CVSS scores

The CVSS score reflects the overall security impact of a vulnerability. It is a composite score built from metrics in three distinct categories: Base, Temporal, and Environmental.

The score is calculated from the values that are defined for one or more of these metrics: the more metrics that have a defined value, the more precisely the CVSS score describes the issue. In AppScan Enterprise, each metric is mapped to an attribute of an issue (security vulnerability) or of the application where the issue was found. These attributes cannot be deleted or modified in AppScan Enterprise, although you can change their values.

Table 1. CVSS metrics

| Metrics group | Metric name | Issue or application attribute | Required to calculate the CVSS score | Metric description |
|---|---|---|---|---|
| Base | Access Vector | Issue | Yes | Whether the vulnerability can be exploited only locally, also from adjacent networks, or from any network connection ("remotely exploitable"). |
| Base | Access Complexity | Issue | Yes | The difficulty that is involved in exploiting this vulnerability. |
| Base | Authentication | Issue | Yes | The number of times that an attacker must authenticate to a target to exploit the vulnerability. |
| Base | Confidentiality Impact | Issue | Yes | The impact on confidentiality if this vulnerability is successfully exploited. |
| Base | Integrity Impact | Issue | Yes | The extent to which system integrity (the accuracy of information that is supplied by the application) is compromised if this vulnerability is successfully exploited. |
| Base | Availability Impact | Issue | Yes | The impact on the availability of information resources if this vulnerability is successfully exploited. |
| Temporal | Exploitability | Issue | No* | The current state of exploit techniques or exploit code availability. |
| Temporal | Remediation Level | Issue | No* | The level of remediation available to protect against the vulnerability. |
| Temporal | Report Confidence | Issue | No* | The degree of confidence in the existence and technical details of the vulnerability. |
| Environmental (these metrics also contribute to the overall severity rating of the application) | Collateral Damage Potential | Application | No* | The potential for damage or theft if the application is vulnerable. |
| Environmental | Target Distribution | Application | No* | The proportion of systems in the environment that are potential targets. |
| Environmental | Availability Requirement | Application | No* | The relative importance of availability of information. |
| Environmental | Confidentiality Requirement | Application | No* | The relative importance of confidentiality of user information. |
| Environmental | Integrity Requirement | Application | No* | The relative importance of integrity, or accuracy, of information. |
Note:
  • * While it is not a requirement that these attributes be defined, the CVSS score is more focused when more metrics are defined to describe the issue.
  • Any optional attribute that is not defined is not included in the CVSS score calculation.
  • The CVSS score cannot be calculated if any required attribute is not defined. In this case, the issue severity is categorized as Undetermined.
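The following is an added worked example, not code from the AppScan Enterprise documentation, showing how the three metric groups combine and how the rules in the notes above play out: a missing required (Base) attribute yields "Undetermined" instead of a score, and an undefined optional attribute drops out of the calculation. The metric names on the page are the CVSS v2 names, so the weights and formulas used here are those of the CVSS v2.0 specification (the page itself gives no formulas); the vector-string format (for example AV:N/AC:L/Au:N/C:N/I:N/A:C) and the sample vectors are the usual v2 notation and are constructed for the example.

```python
"""CVSS v2 composite scoring with AppScan-style handling of undefined metrics.

Added example, not from the AppScan Enterprise documentation. Weights and
formulas follow the CVSS v2.0 specification; "Undetermined" mirrors the page's
rule that any missing required (Base) attribute blocks the calculation.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 metric weights. "ND" (not defined) is the neutral weight that makes
# an undefined optional metric drop out of the calculation.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}
BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")          # required
TEMPORAL_METRICS = ("E", "RL", "RC")                      # optional
ENVIRONMENTAL_METRICS = ("CDP", "TD", "CR", "IR", "AR")   # optional


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:N/I:N/A:C' -> dict; an explicit ND counts as undefined."""
    pairs = (part.split(":", 1) for part in vector.split("/") if part)
    return {name: value for name, value in pairs if value != "ND"}


def _round1(x):
    """One decimal place, rounding half up, as the v2 guide's worked examples do."""
    return float(Decimal(str(round(x, 5))).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def _base_score(w, impact):
    """Base equation of the v2 spec, parameterised on the (possibly adjusted) impact."""
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def score(metrics):
    """Return the scores that the defined metrics support.

    Any missing required (Base) metric -> status "Undetermined", no score.
    Temporal / Environmental scores are produced only when at least one metric
    of that group is defined; the undefined ones take the neutral ND weight.
    """
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        return {"status": "Undetermined", "missing": missing}
    w = {m: WEIGHTS[m][metrics.get(m, "ND")] for m in WEIGHTS}  # KeyError on a bad value
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    result = {"status": "Scored", "base": _base_score(w, impact)}
    temporal_factor = w["E"] * w["RL"] * w["RC"]
    if any(m in metrics for m in TEMPORAL_METRICS):
        result["temporal"] = _round1(result["base"] * temporal_factor)
    if any(m in metrics for m in ENVIRONMENTAL_METRICS):
        # Security requirements re-weight the impact; CDP and TD scale the result.
        adjusted_impact = min(10.0, 10.41 * (1 - (1 - w["C"] * w["CR"])
                                                 * (1 - w["I"] * w["IR"])
                                                 * (1 - w["A"] * w["AR"])))
        adjusted_temporal = _round1(_base_score(w, adjusted_impact) * temporal_factor)
        result["environmental"] = _round1(
            (adjusted_temporal + (10 - adjusted_temporal) * w["CDP"]) * w["TD"])
    return result


if __name__ == "__main__":
    # Constructed vectors for a remotely exploitable, unauthenticated availability issue.
    for v in ("AV:N/AC:L/Au:N/C:N/I:N/A:C",
              "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C",
              "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H",
              "AV:N/AC:L/C:N/I:N/A:C"):
        print(v, "->", score(parse_vector(v)))
```

The Temporal score is derived from the already rounded Base score and the Environmental score from the adjusted Temporal score, as the v2 specification prescribes, so defining more optional attributes can only refine the number, never replace the Base score; leaving all six Base attributes defined is what keeps the issue out of the Undetermined category.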