Rating Scale provides a categorical representation of a CVSS Score.",
+ "key": "E_NoX",
+ "version": "2.0.0",
+ "name": "Exploit Maturity (without Not Defined)",
+ "definition": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "None",
- "definition": "No severity rating (0.0)"
- },
- {
- "key": "L",
- "name": "Low",
- "definition": "Low (0.1 - 3.9)"
- },
- {
- "key": "M",
- "name": "Medium",
- "definition": "Medium (4.0 - 6.9)"
+ "key": "U",
+ "name": "Unreported",
+ "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
},
{
- "key": "H",
- "name": "High",
- "definition": "High (7.0 - 8.9)"
+ "key": "P",
+ "name": "Proof-of-Concept",
+ "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
},
{
- "key": "C",
- "name": "Critical",
- "definition": "Critical (9.0 - 10.0)"
+ "key": "A",
+ "name": "Attacked",
+ "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "No severity rating (0.0)"
- },
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Low (0.1 - 3.9)"
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "Medium (4.0 - 6.9)"
+ "U": {
+ "key": "U",
+ "name": "Unreported",
+ "definition": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "High (7.0 - 8.9)"
+ "P": {
+ "key": "P",
+ "name": "Proof-of-Concept",
+ "definition": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
},
- "C": {
- "key": "C",
- "name": "Critical",
- "definition": "Critical (9.0 - 10.0)"
+ "A": {
+ "key": "A",
+ "name": "Attacked",
+ "definition": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
}
}
}
}
},
- "RL": {
- "key": "RL",
+ "IB": {
+ "key": "IB",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "RL",
+ "key": "IB",
"version": "1.0.0",
- "name": "Remediation Level",
- "definition": "This metric measures the remediation status of a vulnerability.",
+ "name": "Impact Bias",
+ "definition": "This metric measures the impact bias of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "OF",
- "name": "Official Fix",
- "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
+ "key": "N",
+ "name": "Normal",
+ "definition": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."
},
{
- "key": "TF",
- "name": "Temporary Fix",
- "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
+ "key": "C",
+ "name": "Confidentiality",
+ "definition": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."
},
{
- "key": "W",
- "name": "Workaround",
- "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
+ "key": "I",
+ "name": "Integrity",
+ "definition": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."
},
{
- "key": "U",
- "name": "Unavailable",
- "definition": "There is either no solution available or it is impossible to apply."
+ "key": "A",
+ "name": "Availability",
+ "definition": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."
}
]
},
"values": {
- "OF": {
- "key": "OF",
- "name": "Official Fix",
- "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
+ "N": {
+ "key": "N",
+ "name": "Normal",
+ "definition": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."
},
- "TF": {
- "key": "TF",
- "name": "Temporary Fix",
- "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
+ "C": {
+ "key": "C",
+ "name": "Confidentiality",
+ "definition": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."
},
- "W": {
- "key": "W",
- "name": "Workaround",
- "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
+ "I": {
+ "key": "I",
+ "name": "Integrity",
+ "definition": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."
},
- "U": {
- "key": "U",
- "name": "Unavailable",
- "definition": "There is either no solution available or it is impossible to apply."
+ "A": {
+ "key": "A",
+ "name": "Availability",
+ "definition": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."
}
}
- },
- "1.1.0": {
- "version": "1.1.0",
+ }
+ }
+ },
+ "I": {
+ "key": "I",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "RL",
- "version": "1.1.0",
- "name": "Remediation Level",
- "definition": "This metric measures the remediation status of a vulnerability.",
+ "key": "I",
+ "version": "1.0.0",
+ "name": "Integrity Impact",
+ "definition": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "OF",
- "name": "Official Fix",
- "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
+ "key": "N",
+ "name": "None",
+ "definition": "No impact on integrity."
},
{
- "key": "TF",
- "name": "Temporary Fix",
- "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
+ "key": "P",
+ "name": "Partial",
+ "definition": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."
},
{
- "key": "W",
- "name": "Workaround",
- "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
+ "key": "C",
+ "name": "Complete",
+ "definition": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."
+ }
+ ]
+ },
+ "values": {
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "No impact on integrity."
+ },
+ "P": {
+ "key": "P",
+ "name": "Partial",
+ "definition": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."
+ },
+ "C": {
+ "key": "C",
+ "name": "Complete",
+ "definition": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."
+ }
+ }
+ },
+ "2.0.0": {
+ "version": "2.0.0",
+ "obj": {
+ "namespace": "cvss",
+ "key": "I",
+ "version": "2.0.0",
+ "name": "Integrity Impact",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no impact to the integrity of the system."
},
{
- "key": "U",
- "name": "Unavailable",
- "definition": "There is either no solution available or it is impossible to apply."
+ "key": "L",
+ "name": "Low",
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
]
},
"values": {
- "OF": {
- "key": "OF",
- "name": "Official Fix",
- "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
- },
- "TF": {
- "key": "TF",
- "name": "Temporary Fix",
- "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
- },
- "W": {
- "key": "W",
- "name": "Workaround",
- "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no impact to the integrity of the system."
},
- "U": {
- "key": "U",
- "name": "Unavailable",
- "definition": "There is either no solution available or it is impossible to apply."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
},
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
}
}
}
},
- "RC": {
- "key": "RC",
+ "VI": {
+ "key": "VI",
"versions": {
- "1.0.0": {
- "version": "1.0.0",
+ "3.0.0": {
+ "version": "3.0.0",
"obj": {
"namespace": "cvss",
- "key": "RC",
- "version": "1.0.0",
- "name": "Report Confidence",
- "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
+ "key": "VI",
+ "version": "3.0.0",
+ "name": "Integrity Impact to the Vulnerable System",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "UC",
- "name": "Unconfirmed",
- "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
{
- "key": "UR",
- "name": "Uncorroborated",
- "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
+ "key": "L",
+ "name": "Low",
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
{
- "key": "C",
- "name": "Confirmed",
- "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
]
},
"values": {
- "UC": {
- "key": "UC",
- "name": "Unconfirmed",
- "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
- "UR": {
- "key": "UR",
- "name": "Uncorroborated",
- "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
- "C": {
- "key": "C",
- "name": "Confirmed",
- "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
}
}
- },
- "1.1.0": {
- "version": "1.1.0",
+ }
+ }
+ },
+ "IR": {
+ "key": "IR",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "RC",
- "version": "1.1.0",
- "name": "Report Confidence",
- "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
+ "key": "IR",
+ "version": "1.0.0",
+ "name": "Integrity Requirement",
+ "definition": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "UC",
- "name": "Unconfirmed",
- "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
+ "key": "L",
+ "name": "Low",
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
- "key": "UR",
- "name": "Uncorroborated",
- "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
+ "key": "M",
+ "name": "Medium",
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
- "key": "C",
- "name": "Confirmed",
- "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ "key": "H",
+ "name": "High",
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "ND",
@@ -3335,20 +3145,20 @@
]
},
"values": {
- "UC": {
- "key": "UC",
- "name": "Unconfirmed",
- "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
- "UR": {
- "key": "UR",
- "name": "Uncorroborated",
- "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
- "C": {
- "key": "C",
- "name": "Confirmed",
- "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"ND": {
"key": "ND",
@@ -3357,30 +3167,30 @@
}
}
},
- "2.0.0": {
- "version": "2.0.0",
+ "1.1.0": {
+ "version": "1.1.0",
"obj": {
"namespace": "cvss",
- "key": "RC",
- "version": "2.0.0",
- "name": "Report Confidence",
- "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
+ "key": "IR",
+ "version": "1.1.0",
+ "name": "Integrity Requirement",
+ "definition": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "U",
- "name": "Unknown",
- "definition": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."
+ "key": "L",
+ "name": "Low",
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
- "key": "R",
- "name": "Reasonable",
- "definition": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."
+ "key": "M",
+ "name": "Medium",
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
- "key": "C",
- "name": "Confirmed",
- "definition": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."
+ "key": "H",
+ "name": "High",
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
"key": "X",
@@ -3390,20 +3200,75 @@
]
},
"values": {
- "U": {
- "key": "U",
- "name": "Unknown",
- "definition": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
- "R": {
- "key": "R",
- "name": "Reasonable",
- "definition": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
- "C": {
- "key": "C",
- "name": "Confirmed",
- "definition": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ }
+ }
+ },
+ "1.1.1": {
+ "version": "1.1.1",
+ "obj": {
+ "namespace": "cvss",
+ "key": "IR",
+ "version": "1.1.1",
+ "name": "Integrity Requirement",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+ },
+ "values": {
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
"X": {
"key": "X",
@@ -3414,118 +3279,133 @@
}
}
},
- "S": {
- "key": "S",
+ "IR_NoX": {
+ "key": "IR_NoX",
"versions": {
- "1.0.0": {
- "version": "1.0.0",
+ "1.1.1": {
+ "version": "1.1.1",
"obj": {
"namespace": "cvss",
- "key": "S",
- "version": "1.0.0",
- "name": "Scope",
- "definition": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
+ "key": "IR_NoX",
+ "version": "1.1.1",
+ "name": "Integrity Requirement (without Not Defined)",
+ "definition": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "U",
- "name": "Unchanged",
- "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
+ "key": "L",
+ "name": "Low",
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
{
- "key": "C",
- "name": "Changed",
- "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
+ "key": "M",
+ "name": "Medium",
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
]
},
"values": {
- "U": {
- "key": "U",
- "name": "Unchanged",
- "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
},
- "C": {
- "key": "C",
- "name": "Changed",
- "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
}
}
}
}
},
- "SC": {
- "key": "SC",
+ "SA": {
+ "key": "SA",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "SC",
+ "key": "SA",
"version": "1.0.0",
- "name": "Confidentiality Impact to the Subsequent System",
- "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "name": "Availability Impact to the Subsequent System",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
- "name": "Negligible",
- "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "name": "None",
+ "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
"key": "H",
"name": "High",
- "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
]
},
"values": {
"N": {
"key": "N",
- "name": "Negligible",
- "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "name": "None",
+ "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
}
}
}
}
},
- "AU": {
- "key": "AU",
+ "MSA": {
+ "key": "MSA",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "AU",
+ "key": "MSA",
"version": "1.0.0",
- "name": "Automatable",
- "definition": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
+ "name": "Modified Availability Impact to the Subsequent System",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
- "name": "No",
- "definition": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ "name": "None",
+ "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
- "key": "Y",
- "name": "Yes",
- "definition": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
+ "key": "L",
+ "name": "Low",
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
"key": "X",
@@ -3537,13 +3417,18 @@
"values": {
"N": {
"key": "N",
- "name": "No",
- "definition": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ "name": "None",
+ "definition": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
- "Y": {
- "key": "Y",
- "name": "Yes",
- "definition": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
"X": {
"key": "X",
@@ -3551,546 +3436,501 @@
"definition": "This metric value is not defined. See CVSS documentation for details."
}
}
- }
- }
- },
- "U": {
- "key": "U",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "1.0.1": {
+ "version": "1.0.1",
"obj": {
"namespace": "cvss",
- "key": "U",
- "version": "1.0.0",
- "name": "Provider Urgency",
- "definition": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.",
+ "key": "MSA",
+ "version": "1.0.1",
+ "name": "Modified Availability Impact to the Subsequent System",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "N",
+ "name": "Negligible",
+ "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
- "key": "C",
- "name": "Clear",
- "definition": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)."
+ "key": "L",
+ "name": "Low",
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
- "key": "G",
- "name": "Green",
- "definition": "Provider has assessed the impact of this vulnerability as having a reduced urgency."
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
- "key": "A",
- "name": "Amber",
- "definition": "Provider has assessed the impact of this vulnerability as having a moderate urgency."
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
- "key": "R",
- "name": "Red",
- "definition": "Provider has assessed the impact of this vulnerability as having the highest urgency."
+ "key": "S",
+ "name": "Safety",
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
},
"values": {
+ "N": {
+ "key": "N",
+ "name": "Negligible",
+ "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ },
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ },
"X": {
"key": "X",
"name": "Not Defined",
"definition": "This metric value is not defined. See CVSS documentation for details."
},
- "C": {
- "key": "C",
- "name": "Clear",
- "definition": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)."
- },
- "G": {
- "key": "G",
- "name": "Green",
- "definition": "Provider has assessed the impact of this vulnerability as having a reduced urgency."
- },
- "A": {
- "key": "A",
- "name": "Amber",
- "definition": "Provider has assessed the impact of this vulnerability as having a moderate urgency."
- },
- "R": {
- "key": "R",
- "name": "Red",
- "definition": "Provider has assessed the impact of this vulnerability as having the highest urgency."
+ "S": {
+ "key": "S",
+ "name": "Safety",
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
}
}
}
},
- "R": {
- "key": "R",
+ "MSA_NoX": {
+ "key": "MSA_NoX",
"versions": {
- "1.0.0": {
- "version": "1.0.0",
+ "1.0.1": {
+ "version": "1.0.1",
"obj": {
"namespace": "cvss",
- "key": "R",
- "version": "1.0.0",
- "name": "Recovery",
- "definition": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.",
+ "key": "MSA_NoX",
+ "version": "1.0.1",
+ "name": "Modified Availability Impact to the Subsequent System (without Not Defined)",
+ "definition": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "N",
+ "name": "Negligible",
+ "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
{
- "key": "A",
- "name": "Automatic",
- "definition": "The system recovers services automatically after an attack has been performed."
+ "key": "L",
+ "name": "Low",
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
{
- "key": "U",
- "name": "User",
- "definition": "The system requires manual intervention by the user to recover services, after an attack has been performed."
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
- "key": "I",
- "name": "Irrecoverable",
- "definition": "The system services are irrecoverable by the user, after an attack has been performed."
+ "key": "S",
+ "name": "Safety",
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
},
"values": {
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "N": {
+ "key": "N",
+ "name": "Negligible",
+ "definition": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
},
- "A": {
- "key": "A",
- "name": "Automatic",
- "definition": "The system recovers services automatically after an attack has been performed."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
},
- "U": {
- "key": "U",
- "name": "User",
- "definition": "The system requires manual intervention by the user to recover services, after an attack has been performed."
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
- "I": {
- "key": "I",
- "name": "Irrecoverable",
- "definition": "The system services are irrecoverable by the user, after an attack has been performed."
+ "S": {
+ "key": "S",
+ "name": "Safety",
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
}
}
}
},
- "SF": {
- "key": "SF",
+ "SI": {
+ "key": "SI",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "SF",
+ "key": "SI",
"version": "1.0.0",
- "name": "Safety",
- "definition": "The Safety decision point is a measure of the potential for harm to humans or the environment.",
+ "name": "Integrity Impact to the Subsequent System",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
- "key": "P",
- "name": "Present",
- "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\""
+ "key": "L",
+ "name": "Low",
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
- "key": "N",
- "name": "Negligible",
- "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\""
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
}
]
},
"values": {
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
- },
- "P": {
- "key": "P",
- "name": "Present",
- "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\""
- },
"N": {
"key": "N",
- "name": "Negligible",
- "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\""
+ "name": "None",
+ "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ },
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
}
}
}
}
},
- "V": {
- "key": "V",
+ "MSI": {
+ "key": "MSI",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "V",
+ "key": "MSI",
"version": "1.0.0",
- "name": "Value Density",
- "definition": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.",
+ "name": "Modified Integrity Impact to the Subsequent System",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
- "key": "D",
- "name": "Diffuse",
- "definition": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small."
+ "key": "L",
+ "name": "Low",
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
- "key": "C",
- "name": "Concentrated",
- "definition": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users."
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ },
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ },
"X": {
"key": "X",
"name": "Not Defined",
"definition": "This metric value is not defined. See CVSS documentation for details."
- },
- "D": {
- "key": "D",
- "name": "Diffuse",
- "definition": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small."
- },
- "C": {
- "key": "C",
- "name": "Concentrated",
- "definition": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users."
}
}
- }
- }
- },
- "RE": {
- "key": "RE",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "1.0.1": {
+ "version": "1.0.1",
"obj": {
"namespace": "cvss",
- "key": "RE",
- "version": "1.0.0",
- "name": "Vulnerability Response Effort",
- "definition": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.",
+ "key": "MSI",
+ "version": "1.0.1",
+ "name": "Modified Integrity Impact to the Subsequent System",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "N",
+ "name": "Negligible",
+ "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "definition": "The effort required to respond to a vulnerability is low/trivial."
- },
- {
- "key": "M",
- "name": "Moderate",
- "definition": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "definition": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)."
- }
- ]
- },
- "values": {
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
- },
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "The effort required to respond to a vulnerability is low/trivial."
- },
- "M": {
- "key": "M",
- "name": "Moderate",
- "definition": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement."
- },
- "H": {
- "key": "H",
- "name": "High",
- "definition": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)."
- }
- }
- }
- }
- },
- "TD": {
- "key": "TD",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
- "obj": {
- "namespace": "cvss",
- "key": "TD",
- "version": "1.0.0",
- "name": "Target Distribution",
- "definition": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "N",
- "name": "None",
- "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
- },
- {
- "key": "L",
- "name": "Low",
- "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
{
- "key": "M",
- "name": "Medium",
- "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
- "key": "H",
- "name": "High",
- "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
+ "key": "S",
+ "name": "Safety",
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
},
"values": {
"N": {
"key": "N",
- "name": "None",
- "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
+ "name": "Negligible",
+ "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
"H": {
"key": "H",
"name": "High",
- "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ },
+ "S": {
+ "key": "S",
+ "name": "Safety",
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
}
- },
- "1.1.0": {
- "version": "1.1.0",
+ }
+ }
+ },
+ "MSI_NoX": {
+ "key": "MSI_NoX",
+ "versions": {
+ "1.0.1": {
+ "version": "1.0.1",
"obj": {
"namespace": "cvss",
- "key": "TD",
- "version": "1.1.0",
- "name": "Target Distribution",
- "definition": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
+ "key": "MSI_NoX",
+ "version": "1.0.1",
+ "name": "Modified Integrity Impact to the Subsequent System (without Not Defined)",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
- "name": "None",
- "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
+ "name": "Negligible",
+ "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
{
"key": "L",
"name": "Low",
- "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
- },
- {
- "key": "M",
- "name": "Medium",
- "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
{
"key": "H",
"name": "High",
- "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "S",
+ "name": "Safety",
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
]
},
"values": {
"N": {
"key": "N",
- "name": "None",
- "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
+ "name": "Negligible",
+ "definition": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
},
"L": {
"key": "L",
"name": "Low",
- "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
},
"H": {
"key": "H",
"name": "High",
- "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
+ "definition": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
},
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "S": {
+ "key": "S",
+ "name": "Safety",
+ "definition": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
}
}
}
}
},
- "UI": {
- "key": "UI",
+ "PR": {
+ "key": "PR",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "UI",
+ "key": "PR",
"version": "1.0.0",
- "name": "User Interaction",
- "definition": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
+ "name": "Privileges Required",
+ "definition": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "R",
- "name": "Required",
- "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ "key": "H",
+ "name": "High",
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
},
{
"key": "N",
"name": "None",
- "definition": "The vulnerable system can be exploited without interaction from any user."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
}
]
},
"values": {
- "R": {
- "key": "R",
- "name": "Required",
- "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ },
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
},
"N": {
"key": "N",
"name": "None",
- "definition": "The vulnerable system can be exploited without interaction from any user."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
}
}
},
- "2.0.0": {
- "version": "2.0.0",
+ "1.0.1": {
+ "version": "1.0.1",
"obj": {
"namespace": "cvss",
- "key": "UI",
- "version": "2.0.0",
- "name": "User Interaction",
- "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
+ "key": "PR",
+ "version": "1.0.1",
+ "name": "Privileges Required",
+ "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "A",
- "name": "Active",
- "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
+ "key": "H",
+ "name": "High",
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
},
{
- "key": "P",
- "name": "Passive",
- "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ "key": "L",
+ "name": "Low",
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
},
{
"key": "N",
"name": "None",
- "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
}
]
},
"values": {
- "A": {
- "key": "A",
- "name": "Active",
- "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
},
- "P": {
- "key": "P",
- "name": "Passive",
- "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
},
"N": {
"key": "N",
"name": "None",
- "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
}
}
}
}
},
- "CVSS": {
- "key": "CVSS",
+ "QS": {
+ "key": "QS",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "CVSS",
+ "key": "QS",
"version": "1.0.0",
"name": "CVSS Qualitative Severity Rating Scale",
- "definition": "The CVSS Qualitative Severity Rating Scale group.",
+ "definition": "The CVSS Qualitative Severity Rating Scale provides a categorical representation of a CVSS Score.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "definition": "None (0.0)"
+ "definition": "No severity rating (0.0)"
},
{
"key": "L",
"name": "Low",
- "definition": "Low (0.1-3.9)"
+ "definition": "Low (0.1 - 3.9)"
},
{
"key": "M",
"name": "Medium",
- "definition": "Medium (4.0-6.9)"
+ "definition": "Medium (4.0 - 6.9)"
},
{
"key": "H",
"name": "High",
- "definition": "High (7.0-8.9)"
+ "definition": "High (7.0 - 8.9)"
},
{
"key": "C",
"name": "Critical",
- "definition": "Critical (9.0-10.0)"
+ "definition": "Critical (9.0 - 10.0)"
}
]
},
@@ -4098,129 +3938,119 @@
"N": {
"key": "N",
"name": "None",
- "definition": "None (0.0)"
+ "definition": "No severity rating (0.0)"
},
"L": {
"key": "L",
"name": "Low",
- "definition": "Low (0.1-3.9)"
+ "definition": "Low (0.1 - 3.9)"
},
"M": {
"key": "M",
"name": "Medium",
- "definition": "Medium (4.0-6.9)"
+ "definition": "Medium (4.0 - 6.9)"
},
"H": {
"key": "H",
"name": "High",
- "definition": "High (7.0-8.9)"
+ "definition": "High (7.0 - 8.9)"
},
"C": {
"key": "C",
"name": "Critical",
- "definition": "Critical (9.0-10.0)"
+ "definition": "Critical (9.0 - 10.0)"
}
}
}
}
},
- "MAV": {
- "key": "MAV",
+ "RL": {
+ "key": "RL",
"versions": {
- "3.0.0": {
- "version": "3.0.0",
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MAV",
- "version": "3.0.0",
- "name": "Modified Attack Vector",
- "definition": "This metric reflects the context by which vulnerability exploitation is possible. ",
+ "key": "RL",
+ "version": "1.0.0",
+ "name": "Remediation Level",
+ "definition": "This metric measures the remediation status of a vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "P",
- "name": "Physical",
- "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
- },
- {
- "key": "L",
- "name": "Local",
- "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
+ "key": "OF",
+ "name": "Official Fix",
+ "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
},
{
- "key": "A",
- "name": "Adjacent",
- "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ "key": "TF",
+ "name": "Temporary Fix",
+ "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
},
{
- "key": "N",
- "name": "Network",
- "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
+ "key": "W",
+ "name": "Workaround",
+ "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "U",
+ "name": "Unavailable",
+ "definition": "There is either no solution available or it is impossible to apply."
}
]
},
"values": {
- "P": {
- "key": "P",
- "name": "Physical",
- "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
- },
- "L": {
- "key": "L",
- "name": "Local",
- "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
+ "OF": {
+ "key": "OF",
+ "name": "Official Fix",
+ "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
},
- "A": {
- "key": "A",
- "name": "Adjacent",
- "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ "TF": {
+ "key": "TF",
+ "name": "Temporary Fix",
+ "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
},
- "N": {
- "key": "N",
- "name": "Network",
- "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
+ "W": {
+ "key": "W",
+ "name": "Workaround",
+ "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
},
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "U": {
+ "key": "U",
+ "name": "Unavailable",
+ "definition": "There is either no solution available or it is impossible to apply."
}
}
},
- "3.0.1": {
- "version": "3.0.1",
+ "1.1.0": {
+ "version": "1.1.0",
"obj": {
"namespace": "cvss",
- "key": "MAV",
- "version": "3.0.1",
- "name": "Modified Attack Vector",
- "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
+ "key": "RL",
+ "version": "1.1.0",
+ "name": "Remediation Level",
+ "definition": "This metric measures the remediation status of a vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "P",
- "name": "Physical",
- "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
+ "key": "OF",
+ "name": "Official Fix",
+ "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
},
{
- "key": "L",
- "name": "Local",
- "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ "key": "TF",
+ "name": "Temporary Fix",
+ "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
},
{
- "key": "A",
- "name": "Adjacent",
- "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ "key": "W",
+ "name": "Workaround",
+ "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
},
{
- "key": "N",
- "name": "Network",
- "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
+ "key": "U",
+ "name": "Unavailable",
+ "definition": "There is either no solution available or it is impossible to apply."
},
{
"key": "X",
@@ -4230,25 +4060,25 @@
]
},
"values": {
- "P": {
- "key": "P",
- "name": "Physical",
- "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
+ "OF": {
+ "key": "OF",
+ "name": "Official Fix",
+ "definition": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
},
- "L": {
- "key": "L",
- "name": "Local",
- "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ "TF": {
+ "key": "TF",
+ "name": "Temporary Fix",
+ "definition": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
},
- "A": {
- "key": "A",
- "name": "Adjacent",
- "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ "W": {
+ "key": "W",
+ "name": "Workaround",
+ "definition": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
},
- "N": {
- "key": "N",
- "name": "Network",
- "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
+ "U": {
+ "key": "U",
+ "name": "Unavailable",
+ "definition": "There is either no solution available or it is impossible to apply."
},
"X": {
"key": "X",
@@ -4259,128 +4089,133 @@
}
}
},
- "MAC": {
- "key": "MAC",
+ "RC": {
+ "key": "RC",
"versions": {
- "3.0.0": {
- "version": "3.0.0",
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MAC",
- "version": "3.0.0",
- "name": "Modified Attack Complexity",
- "definition": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
+ "key": "RC",
+ "version": "1.0.0",
+ "name": "Report Confidence",
+ "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "H",
- "name": "High",
- "definition": "A successful attack depends on conditions beyond the attacker's control."
+ "key": "UC",
+ "name": "Unconfirmed",
+ "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
},
{
- "key": "L",
- "name": "Low",
- "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ "key": "UR",
+ "name": "Uncorroborated",
+ "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "C",
+ "name": "Confirmed",
+ "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
}
]
},
"values": {
- "H": {
- "key": "H",
- "name": "High",
- "definition": "A successful attack depends on conditions beyond the attacker's control."
+ "UC": {
+ "key": "UC",
+ "name": "Unconfirmed",
+ "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
},
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ "UR": {
+ "key": "UR",
+ "name": "Uncorroborated",
+ "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
},
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "C": {
+ "key": "C",
+ "name": "Confirmed",
+ "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
}
}
},
- "3.0.1": {
- "version": "3.0.1",
+ "1.1.0": {
+ "version": "1.1.0",
"obj": {
"namespace": "cvss",
- "key": "MAC",
- "version": "3.0.1",
- "name": "Modified Attack Complexity",
- "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
+ "key": "RC",
+ "version": "1.1.0",
+ "name": "Report Confidence",
+ "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "H",
- "name": "High",
- "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ "key": "UC",
+ "name": "Unconfirmed",
+ "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
},
{
- "key": "L",
- "name": "Low",
- "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ "key": "UR",
+ "name": "Uncorroborated",
+ "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
},
{
- "key": "X",
+ "key": "C",
+ "name": "Confirmed",
+ "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ },
+ {
+ "key": "ND",
"name": "Not Defined",
"definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
- "H": {
- "key": "H",
- "name": "High",
- "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ "UC": {
+ "key": "UC",
+ "name": "Unconfirmed",
+ "definition": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
},
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ "UR": {
+ "key": "UR",
+ "name": "Uncorroborated",
+ "definition": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
},
- "X": {
- "key": "X",
+ "C": {
+ "key": "C",
+ "name": "Confirmed",
+ "definition": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ },
+ "ND": {
+ "key": "ND",
"name": "Not Defined",
"definition": "This metric value is not defined. See CVSS documentation for details."
}
}
- }
- }
- },
- "MPR": {
- "key": "MPR",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
"namespace": "cvss",
- "key": "MPR",
- "version": "1.0.0",
- "name": "Modified Privileges Required",
- "definition": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
+ "key": "RC",
+ "version": "2.0.0",
+ "name": "Report Confidence",
+ "definition": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "H",
- "name": "High",
- "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ "key": "U",
+ "name": "Unknown",
+ "definition": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."
},
{
- "key": "L",
- "name": "Low",
- "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
+ "key": "R",
+ "name": "Reasonable",
+ "definition": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."
},
{
- "key": "N",
- "name": "None",
- "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "key": "C",
+ "name": "Confirmed",
+ "definition": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."
},
{
"key": "X",
@@ -4390,20 +4225,20 @@
]
},
"values": {
- "H": {
- "key": "H",
- "name": "High",
- "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ "U": {
+ "key": "U",
+ "name": "Unknown",
+ "definition": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."
},
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
+ "R": {
+ "key": "R",
+ "name": "Reasonable",
+ "definition": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."
},
- "N": {
- "key": "N",
- "name": "None",
- "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "C": {
+ "key": "C",
+ "name": "Confirmed",
+ "definition": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."
},
"X": {
"key": "X",
@@ -4411,136 +4246,121 @@
"definition": "This metric value is not defined. See CVSS documentation for details."
}
}
- },
- "1.0.1": {
- "version": "1.0.1",
+ }
+ }
+ },
+ "S": {
+ "key": "S",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MPR",
- "version": "1.0.1",
- "name": "Modified Privileges Required",
- "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
+ "key": "S",
+ "version": "1.0.0",
+ "name": "Scope",
+ "definition": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "H",
- "name": "High",
- "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
- },
- {
- "key": "L",
- "name": "Low",
- "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
- },
- {
- "key": "N",
- "name": "None",
- "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "key": "U",
+ "name": "Unchanged",
+ "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "C",
+ "name": "Changed",
+ "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
}
]
},
"values": {
- "H": {
- "key": "H",
- "name": "High",
- "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
- },
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
- },
- "N": {
- "key": "N",
- "name": "None",
- "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ "U": {
+ "key": "U",
+ "name": "Unchanged",
+ "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
},
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "C": {
+ "key": "C",
+ "name": "Changed",
+ "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
}
}
}
}
},
- "MUI": {
- "key": "MUI",
+ "SC": {
+ "key": "SC",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MUI",
+ "key": "SC",
"version": "1.0.0",
- "name": "Modified User Interaction",
- "definition": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
+ "name": "Confidentiality Impact to the Subsequent System",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "R",
- "name": "Required",
- "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ "key": "N",
+ "name": "Negligible",
+ "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
{
- "key": "N",
- "name": "None",
- "definition": "The vulnerable system can be exploited without interaction from any user."
+ "key": "L",
+ "name": "Low",
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
}
]
},
"values": {
- "R": {
- "key": "R",
- "name": "Required",
- "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
- },
"N": {
"key": "N",
- "name": "None",
- "definition": "The vulnerable system can be exploited without interaction from any user."
+ "name": "Negligible",
+ "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
},
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
}
}
- },
- "2.0.0": {
- "version": "2.0.0",
+ }
+ }
+ },
+ "AU": {
+ "key": "AU",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MUI",
- "version": "2.0.0",
- "name": "Modified User Interaction",
- "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
+ "key": "AU",
+ "version": "1.0.0",
+ "name": "Automatable",
+ "definition": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "A",
- "name": "Active",
- "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
- },
- {
- "key": "P",
- "name": "Passive",
- "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ "key": "N",
+ "name": "No",
+ "definition": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
},
{
- "key": "N",
- "name": "None",
- "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ "key": "Y",
+ "name": "Yes",
+ "definition": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
},
{
"key": "X",
@@ -4550,20 +4370,15 @@
]
},
"values": {
- "A": {
- "key": "A",
- "name": "Active",
- "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
- },
- "P": {
- "key": "P",
- "name": "Passive",
- "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
- },
"N": {
"key": "N",
- "name": "None",
- "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ "name": "No",
+ "definition": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ },
+ "Y": {
+ "key": "Y",
+ "name": "Yes",
+ "definition": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
},
"X": {
"key": "X",
@@ -4574,318 +4389,328 @@
}
}
},
- "MS": {
- "key": "MS",
+ "U": {
+ "key": "U",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MS",
+ "key": "U",
"version": "1.0.0",
- "name": "Modified Scope",
- "definition": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
+ "name": "Provider Urgency",
+ "definition": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "U",
- "name": "Unchanged",
- "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
"key": "C",
- "name": "Changed",
- "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
+ "name": "Clear",
+ "definition": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "G",
+ "name": "Green",
+ "definition": "Provider has assessed the impact of this vulnerability as having a reduced urgency."
+ },
+ {
+ "key": "A",
+ "name": "Amber",
+ "definition": "Provider has assessed the impact of this vulnerability as having a moderate urgency."
+ },
+ {
+ "key": "R",
+ "name": "Red",
+ "definition": "Provider has assessed the impact of this vulnerability as having the highest urgency."
}
]
},
"values": {
- "U": {
- "key": "U",
- "name": "Unchanged",
- "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
- },
- "C": {
- "key": "C",
- "name": "Changed",
- "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
- },
"X": {
"key": "X",
"name": "Not Defined",
"definition": "This metric value is not defined. See CVSS documentation for details."
+ },
+ "C": {
+ "key": "C",
+ "name": "Clear",
+ "definition": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)."
+ },
+ "G": {
+ "key": "G",
+ "name": "Green",
+ "definition": "Provider has assessed the impact of this vulnerability as having a reduced urgency."
+ },
+ "A": {
+ "key": "A",
+ "name": "Amber",
+ "definition": "Provider has assessed the impact of this vulnerability as having a moderate urgency."
+ },
+ "R": {
+ "key": "R",
+ "name": "Red",
+ "definition": "Provider has assessed the impact of this vulnerability as having the highest urgency."
}
}
}
}
},
- "MC": {
- "key": "MC",
+ "R": {
+ "key": "R",
"versions": {
- "2.0.0": {
- "version": "2.0.0",
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MC",
- "version": "2.0.0",
- "name": "Modified Confidentiality Impact",
- "definition": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
+ "key": "R",
+ "version": "1.0.0",
+ "name": "Recovery",
+ "definition": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "None",
- "definition": "There is no loss of confidentiality within the impacted component."
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
- "key": "L",
- "name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "key": "A",
+ "name": "Automatic",
+ "definition": "The system recovers services automatically after an attack has been performed."
},
{
- "key": "H",
- "name": "High",
- "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "key": "U",
+ "name": "User",
+ "definition": "The system requires manual intervention by the user to recover services, after an attack has been performed."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "I",
+ "name": "Irrecoverable",
+ "definition": "The system services are irrecoverable by the user, after an attack has been performed."
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "There is no loss of confidentiality within the impacted component."
- },
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
- },
- "H": {
- "key": "H",
- "name": "High",
- "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
- },
"X": {
"key": "X",
"name": "Not Defined",
"definition": "This metric value is not defined. See CVSS documentation for details."
+ },
+ "A": {
+ "key": "A",
+ "name": "Automatic",
+ "definition": "The system recovers services automatically after an attack has been performed."
+ },
+ "U": {
+ "key": "U",
+ "name": "User",
+ "definition": "The system requires manual intervention by the user to recover services, after an attack has been performed."
+ },
+ "I": {
+ "key": "I",
+ "name": "Irrecoverable",
+ "definition": "The system services are irrecoverable by the user, after an attack has been performed."
}
}
}
}
},
- "MI": {
- "key": "MI",
+ "SF": {
+ "key": "SF",
"versions": {
- "2.0.0": {
- "version": "2.0.0",
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MI",
- "version": "2.0.0",
- "name": "Modified Integrity Impact",
- "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "key": "SF",
+ "version": "1.0.0",
+ "name": "Safety",
+ "definition": "The Safety decision point is a measure of the potential for harm to humans or the environment.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "None",
- "definition": "There is no impact to the integrity of the system."
- },
- {
- "key": "L",
- "name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
- "key": "H",
- "name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection."
+ "key": "P",
+ "name": "Present",
+ "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\""
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "N",
+ "name": "Negligible",
+ "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\""
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "There is no impact to the integrity of the system."
- },
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
- },
- "H": {
- "key": "H",
- "name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection."
- },
"X": {
"key": "X",
"name": "Not Defined",
"definition": "This metric value is not defined. See CVSS documentation for details."
+ },
+ "P": {
+ "key": "P",
+ "name": "Present",
+ "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\""
+ },
+ "N": {
+ "key": "N",
+ "name": "Negligible",
+ "definition": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\""
}
}
}
}
},
- "MA": {
- "key": "MA",
+ "V": {
+ "key": "V",
"versions": {
- "2.0.0": {
- "version": "2.0.0",
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MA",
- "version": "2.0.0",
- "name": "Modified Availability Impact",
- "definition": "This metric measures the impact to availability of a successfully exploited vulnerability.",
+ "key": "V",
+ "version": "1.0.0",
+ "name": "Value Density",
+ "definition": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "None",
- "definition": "There is no impact to the availability of the system."
- },
- {
- "key": "L",
- "name": "Low",
- "definition": "There is reduced performance or interruptions in resource availability."
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
- "key": "H",
- "name": "High",
- "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "key": "D",
+ "name": "Diffuse",
+ "definition": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "C",
+ "name": "Concentrated",
+ "definition": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users."
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "None",
- "definition": "There is no impact to the availability of the system."
- },
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "There is reduced performance or interruptions in resource availability."
- },
- "H": {
- "key": "H",
- "name": "High",
- "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
- },
"X": {
"key": "X",
"name": "Not Defined",
"definition": "This metric value is not defined. See CVSS documentation for details."
+ },
+ "D": {
+ "key": "D",
+ "name": "Diffuse",
+ "definition": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small."
+ },
+ "C": {
+ "key": "C",
+ "name": "Concentrated",
+ "definition": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users."
}
}
}
}
},
- "MAT": {
- "key": "MAT",
+ "RE": {
+ "key": "RE",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MAT",
+ "key": "RE",
"version": "1.0.0",
- "name": "Modified Attack Requirements",
- "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
+ "name": "Vulnerability Response Effort",
+ "definition": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "P",
- "name": "Present",
- "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
},
{
- "key": "N",
- "name": "None",
- "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ "key": "L",
+ "name": "Low",
+ "definition": "The effort required to respond to a vulnerability is low/trivial."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "M",
+ "name": "Moderate",
+ "definition": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)."
}
]
},
"values": {
- "P": {
- "key": "P",
- "name": "Present",
- "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
- },
- "N": {
- "key": "N",
- "name": "None",
- "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
- },
"X": {
"key": "X",
"name": "Not Defined",
"definition": "This metric value is not defined. See CVSS documentation for details."
+ },
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "The effort required to respond to a vulnerability is low/trivial."
+ },
+ "M": {
+ "key": "M",
+ "name": "Moderate",
+ "definition": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)."
}
}
}
}
},
- "MVC": {
- "key": "MVC",
+ "TD": {
+ "key": "TD",
"versions": {
- "3.0.0": {
- "version": "3.0.0",
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MVC",
- "version": "3.0.0",
- "name": "Modified Confidentiality Impact to the Vulnerable System",
- "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
+ "key": "TD",
+ "version": "1.0.0",
+ "name": "Target Distribution",
+ "definition": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "definition": "There is no loss of confidentiality within the impacted component."
+ "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
},
{
"key": "L",
"name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
},
{
- "key": "H",
- "name": "High",
- "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
+ "key": "M",
+ "name": "Medium",
+ "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "H",
+ "name": "High",
+ "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
}
]
},
@@ -4893,54 +4718,54 @@
"N": {
"key": "N",
"name": "None",
- "definition": "There is no loss of confidentiality within the impacted component."
+ "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
},
"L": {
"key": "L",
"name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
+ "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
+ },
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
- },
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
}
}
- }
- }
- },
- "MVI": {
- "key": "MVI",
- "versions": {
- "3.0.0": {
- "version": "3.0.0",
+ },
+ "1.1.0": {
+ "version": "1.1.0",
"obj": {
"namespace": "cvss",
- "key": "MVI",
- "version": "3.0.0",
- "name": "Modified Integrity Impact to the Vulnerable System",
- "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "key": "TD",
+ "version": "1.1.0",
+ "name": "Target Distribution",
+ "definition": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "definition": "There is no loss of integrity within the Vulnerable System."
+ "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
},
{
"key": "L",
"name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
},
{
"key": "H",
"name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
},
{
"key": "X",
@@ -4953,17 +4778,22 @@
"N": {
"key": "N",
"name": "None",
- "definition": "There is no loss of integrity within the Vulnerable System."
+ "definition": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
},
"L": {
"key": "L",
"name": "Low",
- "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ "definition": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
+ },
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of integrity, or a complete loss of protection."
+ "definition": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
},
"X": {
"key": "X",
@@ -4974,148 +4804,193 @@
}
}
},
- "MVA": {
- "key": "MVA",
+ "UI": {
+ "key": "UI",
"versions": {
- "3.0.0": {
- "version": "3.0.0",
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MVA",
- "version": "3.0.0",
- "name": "Modified Availability Impact to the Vulnerable System",
- "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "key": "UI",
+ "version": "1.0.0",
+ "name": "User Interaction",
+ "definition": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
"schemaVersion": "2.0.0",
"values": [
+ {
+ "key": "R",
+ "name": "Required",
+ "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ },
{
"key": "N",
"name": "None",
- "definition": "There is no impact to availability within the Vulnerable System."
- },
+ "definition": "The vulnerable system can be exploited without interaction from any user."
+ }
+ ]
+ },
+ "values": {
+ "R": {
+ "key": "R",
+ "name": "Required",
+ "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ },
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "The vulnerable system can be exploited without interaction from any user."
+ }
+ }
+ },
+ "2.0.0": {
+ "version": "2.0.0",
+ "obj": {
+ "namespace": "cvss",
+ "key": "UI",
+ "version": "2.0.0",
+ "name": "User Interaction",
+ "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
+ "schemaVersion": "2.0.0",
+ "values": [
{
- "key": "L",
- "name": "Low",
- "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ "key": "A",
+ "name": "Active",
+ "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
},
{
- "key": "H",
- "name": "High",
- "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ "key": "P",
+ "name": "Passive",
+ "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "N",
+ "name": "None",
+ "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
}
]
},
"values": {
+ "A": {
+ "key": "A",
+ "name": "Active",
+ "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
+ },
+ "P": {
+ "key": "P",
+ "name": "Passive",
+ "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
+ },
"N": {
"key": "N",
"name": "None",
- "definition": "There is no impact to availability within the Vulnerable System."
- },
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
- },
- "H": {
- "key": "H",
- "name": "High",
- "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
- },
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
}
}
}
}
},
- "MSC": {
- "key": "MSC",
+ "CVSS": {
+ "key": "CVSS",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "cvss",
- "key": "MSC",
+ "key": "CVSS",
"version": "1.0.0",
- "name": "Modified Confidentiality Impact to the Subsequent System",
- "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "name": "CVSS Qualitative Severity Rating Scale",
+ "definition": "The CVSS Qualitative Severity Rating Scale group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
- "name": "Negligible",
- "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "name": "None",
+ "definition": "None (0.0)"
},
{
"key": "L",
"name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "Low (0.1-3.9)"
},
{
- "key": "H",
- "name": "High",
- "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "key": "M",
+ "name": "Medium",
+ "definition": "Medium (4.0-6.9)"
},
{
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "key": "H",
+ "name": "High",
+ "definition": "High (7.0-8.9)"
+ },
+ {
+ "key": "C",
+ "name": "Critical",
+ "definition": "Critical (9.0-10.0)"
}
]
},
"values": {
"N": {
"key": "N",
- "name": "Negligible",
- "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "name": "None",
+ "definition": "None (0.0)"
},
"L": {
"key": "L",
"name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "definition": "Low (0.1-3.9)"
+ },
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Medium (4.0-6.9)"
},
"H": {
"key": "H",
"name": "High",
- "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "definition": "High (7.0-8.9)"
},
- "X": {
- "key": "X",
- "name": "Not Defined",
- "definition": "This metric value is not defined. See CVSS documentation for details."
+ "C": {
+ "key": "C",
+ "name": "Critical",
+ "definition": "Critical (9.0-10.0)"
}
}
- },
- "1.0.1": {
- "version": "1.0.1",
+ }
+ }
+ },
+ "MAV": {
+ "key": "MAV",
+ "versions": {
+ "3.0.0": {
+ "version": "3.0.0",
"obj": {
"namespace": "cvss",
- "key": "MSC",
- "version": "1.0.1",
- "name": "Modified Confidentiality Impact to the Subsequent System",
- "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "key": "MAV",
+ "version": "3.0.0",
+ "name": "Modified Attack Vector",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. ",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "Negligible",
- "definition": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "key": "P",
+ "name": "Physical",
+ "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
},
{
"key": "L",
- "name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "name": "Local",
+ "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
},
{
- "key": "H",
- "name": "High",
- "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "key": "A",
+ "name": "Adjacent",
+ "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ },
+ {
+ "key": "N",
+ "name": "Network",
+ "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
},
{
"key": "X",
@@ -5125,20 +5000,25 @@
]
},
"values": {
- "N": {
- "key": "N",
- "name": "Negligible",
- "definition": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ "P": {
+ "key": "P",
+ "name": "Physical",
+ "definition": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."
},
"L": {
"key": "L",
- "name": "Low",
- "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ "name": "Local",
+ "definition": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ "A": {
+ "key": "A",
+ "name": "Adjacent",
+ "definition": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."
+ },
+ "N": {
+ "key": "N",
+ "name": "Network",
+ "definition": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
},
"X": {
"key": "X",
@@ -5146,526 +5026,591 @@
"definition": "This metric value is not defined. See CVSS documentation for details."
}
}
- }
- }
- }
- }
- },
- "ssvc": {
- "namespace": "ssvc",
- "keys": {
- "V": {
- "key": "V",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "3.0.1": {
+ "version": "3.0.1",
"obj": {
- "namespace": "ssvc",
- "key": "V",
- "version": "1.0.0",
- "name": "Virulence",
- "definition": "The speed at which the vulnerability can be exploited.",
+ "namespace": "cvss",
+ "key": "MAV",
+ "version": "3.0.1",
+ "name": "Modified Attack Vector",
+ "definition": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "S",
- "name": "Slow",
- "definition": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ "key": "P",
+ "name": "Physical",
+ "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
},
{
- "key": "R",
- "name": "Rapid",
- "definition": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid."
- }
- ]
- },
- "values": {
- "S": {
- "key": "S",
- "name": "Slow",
- "definition": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
- },
- "R": {
- "key": "R",
- "name": "Rapid",
- "definition": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid."
- }
- }
- }
- }
- },
- "A": {
- "key": "A",
- "versions": {
- "2.0.0": {
- "version": "2.0.0",
- "obj": {
- "namespace": "ssvc",
- "key": "A",
- "version": "2.0.0",
- "name": "Automatable",
- "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
- "schemaVersion": "2.0.0",
- "values": [
+ "key": "L",
+ "name": "Local",
+ "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ },
+ {
+ "key": "A",
+ "name": "Adjacent",
+ "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ },
{
"key": "N",
- "name": "No",
- "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ "name": "Network",
+ "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
},
{
- "key": "Y",
- "name": "Yes",
- "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
+ "P": {
+ "key": "P",
+ "name": "Physical",
+ "definition": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
+ },
+ "L": {
+ "key": "L",
+ "name": "Local",
+ "definition": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
+ },
+ "A": {
+ "key": "A",
+ "name": "Adjacent",
+ "definition": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
+ },
"N": {
"key": "N",
- "name": "No",
- "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ "name": "Network",
+ "definition": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
},
- "Y": {
- "key": "Y",
- "name": "Yes",
- "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
}
},
- "CS": {
- "key": "CS",
+ "MAC": {
+ "key": "MAC",
"versions": {
- "1.0.0": {
- "version": "1.0.0",
+ "3.0.0": {
+ "version": "3.0.0",
"obj": {
- "namespace": "ssvc",
- "key": "CS",
- "version": "1.0.0",
- "name": "Critical Software",
- "definition": "Denotes whether a system meets a critical software definition.",
+ "namespace": "cvss",
+ "key": "MAC",
+ "version": "3.0.0",
+ "name": "Modified Attack Complexity",
+ "definition": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "No",
- "definition": "System does not meet a critical software definition."
+ "key": "H",
+ "name": "High",
+ "definition": "A successful attack depends on conditions beyond the attacker's control."
},
{
- "key": "Y",
- "name": "Yes",
- "definition": "System meets a critical software definition."
+ "key": "L",
+ "name": "Low",
+ "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "No",
- "definition": "System does not meet a critical software definition."
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "A successful attack depends on conditions beyond the attacker's control."
},
- "Y": {
- "key": "Y",
- "name": "Yes",
- "definition": "System meets a critical software definition."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ }
+ }
+ },
+ "3.0.1": {
+ "version": "3.0.1",
+ "obj": {
+ "namespace": "cvss",
+ "key": "MAC",
+ "version": "3.0.1",
+ "name": "Modified Attack Complexity",
+ "definition": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+ },
+ "values": {
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
+ },
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
}
},
- "E": {
- "key": "E",
+ "MPR": {
+ "key": "MPR",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "ssvc",
- "key": "E",
+ "namespace": "cvss",
+ "key": "MPR",
"version": "1.0.0",
- "name": "Exploitation",
- "definition": "The present state of exploitation of the vulnerability.",
+ "name": "Modified Privileges Required",
+ "definition": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "None",
- "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "key": "H",
+ "name": "High",
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
},
{
- "key": "P",
- "name": "PoC",
- "definition": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
+ "key": "L",
+ "name": "Low",
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
},
{
- "key": "A",
- "name": "Active",
- "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "key": "N",
+ "name": "None",
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ },
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
+ },
"N": {
"key": "N",
"name": "None",
- "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
- },
- "P": {
- "key": "P",
- "name": "PoC",
- "definition": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
},
- "A": {
- "key": "A",
- "name": "Active",
- "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
},
- "1.1.0": {
- "version": "1.1.0",
+ "1.0.1": {
+ "version": "1.0.1",
"obj": {
- "namespace": "ssvc",
- "key": "E",
- "version": "1.1.0",
- "name": "Exploitation",
- "definition": "The present state of exploitation of the vulnerability.",
+ "namespace": "cvss",
+ "key": "MPR",
+ "version": "1.0.1",
+ "name": "Modified Privileges Required",
+ "definition": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "None",
- "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ "key": "H",
+ "name": "High",
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
},
{
- "key": "P",
- "name": "Public PoC",
- "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "key": "L",
+ "name": "Low",
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
},
{
- "key": "A",
- "name": "Active",
- "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "key": "N",
+ "name": "None",
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ },
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ },
"N": {
"key": "N",
"name": "None",
- "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
- },
- "P": {
- "key": "P",
- "name": "Public PoC",
- "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ "definition": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
},
- "A": {
- "key": "A",
- "name": "Active",
- "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
}
},
- "HVA": {
- "key": "HVA",
+ "MUI": {
+ "key": "MUI",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "ssvc",
- "key": "HVA",
+ "namespace": "cvss",
+ "key": "MUI",
"version": "1.0.0",
- "name": "High Value Asset",
- "definition": "Denotes whether a system meets a high value asset definition.",
+ "name": "Modified User Interaction",
+ "definition": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
"schemaVersion": "2.0.0",
"values": [
+ {
+ "key": "R",
+ "name": "Required",
+ "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ },
{
"key": "N",
- "name": "No",
- "definition": "System does not meet a high value asset definition."
+ "name": "None",
+ "definition": "The vulnerable system can be exploited without interaction from any user."
},
{
- "key": "Y",
- "name": "Yes",
- "definition": "System meets a high value asset definition."
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
+ "R": {
+ "key": "R",
+ "name": "Required",
+ "definition": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ },
"N": {
"key": "N",
- "name": "No",
- "definition": "System does not meet a high value asset definition."
+ "name": "None",
+ "definition": "The vulnerable system can be exploited without interaction from any user."
},
- "Y": {
- "key": "Y",
- "name": "Yes",
- "definition": "System meets a high value asset definition."
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
- }
- }
- },
- "MWI": {
- "key": "MWI",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
- "namespace": "ssvc",
- "key": "MWI",
- "version": "1.0.0",
- "name": "Mission and Well-Being Impact",
- "definition": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
+ "namespace": "cvss",
+ "key": "MUI",
+ "version": "2.0.0",
+ "name": "Modified User Interaction",
+ "definition": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Low",
- "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
+ "key": "A",
+ "name": "Active",
+ "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
},
{
- "key": "M",
- "name": "Medium",
- "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
+ "key": "P",
+ "name": "Passive",
+ "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
},
{
- "key": "H",
- "name": "High",
- "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
+ "key": "N",
+ "name": "None",
+ "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
+ "A": {
+ "key": "A",
+ "name": "Active",
+ "definition": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
},
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
+ "P": {
+ "key": "P",
+ "name": "Passive",
+ "definition": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
}
},
- "HI": {
- "key": "HI",
+ "MS": {
+ "key": "MS",
"versions": {
- "2.0.0": {
- "version": "2.0.0",
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
- "namespace": "ssvc",
- "key": "HI",
- "version": "2.0.0",
- "name": "Human Impact",
- "definition": "Human Impact is a combination of Safety and Mission impacts.",
+ "namespace": "cvss",
+ "key": "MS",
+ "version": "1.0.0",
+ "name": "Modified Scope",
+ "definition": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Low",
- "definition": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
- },
- {
- "key": "M",
- "name": "Medium",
- "definition": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
+ "key": "U",
+ "name": "Unchanged",
+ "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
},
{
- "key": "H",
- "name": "High",
- "definition": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
+ "key": "C",
+ "name": "Changed",
+ "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
},
{
- "key": "VH",
- "name": "Very High",
- "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
+ "U": {
+ "key": "U",
+ "name": "Unchanged",
+ "definition": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
+ "C": {
+ "key": "C",
+ "name": "Changed",
+ "definition": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
},
- "VH": {
- "key": "VH",
- "name": "Very High",
- "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
- },
- "2.0.1": {
- "version": "2.0.1",
+ }
+ }
+ },
+ "MC": {
+ "key": "MC",
+ "versions": {
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
- "namespace": "ssvc",
- "key": "HI",
- "version": "2.0.1",
- "name": "Human Impact",
- "definition": "Human Impact is a combination of Safety and Mission impacts.",
+ "namespace": "cvss",
+ "key": "MC",
+ "version": "2.0.0",
+ "name": "Modified Confidentiality Impact",
+ "definition": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Low",
- "definition": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
- "key": "M",
- "name": "Medium",
- "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
+ "key": "L",
+ "name": "Low",
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
"key": "H",
"name": "High",
- "definition": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
},
{
- "key": "VH",
- "name": "Very High",
- "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of confidentiality within the impacted component."
+ },
"L": {
"key": "L",
"name": "Low",
- "definition": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
"H": {
"key": "H",
"name": "High",
- "definition": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
},
- "VH": {
- "key": "VH",
- "name": "Very High",
- "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
- },
- "2.0.2": {
- "version": "2.0.2",
+ }
+ }
+ },
+ "MI": {
+ "key": "MI",
+ "versions": {
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
- "namespace": "ssvc",
- "key": "HI",
- "version": "2.0.2",
- "name": "Human Impact",
- "definition": "Human Impact is a combination of Safety and Mission impacts.",
+ "namespace": "cvss",
+ "key": "MI",
+ "version": "2.0.0",
+ "name": "Modified Integrity Impact",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Low",
- "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
+ "key": "N",
+ "name": "None",
+ "definition": "There is no impact to the integrity of the system."
},
{
- "key": "M",
- "name": "Medium",
- "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+ "key": "L",
+ "name": "Low",
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
},
{
"key": "H",
"name": "High",
- "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
},
{
- "key": "VH",
- "name": "Very High",
- "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no impact to the integrity of the system."
+ },
"L": {
"key": "L",
"name": "Low",
- "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
},
"H": {
"key": "H",
"name": "High",
- "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
},
- "VH": {
- "key": "VH",
- "name": "Very High",
- "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
}
},
- "MI": {
- "key": "MI",
+ "MA": {
+ "key": "MA",
"versions": {
- "1.0.0": {
- "version": "1.0.0",
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
- "namespace": "ssvc",
- "key": "MI",
- "version": "1.0.0",
- "name": "Mission Impact",
- "definition": "Impact on Mission Essential Functions of the Organization",
+ "namespace": "cvss",
+ "key": "MA",
+ "version": "2.0.0",
+ "name": "Modified Availability Impact",
+ "definition": "This metric measures the impact to availability of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "definition": "Little to no impact"
+ "definition": "There is no impact to the availability of the system."
},
{
- "key": "NED",
- "name": "Non-Essential Degraded",
- "definition": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
- },
- {
- "key": "MSC",
- "name": "MEF Support Crippled",
- "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ "key": "L",
+ "name": "Low",
+ "definition": "There is reduced performance or interruptions in resource availability."
},
{
- "key": "MEF",
- "name": "MEF Failure",
- "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ "key": "H",
+ "name": "High",
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
{
- "key": "MF",
- "name": "Mission Failure",
- "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
@@ -5673,379 +5618,889 @@
"N": {
"key": "N",
"name": "None",
- "definition": "Little to no impact"
+ "definition": "There is no impact to the availability of the system."
},
- "NED": {
- "key": "NED",
- "name": "Non-Essential Degraded",
- "definition": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "There is reduced performance or interruptions in resource availability."
},
- "MSC": {
- "key": "MSC",
- "name": "MEF Support Crippled",
- "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
},
- "MEF": {
- "key": "MEF",
- "name": "MEF Failure",
- "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ }
+ }
+ }
+ }
+ },
+ "MAT": {
+ "key": "MAT",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
+ "obj": {
+ "namespace": "cvss",
+ "key": "MAT",
+ "version": "1.0.0",
+ "name": "Modified Attack Requirements",
+ "definition": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "P",
+ "name": "Present",
+ "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
+ },
+ {
+ "key": "N",
+ "name": "None",
+ "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+ },
+ "values": {
+ "P": {
+ "key": "P",
+ "name": "Present",
+ "definition": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
},
- "MF": {
- "key": "MF",
- "name": "Mission Failure",
- "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
- },
- "2.0.0": {
- "version": "2.0.0",
+ }
+ }
+ },
+ "MVC": {
+ "key": "MVC",
+ "versions": {
+ "3.0.0": {
+ "version": "3.0.0",
"obj": {
- "namespace": "ssvc",
- "key": "MI",
- "version": "2.0.0",
- "name": "Mission Impact",
- "definition": "Impact on Mission Essential Functions of the Organization",
+ "namespace": "cvss",
+ "key": "MVC",
+ "version": "3.0.0",
+ "name": "Modified Confidentiality Impact to the Vulnerable System",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "D",
- "name": "Degraded",
- "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of confidentiality within the impacted component."
},
{
- "key": "MSC",
- "name": "MEF Support Crippled",
- "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ "key": "L",
+ "name": "Low",
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
{
- "key": "MEF",
- "name": "MEF Failure",
- "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ "key": "H",
+ "name": "High",
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
},
{
- "key": "MF",
- "name": "Mission Failure",
- "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
- "D": {
- "key": "D",
- "name": "Degraded",
- "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of confidentiality within the impacted component."
},
- "MSC": {
- "key": "MSC",
- "name": "MEF Support Crippled",
- "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
},
- "MEF": {
- "key": "MEF",
- "name": "MEF Failure",
- "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
},
- "MF": {
- "key": "MF",
- "name": "Mission Failure",
- "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
}
},
- "PWI": {
- "key": "PWI",
+ "MVI": {
+ "key": "MVI",
"versions": {
- "1.1.0": {
- "version": "1.1.0",
+ "3.0.0": {
+ "version": "3.0.0",
"obj": {
- "namespace": "ssvc",
- "key": "PWI",
- "version": "1.1.0",
- "name": "Public Well-Being Impact",
- "definition": "A coarse-grained representation of impact to public well-being.",
+ "namespace": "cvss",
+ "key": "MVI",
+ "version": "3.0.0",
+ "name": "Modified Integrity Impact to the Vulnerable System",
+ "definition": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "M",
- "name": "Minimal",
- "definition": "The effect is below the threshold for all aspects described in material. "
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
{
- "key": "MA",
- "name": "Material",
- "definition": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
+ "key": "L",
+ "name": "Low",
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
{
- "key": "I",
- "name": "Irreversible",
- "definition": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
]
},
"values": {
- "M": {
- "key": "M",
- "name": "Minimal",
- "definition": "The effect is below the threshold for all aspects described in material. "
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no loss of integrity within the Vulnerable System."
},
- "MA": {
- "key": "MA",
- "name": "Material",
- "definition": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
},
- "I": {
- "key": "I",
- "name": "Irreversible",
- "definition": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of integrity, or a complete loss of protection."
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
}
}
}
}
},
- "PSI": {
- "key": "PSI",
+ "MVA": {
+ "key": "MVA",
"versions": {
- "2.0.0": {
- "version": "2.0.0",
+ "3.0.0": {
+ "version": "3.0.0",
"obj": {
- "namespace": "ssvc",
- "key": "PSI",
+ "namespace": "cvss",
+ "key": "MVA",
+ "version": "3.0.0",
+ "name": "Modified Availability Impact to the Vulnerable System",
+ "definition": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no impact to availability within the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+ },
+ "values": {
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no impact to availability within the Vulnerable System."
+ },
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ }
+ }
+ }
+ }
+ },
+ "MSC": {
+ "key": "MSC",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
+ "obj": {
+ "namespace": "cvss",
+ "key": "MSC",
+ "version": "1.0.0",
+ "name": "Modified Confidentiality Impact to the Subsequent System",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "Negligible",
+ "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+ },
+ "values": {
+ "N": {
+ "key": "N",
+ "name": "Negligible",
+ "definition": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ },
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ }
+ }
+ },
+ "1.0.1": {
+ "version": "1.0.1",
+ "obj": {
+ "namespace": "cvss",
+ "key": "MSC",
+ "version": "1.0.1",
+ "name": "Modified Confidentiality Impact to the Subsequent System",
+ "definition": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "Negligible",
+ "definition": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+ },
+ "values": {
+ "N": {
+ "key": "N",
+ "name": "Negligible",
+ "definition": "There is negligible loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ },
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ },
+ "X": {
+ "key": "X",
+ "name": "Not Defined",
+ "definition": "This metric value is not defined. See CVSS documentation for details."
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "ssvc": {
+ "namespace": "ssvc",
+ "keys": {
+ "V": {
+ "key": "V",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
+ "obj": {
+ "namespace": "ssvc",
+ "key": "V",
+ "version": "1.0.0",
+ "name": "Virulence",
+ "definition": "The speed at which the vulnerability can be exploited.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "S",
+ "name": "Slow",
+ "definition": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ },
+ {
+ "key": "R",
+ "name": "Rapid",
+ "definition": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid."
+ }
+ ]
+ },
+ "values": {
+ "S": {
+ "key": "S",
+ "name": "Slow",
+ "definition": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ },
+ "R": {
+ "key": "R",
+ "name": "Rapid",
+ "definition": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid."
+ }
+ }
+ }
+ }
+ },
+ "A": {
+ "key": "A",
+ "versions": {
+ "2.0.0": {
+ "version": "2.0.0",
+ "obj": {
+ "namespace": "ssvc",
+ "key": "A",
"version": "2.0.0",
- "name": "Public Safety Impact",
- "definition": "A coarse-grained representation of impact to public safety.",
+ "name": "Automatable",
+ "definition": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No",
+ "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ },
+ {
+ "key": "Y",
+ "name": "Yes",
+ "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
+ }
+ ]
+ },
+ "values": {
+ "N": {
+ "key": "N",
+ "name": "No",
+ "definition": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ },
+ "Y": {
+ "key": "Y",
+ "name": "Yes",
+ "definition": "Attackers can reliably automate steps 1-4 of the kill chain."
+ }
+ }
+ }
+ }
+ },
+ "CS": {
+ "key": "CS",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
+ "obj": {
+ "namespace": "ssvc",
+ "key": "CS",
+ "version": "1.0.0",
+ "name": "Critical Software",
+ "definition": "Denotes whether a system meets a critical software definition.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No",
+ "definition": "System does not meet a critical software definition."
+ },
+ {
+ "key": "Y",
+ "name": "Yes",
+ "definition": "System meets a critical software definition."
+ }
+ ]
+ },
+ "values": {
+ "N": {
+ "key": "N",
+ "name": "No",
+ "definition": "System does not meet a critical software definition."
+ },
+ "Y": {
+ "key": "Y",
+ "name": "Yes",
+ "definition": "System meets a critical software definition."
+ }
+ }
+ }
+ }
+ },
+ "E": {
+ "key": "E",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
+ "obj": {
+ "namespace": "ssvc",
+ "key": "E",
+ "version": "1.0.0",
+ "name": "Exploitation",
+ "definition": "The present state of exploitation of the vulnerability.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ },
+ {
+ "key": "P",
+ "name": "PoC",
+ "definition": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
+ },
+ {
+ "key": "A",
+ "name": "Active",
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ }
+ ]
+ },
+ "values": {
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ },
+ "P": {
+ "key": "P",
+ "name": "PoC",
+ "definition": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
+ },
+ "A": {
+ "key": "A",
+ "name": "Active",
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ }
+ }
+ },
+ "1.1.0": {
+ "version": "1.1.0",
+ "obj": {
+ "namespace": "ssvc",
+ "key": "E",
+ "version": "1.1.0",
+ "name": "Exploitation",
+ "definition": "The present state of exploitation of the vulnerability.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ },
+ {
+ "key": "P",
+ "name": "Public PoC",
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ },
+ {
+ "key": "A",
+ "name": "Active",
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ }
+ ]
+ },
+ "values": {
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ },
+ "P": {
+ "key": "P",
+ "name": "Public PoC",
+ "definition": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ },
+ "A": {
+ "key": "A",
+ "name": "Active",
+ "definition": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ }
+ }
+ }
+ }
+ },
+ "HVA": {
+ "key": "HVA",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
+ "obj": {
+ "namespace": "ssvc",
+ "key": "HVA",
+ "version": "1.0.0",
+ "name": "High Value Asset",
+ "definition": "Denotes whether a system meets a high value asset definition.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "M",
- "name": "Minimal",
- "definition": "Safety Impact:(None OR Minor)"
+ "key": "N",
+ "name": "No",
+ "definition": "System does not meet a high value asset definition."
},
{
- "key": "S",
- "name": "Significant",
- "definition": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
+ "key": "Y",
+ "name": "Yes",
+ "definition": "System meets a high value asset definition."
}
]
},
"values": {
- "M": {
- "key": "M",
- "name": "Minimal",
- "definition": "Safety Impact:(None OR Minor)"
+ "N": {
+ "key": "N",
+ "name": "No",
+ "definition": "System does not meet a high value asset definition."
},
- "S": {
- "key": "S",
- "name": "Significant",
- "definition": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
+ "Y": {
+ "key": "Y",
+ "name": "Yes",
+ "definition": "System meets a high value asset definition."
}
}
- },
- "2.0.1": {
- "version": "2.0.1",
+ }
+ }
+ },
+ "MWI": {
+ "key": "MWI",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "PSI",
- "version": "2.0.1",
- "name": "Public Safety Impact",
- "definition": "A coarse-grained representation of impact to public safety.",
+ "key": "MWI",
+ "version": "1.0.0",
+ "name": "Mission and Well-Being Impact",
+ "definition": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
"schemaVersion": "2.0.0",
"values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
+ },
{
"key": "M",
- "name": "Minimal",
- "definition": "Safety Impact:Negligible"
+ "name": "Medium",
+ "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
},
{
- "key": "S",
- "name": "Significant",
- "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
+ "key": "H",
+ "name": "High",
+ "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
}
]
},
"values": {
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
+ },
"M": {
"key": "M",
- "name": "Minimal",
- "definition": "Safety Impact:Negligible"
+ "name": "Medium",
+ "definition": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
},
- "S": {
- "key": "S",
- "name": "Significant",
- "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
}
}
}
}
},
- "PVA": {
- "key": "PVA",
+ "HI": {
+ "key": "HI",
"versions": {
- "1.0.0": {
- "version": "1.0.0",
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
"namespace": "ssvc",
- "key": "PVA",
- "version": "1.0.0",
- "name": "Public Value Added",
- "definition": "How much value would a publication from the coordinator benefit the broader community?",
+ "key": "HI",
+ "version": "2.0.0",
+ "name": "Human Impact",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
- "name": "Limited",
- "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
+ "name": "Low",
+ "definition": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
},
{
- "key": "A",
- "name": "Ampliative",
- "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
+ "key": "M",
+ "name": "Medium",
+ "definition": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
},
{
- "key": "P",
- "name": "Precedence",
- "definition": "The publication would be the first publicly available, or be coincident with the first publicly available."
+ "key": "H",
+ "name": "High",
+ "definition": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
+ },
+ {
+ "key": "VH",
+ "name": "Very High",
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
},
"values": {
"L": {
"key": "L",
- "name": "Limited",
- "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
+ "name": "Low",
+ "definition": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
},
- "A": {
- "key": "A",
- "name": "Ampliative",
- "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
},
- "P": {
- "key": "P",
- "name": "Precedence",
- "definition": "The publication would be the first publicly available, or be coincident with the first publicly available."
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
+ },
+ "VH": {
+ "key": "VH",
+ "name": "Very High",
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
}
- }
- }
- },
- "RC": {
- "key": "RC",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "2.0.1": {
+ "version": "2.0.1",
"obj": {
"namespace": "ssvc",
- "key": "RC",
- "version": "1.0.0",
- "name": "Report Credibility",
- "definition": "Is the report credible?",
+ "key": "HI",
+ "version": "2.0.1",
+ "name": "Human Impact",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "NC",
- "name": "Not Credible",
- "definition": "The report is not credible."
+ "key": "L",
+ "name": "Low",
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
},
{
- "key": "C",
- "name": "Credible",
- "definition": "The report is credible."
+ "key": "M",
+ "name": "Medium",
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ },
+ {
+ "key": "VH",
+ "name": "Very High",
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
},
"values": {
- "NC": {
- "key": "NC",
- "name": "Not Credible",
- "definition": "The report is not credible."
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
},
- "C": {
- "key": "C",
- "name": "Credible",
- "definition": "The report is credible."
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ },
+ "VH": {
+ "key": "VH",
+ "name": "Very High",
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
}
- }
- }
- },
- "RP": {
- "key": "RP",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "2.0.2": {
+ "version": "2.0.2",
"obj": {
"namespace": "ssvc",
- "key": "RP",
- "version": "1.0.0",
- "name": "Report Public",
- "definition": "Is a viable report of the details of the vulnerability already publicly available?",
+ "key": "HI",
+ "version": "2.0.2",
+ "name": "Human Impact",
+ "definition": "Human Impact is a combination of Safety and Mission impacts.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "Y",
- "name": "Yes",
- "definition": "A public report of the vulnerability exists."
+ "key": "L",
+ "name": "Low",
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
},
{
- "key": "N",
- "name": "No",
- "definition": "No public report of the vulnerability exists."
+ "key": "M",
+ "name": "Medium",
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ },
+ {
+ "key": "VH",
+ "name": "Very High",
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
]
},
- "values": {
- "Y": {
- "key": "Y",
- "name": "Yes",
- "definition": "A public report of the vulnerability exists."
+ "values": {
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
},
- "N": {
- "key": "N",
- "name": "No",
- "definition": "No public report of the vulnerability exists."
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ },
+ "VH": {
+ "key": "VH",
+ "name": "Very High",
+ "definition": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
}
}
}
}
},
- "SI": {
- "key": "SI",
+ "MI": {
+ "key": "MI",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "SI",
+ "key": "MI",
"version": "1.0.0",
- "name": "Safety Impact",
- "definition": "The safety impact of the vulnerability.",
+ "name": "Mission Impact",
+ "definition": "Impact on Mission Essential Functions of the Organization",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
- "definition": "The effect is below the threshold for all aspects described in Minor."
+ "definition": "Little to no impact"
},
{
- "key": "M",
- "name": "Minor",
- "definition": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "key": "NED",
+ "name": "Non-Essential Degraded",
+ "definition": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
{
- "key": "J",
- "name": "Major",
- "definition": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "key": "MSC",
+ "name": "MEF Support Crippled",
+ "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
{
- "key": "H",
- "name": "Hazardous",
- "definition": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
+ "key": "MEF",
+ "name": "MEF Failure",
+ "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
{
- "key": "C",
- "name": "Catastrophic",
- "definition": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A."
+ "key": "MF",
+ "name": "Mission Failure",
+ "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
}
]
},
@@ -6053,27 +6508,27 @@
"N": {
"key": "N",
"name": "None",
- "definition": "The effect is below the threshold for all aspects described in Minor."
+ "definition": "Little to no impact"
},
- "M": {
- "key": "M",
- "name": "Minor",
- "definition": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "NED": {
+ "key": "NED",
+ "name": "Non-Essential Degraded",
+ "definition": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
- "J": {
- "key": "J",
- "name": "Major",
- "definition": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "MSC": {
+ "key": "MSC",
+ "name": "MEF Support Crippled",
+ "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
- "H": {
- "key": "H",
- "name": "Hazardous",
- "definition": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
+ "MEF": {
+ "key": "MEF",
+ "name": "MEF Failure",
+ "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
- "C": {
- "key": "C",
- "name": "Catastrophic",
- "definition": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A."
+ "MF": {
+ "key": "MF",
+ "name": "Mission Failure",
+ "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
}
}
},
@@ -6081,544 +6536,654 @@
"version": "2.0.0",
"obj": {
"namespace": "ssvc",
- "key": "SI",
+ "key": "MI",
"version": "2.0.0",
- "name": "Safety Impact",
- "definition": "The safety impact of the vulnerability. (based on IEC 61508)",
+ "name": "Mission Impact",
+ "definition": "Impact on Mission Essential Functions of the Organization",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "Negligible",
- "definition": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "key": "D",
+ "name": "Degraded",
+ "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
},
{
- "key": "M",
- "name": "Marginal",
- "definition": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "key": "MSC",
+ "name": "MEF Support Crippled",
+ "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
{
- "key": "R",
- "name": "Critical",
- "definition": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
+ "key": "MEF",
+ "name": "MEF Failure",
+ "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
},
{
- "key": "C",
- "name": "Catastrophic",
- "definition": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
+ "key": "MF",
+ "name": "Mission Failure",
+ "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "Negligible",
- "definition": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ "D": {
+ "key": "D",
+ "name": "Degraded",
+ "definition": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ },
+ "MSC": {
+ "key": "MSC",
+ "name": "MEF Support Crippled",
+ "definition": "Activities that directly support essential functions are crippled; essential functions continue for a time"
},
+ "MEF": {
+ "key": "MEF",
+ "name": "MEF Failure",
+ "definition": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ },
+ "MF": {
+ "key": "MF",
+ "name": "Mission Failure",
+ "definition": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails"
+ }
+ }
+ }
+ }
+ },
+ "PWI": {
+ "key": "PWI",
+ "versions": {
+ "1.1.0": {
+ "version": "1.1.0",
+ "obj": {
+ "namespace": "ssvc",
+ "key": "PWI",
+ "version": "1.1.0",
+ "name": "Public Well-Being Impact",
+ "definition": "A coarse-grained representation of impact to public well-being.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "M",
+ "name": "Minimal",
+ "definition": "The effect is below the threshold for all aspects described in material. "
+ },
+ {
+ "key": "MA",
+ "name": "Material",
+ "definition": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
+ },
+ {
+ "key": "I",
+ "name": "Irreversible",
+ "definition": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
+ }
+ ]
+ },
+ "values": {
"M": {
"key": "M",
- "name": "Marginal",
- "definition": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ "name": "Minimal",
+ "definition": "The effect is below the threshold for all aspects described in material. "
},
- "R": {
- "key": "R",
- "name": "Critical",
- "definition": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
+ "MA": {
+ "key": "MA",
+ "name": "Material",
+ "definition": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
},
- "C": {
- "key": "C",
- "name": "Catastrophic",
- "definition": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
+ "I": {
+ "key": "I",
+ "name": "Irreversible",
+ "definition": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
}
}
}
}
},
- "SC": {
- "key": "SC",
+ "PSI": {
+ "key": "PSI",
"versions": {
- "1.0.0": {
- "version": "1.0.0",
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
"namespace": "ssvc",
- "key": "SC",
- "version": "1.0.0",
- "name": "Supplier Cardinality",
- "definition": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
+ "key": "PSI",
+ "version": "2.0.0",
+ "name": "Public Safety Impact",
+ "definition": "A coarse-grained representation of impact to public safety.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "O",
- "name": "One",
- "definition": "There is only one supplier of the vulnerable component."
+ "key": "M",
+ "name": "Minimal",
+ "definition": "Safety Impact:(None OR Minor)"
+ },
+ {
+ "key": "S",
+ "name": "Significant",
+ "definition": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
+ }
+ ]
+ },
+ "values": {
+ "M": {
+ "key": "M",
+ "name": "Minimal",
+ "definition": "Safety Impact:(None OR Minor)"
+ },
+ "S": {
+ "key": "S",
+ "name": "Significant",
+ "definition": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
+ }
+ }
+ },
+ "2.0.1": {
+ "version": "2.0.1",
+ "obj": {
+ "namespace": "ssvc",
+ "key": "PSI",
+ "version": "2.0.1",
+ "name": "Public Safety Impact",
+ "definition": "A coarse-grained representation of impact to public safety.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "M",
+ "name": "Minimal",
+ "definition": "Safety Impact:Negligible"
},
{
- "key": "M",
- "name": "Multiple",
- "definition": "There are multiple suppliers of the vulnerable component."
+ "key": "S",
+ "name": "Significant",
+ "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
]
},
"values": {
- "O": {
- "key": "O",
- "name": "One",
- "definition": "There is only one supplier of the vulnerable component."
- },
"M": {
"key": "M",
- "name": "Multiple",
- "definition": "There are multiple suppliers of the vulnerable component."
+ "name": "Minimal",
+ "definition": "Safety Impact:Negligible"
+ },
+ "S": {
+ "key": "S",
+ "name": "Significant",
+ "definition": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
}
}
}
},
- "SCON": {
- "key": "SCON",
+ "PVA": {
+ "key": "PVA",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "SCON",
+ "key": "PVA",
"version": "1.0.0",
- "name": "Supplier Contacted",
- "definition": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
+ "name": "Public Value Added",
+ "definition": "How much value would a publication from the coordinator benefit the broader community?",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "No",
- "definition": "The supplier has not been contacted."
+ "key": "L",
+ "name": "Limited",
+ "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
},
{
- "key": "Y",
- "name": "Yes",
- "definition": "The supplier has been contacted."
+ "key": "A",
+ "name": "Ampliative",
+ "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
+ },
+ {
+ "key": "P",
+ "name": "Precedence",
+ "definition": "The publication would be the first publicly available, or be coincident with the first publicly available."
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "No",
- "definition": "The supplier has not been contacted."
+ "L": {
+ "key": "L",
+ "name": "Limited",
+ "definition": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
},
- "Y": {
- "key": "Y",
- "name": "Yes",
- "definition": "The supplier has been contacted."
+ "A": {
+ "key": "A",
+ "name": "Ampliative",
+ "definition": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
+ },
+ "P": {
+ "key": "P",
+ "name": "Precedence",
+ "definition": "The publication would be the first publicly available, or be coincident with the first publicly available."
}
}
}
}
},
- "SE": {
- "key": "SE",
+ "RC": {
+ "key": "RC",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "SE",
+ "key": "RC",
"version": "1.0.0",
- "name": "Supplier Engagement",
- "definition": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
+ "name": "Report Credibility",
+ "definition": "Is the report credible?",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "A",
- "name": "Active",
- "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
+ "key": "NC",
+ "name": "Not Credible",
+ "definition": "The report is not credible."
},
{
- "key": "U",
- "name": "Unresponsive",
- "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
+ "key": "C",
+ "name": "Credible",
+ "definition": "The report is credible."
}
]
},
"values": {
- "A": {
- "key": "A",
- "name": "Active",
- "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
+ "NC": {
+ "key": "NC",
+ "name": "Not Credible",
+ "definition": "The report is not credible."
},
- "U": {
- "key": "U",
- "name": "Unresponsive",
- "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
+ "C": {
+ "key": "C",
+ "name": "Credible",
+ "definition": "The report is credible."
}
}
}
}
},
- "SINV": {
- "key": "SINV",
+ "RP": {
+ "key": "RP",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "SINV",
+ "key": "RP",
"version": "1.0.0",
- "name": "Supplier Involvement",
- "definition": "What is the state of the supplier’s work on addressing the vulnerability?",
+ "name": "Report Public",
+ "definition": "Is a viable report of the details of the vulnerability already publicly available?",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "FR",
- "name": "Fix Ready",
- "definition": "The supplier has provided a patch or fix."
- },
- {
- "key": "C",
- "name": "Cooperative",
- "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
+ "key": "Y",
+ "name": "Yes",
+ "definition": "A public report of the vulnerability exists."
},
{
- "key": "UU",
- "name": "Uncooperative/Unresponsive",
- "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists."
+ "key": "N",
+ "name": "No",
+ "definition": "No public report of the vulnerability exists."
}
]
},
"values": {
- "FR": {
- "key": "FR",
- "name": "Fix Ready",
- "definition": "The supplier has provided a patch or fix."
- },
- "C": {
- "key": "C",
- "name": "Cooperative",
- "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
+ "Y": {
+ "key": "Y",
+ "name": "Yes",
+ "definition": "A public report of the vulnerability exists."
},
- "UU": {
- "key": "UU",
- "name": "Uncooperative/Unresponsive",
- "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists."
+ "N": {
+ "key": "N",
+ "name": "No",
+ "definition": "No public report of the vulnerability exists."
}
}
}
}
},
- "EXP": {
- "key": "EXP",
+ "SI": {
+ "key": "SI",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "EXP",
+ "key": "SI",
"version": "1.0.0",
- "name": "System Exposure",
- "definition": "The Accessible Attack Surface of the Affected System or Service",
+ "name": "Safety Impact",
+ "definition": "The safety impact of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "S",
- "name": "Small",
- "definition": "Local service or program; highly controlled network"
+ "key": "N",
+ "name": "None",
+ "definition": "The effect is below the threshold for all aspects described in Minor."
},
{
- "key": "C",
- "name": "Controlled",
- "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ "key": "M",
+ "name": "Minor",
+ "definition": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
{
- "key": "U",
- "name": "Unavoidable",
- "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ "key": "J",
+ "name": "Major",
+ "definition": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ },
+ {
+ "key": "H",
+ "name": "Hazardous",
+ "definition": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
+ },
+ {
+ "key": "C",
+ "name": "Catastrophic",
+ "definition": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A."
}
]
},
"values": {
- "S": {
- "key": "S",
- "name": "Small",
- "definition": "Local service or program; highly controlled network"
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "The effect is below the threshold for all aspects described in Minor."
+ },
+ "M": {
+ "key": "M",
+ "name": "Minor",
+ "definition": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ },
+ "J": {
+ "key": "J",
+ "name": "Major",
+ "definition": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ },
+ "H": {
+ "key": "H",
+ "name": "Hazardous",
+ "definition": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A."
},
"C": {
"key": "C",
- "name": "Controlled",
- "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
- },
- "U": {
- "key": "U",
- "name": "Unavoidable",
- "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ "name": "Catastrophic",
+ "definition": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A."
}
}
},
- "1.0.1": {
- "version": "1.0.1",
+ "2.0.0": {
+ "version": "2.0.0",
"obj": {
"namespace": "ssvc",
- "key": "EXP",
- "version": "1.0.1",
- "name": "System Exposure",
- "definition": "The Accessible Attack Surface of the Affected System or Service",
+ "key": "SI",
+ "version": "2.0.0",
+ "name": "Safety Impact",
+ "definition": "The safety impact of the vulnerability. (based on IEC 61508)",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "S",
- "name": "Small",
- "definition": "Local service or program; highly controlled network"
+ "key": "N",
+ "name": "Negligible",
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
},
{
- "key": "C",
- "name": "Controlled",
- "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ "key": "M",
+ "name": "Marginal",
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
},
{
- "key": "O",
- "name": "Open",
- "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ "key": "R",
+ "name": "Critical",
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
+ },
+ {
+ "key": "C",
+ "name": "Catastrophic",
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
}
]
},
"values": {
- "S": {
- "key": "S",
- "name": "Small",
- "definition": "Local service or program; highly controlled network"
+ "N": {
+ "key": "N",
+ "name": "Negligible",
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons."
+ },
+ "M": {
+ "key": "M",
+ "name": "Marginal",
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people."
+ },
+ "R": {
+ "key": "R",
+ "name": "Critical",
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A."
},
"C": {
"key": "C",
- "name": "Controlled",
- "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
- },
- "O": {
- "key": "O",
- "name": "Open",
- "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ "name": "Catastrophic",
+ "definition": "Any one or more of these conditions hold.
- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
}
}
}
}
},
- "TI": {
- "key": "TI",
+ "SC": {
+ "key": "SC",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "TI",
+ "key": "SC",
"version": "1.0.0",
- "name": "Technical Impact",
- "definition": "The technical impact of the vulnerability.",
+ "name": "Supplier Cardinality",
+ "definition": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "P",
- "name": "Partial",
- "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
+ "key": "O",
+ "name": "One",
+ "definition": "There is only one supplier of the vulnerable component."
},
{
- "key": "T",
- "name": "Total",
- "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
+ "key": "M",
+ "name": "Multiple",
+ "definition": "There are multiple suppliers of the vulnerable component."
}
]
},
"values": {
- "P": {
- "key": "P",
- "name": "Partial",
- "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
+ "O": {
+ "key": "O",
+ "name": "One",
+ "definition": "There is only one supplier of the vulnerable component."
},
- "T": {
- "key": "T",
- "name": "Total",
- "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
+ "M": {
+ "key": "M",
+ "name": "Multiple",
+ "definition": "There are multiple suppliers of the vulnerable component."
}
}
}
}
},
- "U": {
- "key": "U",
+ "SCON": {
+ "key": "SCON",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "U",
+ "key": "SCON",
"version": "1.0.0",
- "name": "Utility",
- "definition": "The Usefulness of the Exploit to the Adversary",
+ "name": "Supplier Contacted",
+ "definition": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Laborious",
- "definition": "Virulence:Slow and Value Density:Diffuse"
- },
- {
- "key": "E",
- "name": "Efficient",
- "definition": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated"
+ "key": "N",
+ "name": "No",
+ "definition": "The supplier has not been contacted."
},
{
- "key": "S",
- "name": "Super Effective",
- "definition": "Virulence:Rapid and Value Density:Concentrated"
+ "key": "Y",
+ "name": "Yes",
+ "definition": "The supplier has been contacted."
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Laborious",
- "definition": "Virulence:Slow and Value Density:Diffuse"
- },
- "E": {
- "key": "E",
- "name": "Efficient",
- "definition": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated"
+ "N": {
+ "key": "N",
+ "name": "No",
+ "definition": "The supplier has not been contacted."
},
- "S": {
- "key": "S",
- "name": "Super Effective",
- "definition": "Virulence:Rapid and Value Density:Concentrated"
+ "Y": {
+ "key": "Y",
+ "name": "Yes",
+ "definition": "The supplier has been contacted."
}
}
- },
- "1.0.1": {
- "version": "1.0.1",
+ }
+ }
+ },
+ "SE": {
+ "key": "SE",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "U",
- "version": "1.0.1",
- "name": "Utility",
- "definition": "The Usefulness of the Exploit to the Adversary",
+ "key": "SE",
+ "version": "1.0.0",
+ "name": "Supplier Engagement",
+ "definition": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Laborious",
- "definition": "Automatable:No AND Value Density:Diffuse"
- },
- {
- "key": "E",
- "name": "Efficient",
- "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
+ "key": "A",
+ "name": "Active",
+ "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
},
{
- "key": "S",
- "name": "Super Effective",
- "definition": "Automatable:Yes AND Value Density:Concentrated"
+ "key": "U",
+ "name": "Unresponsive",
+ "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Laborious",
- "definition": "Automatable:No AND Value Density:Diffuse"
- },
- "E": {
- "key": "E",
- "name": "Efficient",
- "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
+ "A": {
+ "key": "A",
+ "name": "Active",
+ "definition": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
},
- "S": {
- "key": "S",
- "name": "Super Effective",
- "definition": "Automatable:Yes AND Value Density:Concentrated"
+ "U": {
+ "key": "U",
+ "name": "Unresponsive",
+ "definition": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
}
}
}
}
},
- "VD": {
- "key": "VD",
+ "SINV": {
+ "key": "SINV",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "VD",
+ "key": "SINV",
"version": "1.0.0",
- "name": "Value Density",
- "definition": "The concentration of value in the target",
+ "name": "Supplier Involvement",
+ "definition": "What is the state of the supplier’s work on addressing the vulnerability?",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "D",
- "name": "Diffuse",
- "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
+ "key": "FR",
+ "name": "Fix Ready",
+ "definition": "The supplier has provided a patch or fix."
},
{
"key": "C",
- "name": "Concentrated",
- "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
+ "name": "Cooperative",
+ "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
+ },
+ {
+ "key": "UU",
+ "name": "Uncooperative/Unresponsive",
+ "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists."
}
]
},
"values": {
- "D": {
- "key": "D",
- "name": "Diffuse",
- "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
+ "FR": {
+ "key": "FR",
+ "name": "Fix Ready",
+ "definition": "The supplier has provided a patch or fix."
},
"C": {
"key": "C",
- "name": "Concentrated",
- "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
+ "name": "Cooperative",
+ "definition": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
+ },
+ "UU": {
+ "key": "UU",
+ "name": "Uncooperative/Unresponsive",
+ "definition": "The supplier has not responded, declined to generate a remediation, or no longer exists."
}
}
}
}
},
- "COORDINATE": {
- "key": "COORDINATE",
+ "EXP": {
+ "key": "EXP",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "COORDINATE",
+ "key": "EXP",
"version": "1.0.0",
- "name": "Decline, Track, Coordinate",
- "definition": "The coordinate outcome group.",
+ "name": "System Exposure",
+ "definition": "The Accessible Attack Surface of the Affected System or Service",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "D",
- "name": "Decline",
- "definition": "Decline"
+ "key": "S",
+ "name": "Small",
+ "definition": "Local service or program; highly controlled network"
},
{
- "key": "T",
- "name": "Track",
- "definition": "Track"
+ "key": "C",
+ "name": "Controlled",
+ "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
},
{
- "key": "C",
- "name": "Coordinate",
- "definition": "Coordinate"
+ "key": "U",
+ "name": "Unavoidable",
+ "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
}
]
},
"values": {
- "D": {
- "key": "D",
- "name": "Decline",
- "definition": "Decline"
- },
- "T": {
- "key": "T",
- "name": "Track",
- "definition": "Track"
+ "S": {
+ "key": "S",
+ "name": "Small",
+ "definition": "Local service or program; highly controlled network"
},
"C": {
"key": "C",
- "name": "Coordinate",
- "definition": "Coordinate"
+ "name": "Controlled",
+ "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ },
+ "U": {
+ "key": "U",
+ "name": "Unavoidable",
+ "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
}
}
},
@@ -6626,419 +7191,414 @@
"version": "1.0.1",
"obj": {
"namespace": "ssvc",
- "key": "COORDINATE",
+ "key": "EXP",
"version": "1.0.1",
- "name": "Decline, Track, Coordinate",
- "definition": "The coordinate outcome group.",
+ "name": "System Exposure",
+ "definition": "The Accessible Attack Surface of the Affected System or Service",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "D",
- "name": "Decline",
- "definition": "Do not act on the report."
+ "key": "S",
+ "name": "Small",
+ "definition": "Local service or program; highly controlled network"
},
{
- "key": "T",
- "name": "Track",
- "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
+ "key": "C",
+ "name": "Controlled",
+ "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
},
{
- "key": "C",
- "name": "Coordinate",
- "definition": "Take action on the report."
+ "key": "O",
+ "name": "Open",
+ "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
}
]
},
"values": {
- "D": {
- "key": "D",
- "name": "Decline",
- "definition": "Do not act on the report."
- },
- "T": {
- "key": "T",
- "name": "Track",
- "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
+ "S": {
+ "key": "S",
+ "name": "Small",
+ "definition": "Local service or program; highly controlled network"
},
"C": {
"key": "C",
- "name": "Coordinate",
- "definition": "Take action on the report."
+ "name": "Controlled",
+ "definition": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ },
+ "O": {
+ "key": "O",
+ "name": "Open",
+ "definition": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
}
}
}
}
},
- "DSOI": {
- "key": "DSOI",
+ "TI": {
+ "key": "TI",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "DSOI",
+ "key": "TI",
"version": "1.0.0",
- "name": "Defer, Scheduled, Out-of-Cycle, Immediate",
- "definition": "The original SSVC outcome group.",
+ "name": "Technical Impact",
+ "definition": "The technical impact of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "D",
- "name": "Defer",
- "definition": "Defer"
- },
- {
- "key": "S",
- "name": "Scheduled",
- "definition": "Scheduled"
- },
- {
- "key": "O",
- "name": "Out-of-Cycle",
- "definition": "Out-of-Cycle"
+ "key": "P",
+ "name": "Partial",
+ "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
},
{
- "key": "I",
- "name": "Immediate",
- "definition": "Immediate"
+ "key": "T",
+ "name": "Total",
+ "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
}
]
},
"values": {
- "D": {
- "key": "D",
- "name": "Defer",
- "definition": "Defer"
- },
- "S": {
- "key": "S",
- "name": "Scheduled",
- "definition": "Scheduled"
- },
- "O": {
- "key": "O",
- "name": "Out-of-Cycle",
- "definition": "Out-of-Cycle"
+ "P": {
+ "key": "P",
+ "name": "Partial",
+ "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
},
- "I": {
- "key": "I",
- "name": "Immediate",
- "definition": "Immediate"
+ "T": {
+ "key": "T",
+ "name": "Total",
+ "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
}
}
}
}
},
- "PUBLISH": {
- "key": "PUBLISH",
+ "U": {
+ "key": "U",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
"namespace": "ssvc",
- "key": "PUBLISH",
+ "key": "U",
"version": "1.0.0",
- "name": "Publish, Do Not Publish",
- "definition": "The publish outcome group.",
+ "name": "Utility",
+ "definition": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "Do Not Publish",
- "definition": "Do Not Publish"
+ "key": "L",
+ "name": "Laborious",
+ "definition": "Virulence:Slow and Value Density:Diffuse"
},
{
- "key": "P",
- "name": "Publish",
- "definition": "Publish"
+ "key": "E",
+ "name": "Efficient",
+ "definition": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated"
+ },
+ {
+ "key": "S",
+ "name": "Super Effective",
+ "definition": "Virulence:Rapid and Value Density:Concentrated"
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "Do Not Publish",
- "definition": "Do Not Publish"
+ "L": {
+ "key": "L",
+ "name": "Laborious",
+ "definition": "Virulence:Slow and Value Density:Diffuse"
},
- "P": {
- "key": "P",
- "name": "Publish",
- "definition": "Publish"
+ "E": {
+ "key": "E",
+ "name": "Efficient",
+ "definition": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated"
+ },
+ "S": {
+ "key": "S",
+ "name": "Super Effective",
+ "definition": "Virulence:Rapid and Value Density:Concentrated"
}
}
- }
- }
- }
- }
- },
- "basic": {
- "namespace": "basic",
- "keys": {
- "IKE": {
- "key": "IKE",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "1.0.1": {
+ "version": "1.0.1",
"obj": {
- "namespace": "basic",
- "key": "IKE",
- "version": "1.0.0",
- "name": "Do, Schedule, Delegate, Delete",
- "definition": "The Eisenhower outcome group.",
+ "namespace": "ssvc",
+ "key": "U",
+ "version": "1.0.1",
+ "name": "Utility",
+ "definition": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "D",
- "name": "Delete",
- "definition": "Delete"
+ "key": "L",
+ "name": "Laborious",
+ "definition": "Automatable:No AND Value Density:Diffuse"
},
{
- "key": "G",
- "name": "Delegate",
- "definition": "Delegate"
+ "key": "E",
+ "name": "Efficient",
+ "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
{
"key": "S",
- "name": "Schedule",
- "definition": "Schedule"
- },
- {
- "key": "O",
- "name": "Do",
- "definition": "Do"
+ "name": "Super Effective",
+ "definition": "Automatable:Yes AND Value Density:Concentrated"
}
]
},
"values": {
- "D": {
- "key": "D",
- "name": "Delete",
- "definition": "Delete"
+ "L": {
+ "key": "L",
+ "name": "Laborious",
+ "definition": "Automatable:No AND Value Density:Diffuse"
},
- "G": {
- "key": "G",
- "name": "Delegate",
- "definition": "Delegate"
+ "E": {
+ "key": "E",
+ "name": "Efficient",
+ "definition": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
"S": {
"key": "S",
- "name": "Schedule",
- "definition": "Schedule"
+ "name": "Super Effective",
+ "definition": "Automatable:Yes AND Value Density:Concentrated"
+ }
+ }
+ }
+ }
+ },
+ "VD": {
+ "key": "VD",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
+ "obj": {
+ "namespace": "ssvc",
+ "key": "VD",
+ "version": "1.0.0",
+ "name": "Value Density",
+ "definition": "The concentration of value in the target",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "D",
+ "name": "Diffuse",
+ "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
+ },
+ {
+ "key": "C",
+ "name": "Concentrated",
+ "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
+ }
+ ]
+ },
+ "values": {
+ "D": {
+ "key": "D",
+ "name": "Diffuse",
+ "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
},
- "O": {
- "key": "O",
- "name": "Do",
- "definition": "Do"
+ "C": {
+ "key": "C",
+ "name": "Concentrated",
+ "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
}
}
}
}
},
- "MSCW": {
- "key": "MSCW",
+ "COORDINATE": {
+ "key": "COORDINATE",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "basic",
- "key": "MSCW",
+ "namespace": "ssvc",
+ "key": "COORDINATE",
"version": "1.0.0",
- "name": "MoSCoW",
- "definition": "The MoSCoW (Must, Should, Could, Won't) outcome group.",
+ "name": "Decline, Track, Coordinate",
+ "definition": "The coordinate outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "W",
- "name": "Won't",
- "definition": "Won't"
- },
- {
- "key": "C",
- "name": "Could",
- "definition": "Could"
+ "key": "D",
+ "name": "Decline",
+ "definition": "Decline"
},
{
- "key": "S",
- "name": "Should",
- "definition": "Should"
+ "key": "T",
+ "name": "Track",
+ "definition": "Track"
},
{
- "key": "M",
- "name": "Must",
- "definition": "Must"
+ "key": "C",
+ "name": "Coordinate",
+ "definition": "Coordinate"
}
]
},
"values": {
- "W": {
- "key": "W",
- "name": "Won't",
- "definition": "Won't"
+ "D": {
+ "key": "D",
+ "name": "Decline",
+ "definition": "Decline"
+ },
+ "T": {
+ "key": "T",
+ "name": "Track",
+ "definition": "Track"
},
"C": {
"key": "C",
- "name": "Could",
- "definition": "Could"
- },
- "S": {
- "key": "S",
- "name": "Should",
- "definition": "Should"
- },
- "M": {
- "key": "M",
- "name": "Must",
- "definition": "Must"
+ "name": "Coordinate",
+ "definition": "Coordinate"
}
}
- }
- }
- },
- "VALUE_COMPLEXITY": {
- "key": "VALUE_COMPLEXITY",
- "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ },
+ "1.0.1": {
+ "version": "1.0.1",
"obj": {
- "namespace": "basic",
- "key": "VALUE_COMPLEXITY",
- "version": "1.0.0",
- "name": "Value, Complexity",
- "definition": "The Value/Complexity outcome group.",
+ "namespace": "ssvc",
+ "key": "COORDINATE",
+ "version": "1.0.1",
+ "name": "Decline, Track, Coordinate",
+ "definition": "The coordinate outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
- "name": "Drop",
- "definition": "Drop"
- },
- {
- "key": "R",
- "name": "Reconsider Later",
- "definition": "Reconsider Later"
+ "name": "Decline",
+ "definition": "Do not act on the report."
},
{
- "key": "E",
- "name": "Easy Win",
- "definition": "Easy Win"
+ "key": "T",
+ "name": "Track",
+ "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
},
{
- "key": "F",
- "name": "Do First",
- "definition": "Do First"
+ "key": "C",
+ "name": "Coordinate",
+ "definition": "Take action on the report."
}
]
},
"values": {
"D": {
"key": "D",
- "name": "Drop",
- "definition": "Drop"
- },
- "R": {
- "key": "R",
- "name": "Reconsider Later",
- "definition": "Reconsider Later"
+ "name": "Decline",
+ "definition": "Do not act on the report."
},
- "E": {
- "key": "E",
- "name": "Easy Win",
- "definition": "Easy Win"
+ "T": {
+ "key": "T",
+ "name": "Track",
+ "definition": "Receive information about the vulnerability and monitor for status changes but do not take any overt actions."
},
- "F": {
- "key": "F",
- "name": "Do First",
- "definition": "Do First"
+ "C": {
+ "key": "C",
+ "name": "Coordinate",
+ "definition": "Take action on the report."
}
}
}
}
},
- "YN": {
- "key": "YN",
+ "DSOI": {
+ "key": "DSOI",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "basic",
- "key": "YN",
+ "namespace": "ssvc",
+ "key": "DSOI",
"version": "1.0.0",
- "name": "YesNo",
- "definition": "A Yes/No decision point / outcome group.",
+ "name": "Defer, Scheduled, Out-of-Cycle, Immediate",
+ "definition": "The original SSVC outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "N",
- "name": "No",
- "definition": "No"
+ "key": "D",
+ "name": "Defer",
+ "definition": "Defer"
},
{
- "key": "Y",
- "name": "Yes",
- "definition": "Yes"
+ "key": "S",
+ "name": "Scheduled",
+ "definition": "Scheduled"
+ },
+ {
+ "key": "O",
+ "name": "Out-of-Cycle",
+ "definition": "Out-of-Cycle"
+ },
+ {
+ "key": "I",
+ "name": "Immediate",
+ "definition": "Immediate"
}
]
},
"values": {
- "N": {
- "key": "N",
- "name": "No",
- "definition": "No"
+ "D": {
+ "key": "D",
+ "name": "Defer",
+ "definition": "Defer"
},
- "Y": {
- "key": "Y",
- "name": "Yes",
- "definition": "Yes"
+ "S": {
+ "key": "S",
+ "name": "Scheduled",
+ "definition": "Scheduled"
+ },
+ "O": {
+ "key": "O",
+ "name": "Out-of-Cycle",
+ "definition": "Out-of-Cycle"
+ },
+ "I": {
+ "key": "I",
+ "name": "Immediate",
+ "definition": "Immediate"
}
}
}
}
},
- "LMH": {
- "key": "LMH",
+ "PUBLISH": {
+ "key": "PUBLISH",
"versions": {
"1.0.0": {
"version": "1.0.0",
"obj": {
- "namespace": "basic",
- "key": "LMH",
+ "namespace": "ssvc",
+ "key": "PUBLISH",
"version": "1.0.0",
- "name": "LowMediumHigh",
- "definition": "A Low/Medium/High decision point / outcome group.",
+ "name": "Publish, Do Not Publish",
+ "definition": "The publish outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
- "key": "L",
- "name": "Low",
- "definition": "Low"
- },
- {
- "key": "M",
- "name": "Medium",
- "definition": "Medium"
+ "key": "N",
+ "name": "Do Not Publish",
+ "definition": "Do Not Publish"
},
{
- "key": "H",
- "name": "High",
- "definition": "High"
+ "key": "P",
+ "name": "Publish",
+ "definition": "Publish"
}
]
},
"values": {
- "L": {
- "key": "L",
- "name": "Low",
- "definition": "Low"
- },
- "M": {
- "key": "M",
- "name": "Medium",
- "definition": "Medium"
+ "N": {
+ "key": "N",
+ "name": "Do Not Publish",
+ "definition": "Do Not Publish"
},
- "H": {
- "key": "H",
- "name": "High",
- "definition": "High"
+ "P": {
+ "key": "P",
+ "name": "Publish",
+ "definition": "Publish"
}
}
}
diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py
index 26429be6..935515f9 100644
--- a/src/ssvc/decision_points/base.py
+++ b/src/ssvc/decision_points/base.py
@@ -157,7 +157,9 @@ def value_summaries(self) -> list[str]:
def main():
- print("Please use doctools.py for schema generation and unit tests for verification")
+ print(
+ "Please use doctools.py for schema generation and unit tests for verification"
+ )
if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/basic/__init__.py b/src/ssvc/decision_points/basic/__init__.py
new file mode 100644
index 00000000..ebc4cbfc
--- /dev/null
+++ b/src/ssvc/decision_points/basic/__init__.py
@@ -0,0 +1,22 @@
+"""
+Provides SSVC decision points in the `basic` namespace.
+"""
+
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
diff --git a/src/ssvc/decision_points/basic/base.py b/src/ssvc/decision_points/basic/base.py
new file mode 100644
index 00000000..57a87e32
--- /dev/null
+++ b/src/ssvc/decision_points/basic/base.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+"""
+Provides a base class for decision points in the SSVC 'basic' namespace.
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+from pydantic import BaseModel
+
+from ssvc.decision_points.base import DecisionPoint
+from ssvc.namespaces import NameSpace
+
+
+class BasicDecisionPoint(DecisionPoint, BaseModel):
+ namespace: str = NameSpace.BASIC
diff --git a/src/ssvc/decision_points/basic/near_boundary.py b/src/ssvc/decision_points/basic/near_boundary.py
new file mode 100644
index 00000000..2fc5a28b
--- /dev/null
+++ b/src/ssvc/decision_points/basic/near_boundary.py
@@ -0,0 +1,65 @@
+#!/usr/bin/env python
+"""
+Provides a boolean decision point that can be used to indicate if another value is near a boundary condition.
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.basic.base import BasicDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+JUST_BELOW_BOUNDARY = DecisionPointValue(
+ name="Just Below Boundary",
+ key="JB",
+ definition="The value is just below a boundary condition",
+)
+JUST_ABOVE_BOUNDARY = DecisionPointValue(
+ name="Just Above Boundary",
+ key="JA",
+ definition="The value is just above a boundary condition",
+)
+
+NOT_NEAR_BOUNDARY = DecisionPointValue(
+ name="Not Near Boundary",
+ key="NN",
+ definition="The value is not near a boundary condition",
+)
+BOUNDARY_PROXIMITY = BasicDecisionPoint(
+ name="Boundary Proximity",
+ key="BP",
+ definition="Indicates whether another value is near a boundary condition, indicating that special consideration may be needed.",
+ version="1.0.0",
+ values=(
+ NOT_NEAR_BOUNDARY,
+ JUST_ABOVE_BOUNDARY,
+ JUST_BELOW_BOUNDARY,
+ ),
+)
+
+VERSIONS = (BOUNDARY_PROXIMITY,)
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/basic/probability/__init__.py b/src/ssvc/decision_points/basic/probability/__init__.py
new file mode 100644
index 00000000..26276cf3
--- /dev/null
+++ b/src/ssvc/decision_points/basic/probability/__init__.py
@@ -0,0 +1,20 @@
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+"""Provides basic probability bin decision points."""
diff --git a/src/ssvc/decision_points/basic/probability/cis_wep.py b/src/ssvc/decision_points/basic/probability/cis_wep.py
new file mode 100644
index 00000000..47afab41
--- /dev/null
+++ b/src/ssvc/decision_points/basic/probability/cis_wep.py
@@ -0,0 +1,98 @@
+#!/usr/bin/env python
+"""
+Provides probability-based decision points for SSVC
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.basic.base import BasicDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+# based on https://www.cisecurity.org/ms-isac/services/words-of-estimative-probability-analytic-confidences-and-structured-analytic-techniques
+ALMOST_NO_CHANCE = DecisionPointValue(
+ name="Almost No Chance",
+ key="ANC",
+ definition="Probability < 0.05. Almost no chance, remote",
+)
+
+VERY_UNLIKELY = DecisionPointValue(
+ name="Very Unlikely",
+ key="VU",
+ definition="0.05 <= Probability < 0.20. Very unlikely, highly improbable.",
+)
+
+UNLIKELY = DecisionPointValue(
+ name="Unlikely",
+ key="U",
+ definition="0.20 <= Probability < 0.45. Unlikely, improbable.",
+)
+
+ROUGHLY_EVEN_CHANCE = DecisionPointValue(
+ name="Roughly Even Chance",
+ key="REC",
+ definition="0.45 <= Probability < 0.55. Roughly even chance, roughly even odds.",
+)
+
+LIKELY = DecisionPointValue(
+ name="Likely",
+ key="L",
+ definition="0.55 <= Probability < 0.80. Likely, probable.",
+)
+
+VERY_LIKELY = DecisionPointValue(
+ name="Very Likely",
+ key="VL",
+ definition="0.80 <= Probability < 0.95. Very likely, highly probable.",
+)
+
+ALMOST_CERTAIN = DecisionPointValue(
+ name="Almost Certain",
+ key="AC",
+ definition="0.95 <= Probability. Almost certain, nearly certain.",
+)
+
+CIS_CTI_WEP = BasicDecisionPoint(
+ key="CIS_WEP",
+ version="1.0.0",
+ name="CIS-CTI Words of Estimative Probability",
+ definition="A scale for expressing the likelihood of an event or outcome.",
+ values=(
+ ALMOST_NO_CHANCE,
+ VERY_UNLIKELY,
+ UNLIKELY,
+ ROUGHLY_EVEN_CHANCE,
+ LIKELY,
+ VERY_LIKELY,
+ ALMOST_CERTAIN,
+ ),
+)
+
+VERSIONS = [
+ CIS_CTI_WEP,
+]
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/basic/probability/five_equal.py b/src/ssvc/decision_points/basic/probability/five_equal.py
new file mode 100644
index 00000000..f2017422
--- /dev/null
+++ b/src/ssvc/decision_points/basic/probability/five_equal.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python
+"""
+Provides a 5-level ascending probability scale decision point for SSVC
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.basic.base import BasicDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+P0_20 = DecisionPointValue(
+ name="Less than 20%",
+ key="P0_20",
+ definition="Probability < 0.2",
+)
+P20_40 = DecisionPointValue(
+ name="20% to 40%",
+ key="P20_40",
+ definition="0.2 <= Probability < 0.4",
+)
+P40_60 = DecisionPointValue(
+ name="40% to 60%",
+ key="P40_60",
+ definition="0.4 <= Probability < 0.6",
+)
+P60_80 = DecisionPointValue(
+ name="60% to 80%",
+ key="P60_80",
+ definition="0.6 <= Probability < 0.8",
+)
+P80_100 = DecisionPointValue(
+ name="Greater than 80%",
+ key="P80_100",
+ definition="0.8 <= Probability <= 1.0",
+)
+
+P5A = BasicDecisionPoint(
+ key="P_5A",
+ version="1.0.0",
+ name="Probability Scale in 5 equal levels, ascending",
+ definition="A probability scale with 20% increments",
+ values=(
+ P0_20,
+ P20_40,
+ P40_60,
+ P60_80,
+ P80_100,
+ ),
+)
+
+VERSIONS = [P5A]
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/basic/probability/five_weighted.py b/src/ssvc/decision_points/basic/probability/five_weighted.py
new file mode 100644
index 00000000..54488f09
--- /dev/null
+++ b/src/ssvc/decision_points/basic/probability/five_weighted.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python
+"""
+Provides a 5-level ascending probability scale decision point for SSVC
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.basic.base import BasicDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+P0_30 = DecisionPointValue(
+ name="Less than 30%",
+ key="P0_30",
+ definition="Probability < 0.3",
+)
+P30_55 = DecisionPointValue(
+ name="30% to 55%",
+ key="P30_55",
+ definition="0.3 <= Probability < 0.55",
+)
+P55_75 = DecisionPointValue(
+ name="55% to 75%",
+ key="P55_75",
+ definition="0.55 <= Probability < 0.75",
+)
+P75_90 = DecisionPointValue(
+ name="75% to 90%",
+ key="P75_90",
+ definition="0.75 <= Probability < 0.9",
+)
+P90_100 = DecisionPointValue(
+ name="Greater than 90%",
+ key="P90_100",
+ definition="0.9 <= Probability <= 1.0",
+)
+
+P5W = BasicDecisionPoint(
+ key="P_5W",
+ version="1.0.0",
+ name="Probability Scale in 5 weighted levels, ascending",
+ definition="A probability scale with higher resolution as probability increases",
+ values=(
+ P0_30,
+ P30_55,
+ P55_75,
+ P75_90,
+ P90_100,
+ ),
+)
+
+VERSIONS = [P5W]
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/basic/probability/nist5.py b/src/ssvc/decision_points/basic/probability/nist5.py
new file mode 100644
index 00000000..0249d700
--- /dev/null
+++ b/src/ssvc/decision_points/basic/probability/nist5.py
@@ -0,0 +1,79 @@
+#!/usr/bin/env python
+"""
+Provides a 5-level ascending probability scale decision point for SSVC
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.basic.base import BasicDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+# These ranges are based on NIST SP 800-30 Rev. 1 Appendix G
+
+VERY_HIGH = DecisionPointValue(
+ name="Very High",
+ key="VH",
+ definition="96% <= Probability <= 100%. Almost certain.",
+)
+HIGH = DecisionPointValue(
+ name="High",
+ key="H",
+ definition="80% <= Probability < 96%. Highly likely.",
+)
+MODERATE = DecisionPointValue(
+ name="Moderate",
+ key="M",
+ definition="21% <= Probability < 80%. Somewhat likely.",
+)
+LOW = DecisionPointValue(
+ name="Low",
+ key="L",
+ definition="5% <= Probability < 21%. Unlikely.",
+)
+VERY_LOW = DecisionPointValue(
+ name="Very Low",
+ key="VL",
+ definition="0% <= Probability < 5%. Highly unlikely.",
+)
+
+
+P5X = BasicDecisionPoint(
+ key="P_5X",
+ version="1.0.0",
+ name="Probability Scale in 5 weighted levels, ascending",
+ definition="A probability scale with finer resolution at both extremes",
+ values=(
+ VERY_LOW,
+ LOW,
+ MODERATE,
+ HIGH,
+ VERY_HIGH,
+ ),
+)
+
+VERSIONS = [P5X]
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/basic/probability/two_equal.py b/src/ssvc/decision_points/basic/probability/two_equal.py
new file mode 100644
index 00000000..e5c5309e
--- /dev/null
+++ b/src/ssvc/decision_points/basic/probability/two_equal.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+"""
+Provides a 2-level ascending probability scale decision point for SSVC
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.basic.base import BasicDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+P0_50 = DecisionPointValue(
+ name="Less than 50%",
+ key="LT50",
+ definition="0.0 <= Probability < 0.5",
+)
+P50_100 = DecisionPointValue(
+ name="Greater than 50%",
+ key="GT50",
+ definition="0.5 <= Probability <= 1.0",
+)
+
+P2A = BasicDecisionPoint(
+ key="P_2A",
+ version="1.0.0",
+ name="Probability Scale in 2 equal levels, ascending",
+ definition="A probability scale that divides between less than 50% and greater than or equal to 50%",
+ values=(
+ P0_50,
+ P50_100,
+ ),
+)
+
+VERSIONS = [P2A]
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/basic/quantiles/__init__.py b/src/ssvc/decision_points/basic/quantiles/__init__.py
new file mode 100644
index 00000000..d5494b4d
--- /dev/null
+++ b/src/ssvc/decision_points/basic/quantiles/__init__.py
@@ -0,0 +1,20 @@
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+"""Provides basic quantile bin decision points."""
diff --git a/src/ssvc/decision_points/basic/quantiles/median.py b/src/ssvc/decision_points/basic/quantiles/median.py
new file mode 100644
index 00000000..ce382e0b
--- /dev/null
+++ b/src/ssvc/decision_points/basic/quantiles/median.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+"""
+Provides median-based decision points for SSVC
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.basic.base import BasicDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+BELOW = DecisionPointValue(
+ name="Below Median",
+ key="B",
+ definition="Quantile < 0.50. The lower half of the range of possible values.",
+)
+ABOVE = DecisionPointValue(
+ name="Above Median",
+ key="A",
+ definition="0.50 <= Quantile <= 1.0. The upper half of the range of possible values.",
+)
+
+
+MEDIAN = BasicDecisionPoint(
+ name="Median Split",
+ definition="A median split divides a distribution into two equal parts, with 50% of the values falling below the median and 50% above it.",
+ key="MEDIAN",
+ version="1.0.0",
+ values=(
+ BELOW,
+ ABOVE,
+ ),
+)
+
+VERSIONS = [MEDIAN]
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+ pass
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/basic/quantiles/quartiles.py b/src/ssvc/decision_points/basic/quantiles/quartiles.py
new file mode 100644
index 00000000..dd55b481
--- /dev/null
+++ b/src/ssvc/decision_points/basic/quantiles/quartiles.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python
+"""
+Provides quartile-based decision points for SSVC
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.basic.base import BasicDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+FIRST_QUARTILE = DecisionPointValue(
+ name="First Quartile",
+ key="Q1",
+ definition="Quantile < 0.25. The lowest 25% of the range of possible values.",
+)
+SECOND_QUARTILE = DecisionPointValue(
+ name="Second Quartile",
+ key="Q2",
+ definition="0.25 <= Quantile < 0.50. The second lowest 25% of the range of possible values.",
+)
+THIRD_QUARTILE = DecisionPointValue(
+ name="Third Quartile",
+ key="Q3",
+ definition="0.50 <= Quantile < 0.75. The second highest 25% of the range of possible values.",
+)
+FOURTH_QUARTILE = DecisionPointValue(
+ name="Fourth Quartile",
+ key="Q4",
+ definition="0.75 <= Quantile <= 1.0. The highest 25% of the range of possible values.",
+)
+
+QUARTILES = BasicDecisionPoint(
+ name="Quartiles",
+ definition="A quartile is one of four equal groups that a population can be divided into according to the distribution of values of a particular variable.",
+ key="QUARTILES",
+ version="1.0.0",
+ values=(
+ FIRST_QUARTILE,
+ SECOND_QUARTILE,
+ THIRD_QUARTILE,
+ FOURTH_QUARTILE,
+ ),
+)
+
+VERSIONS = [QUARTILES]
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+ pass
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/basic/quantiles/quintiles.py b/src/ssvc/decision_points/basic/quantiles/quintiles.py
new file mode 100644
index 00000000..39b47608
--- /dev/null
+++ b/src/ssvc/decision_points/basic/quantiles/quintiles.py
@@ -0,0 +1,78 @@
+#!/usr/bin/env python
+"""
+Provides quintile-based decision points for SSVC
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.basic.base import BasicDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+FIRST_QUINTILE = DecisionPointValue(
+ name="First Quintile",
+ key="Q1",
+ definition="Quantile < 0.20. The lowest 20% of the range of possible values.",
+)
+SECOND_QUINTILE = DecisionPointValue(
+ name="Second Quintile",
+ key="Q2",
+ definition="0.20 <= Quantile < 0.40. The second lowest 20% of the range of possible values.",
+)
+THIRD_QUINTILE = DecisionPointValue(
+ name="Third Quintile",
+ key="Q3",
+ definition="0.40 <= Quantile < 0.60. The middle 20% of the range of possible values.",
+)
+FOURTH_QUINTILE = DecisionPointValue(
+ name="Fourth Quintile",
+ key="Q4",
+ definition="0.60 <= Quantile < 0.80. The second highest 20% of the range of possible values.",
+)
+FIFTH_QUINTILE = DecisionPointValue(
+ name="Fifth Quintile",
+ key="Q5",
+ definition="0.80 <= Quantile <= 1.0. The highest 20% of the range of possible values.",
+)
+
+QUINTILES = BasicDecisionPoint(
+ name="Quintiles",
+ definition="A quintile is one of five equal groups that a population can be divided into according to the distribution of values of a particular variable.",
+ key="QUINTILES",
+ version="1.0.0",
+ values=(
+ FIRST_QUINTILE,
+ SECOND_QUINTILE,
+ THIRD_QUINTILE,
+ FOURTH_QUINTILE,
+ FIFTH_QUINTILE,
+ ),
+)
+
+VERSIONS = [QUINTILES]
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+ pass
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/outcomes/basic/__init__.py b/src/ssvc/outcomes/basic/__init__.py
index 482460e8..1444ae29 100644
--- a/src/ssvc/outcomes/basic/__init__.py
+++ b/src/ssvc/outcomes/basic/__init__.py
@@ -21,6 +21,7 @@
"""
from .ike import LATEST as EISENHOWER
+from .lmh import LATEST as LMH
from .mscw import LATEST as MSCW
from .value_complexity import LATEST as VALUE_COMPLEXITY
from .yn import LATEST as YES_NO