CVSS Vector Strings

CVSS Base and Temporal scores are represented as a numeric value and also as a vector string. The vector string is a textual representation of the metric values used to determine the score.

You'll see CVSS scores and vector strings when you view Vulnerability Information for any QID in the KnowledgeBase and in your scan reports. Not seeing CVSS scores? CVSS Scoring must be enabled for the subscription by a Manager user.

Sample Vector Strings

Here are sample CVSS scores followed by vector strings. (Note: CVSS represents CVSS version 2 and CVSS3 represents CVSS version 3.)

CVSS Base: 5.5   AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Temporal: 4.3   E:POC/RL:OF/RC:C

CVSS3 Base: 6.4   AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVSS3 Temporal: 5.8   E:P/RL:O/RC:C

Vector string format

metric:value/metric:value/metric:value/metric:value/metric:value/metric:value

where / is the separator between metric:value pairs

Use the table below to look up metric values in a vector string

For example, the CVSS v2 base vector string "AV:N/AC:L/Au:S/C:P/I:P/A:N" has these values:

AV:N indicates the Access Vector metric has a value of Network.

AC:L indicates the Access Complexity metric has a value of Low.

Au:S indicates the Authentication metric has a value of Single.

C:P indicates the Confidentiality Impact metric has a value of Partial.

I:P indicates the Integrity Impact metric has a value of Partial.

A:N indicates the Availability Impact metric has a value of None.

 

Metric Values

The CVSS v2 and v3 metric values as defined by the CVSS standard are listed below.

CVSS v2: Base Score Metrics

Metric Value

Displayed as

Access Vector (AV)

Local

L

Adjacent Network

A

Network

N

Access Complexity (AC)

Low

L

Medium  

M

High

H

Authentication (Au)

None

N

Single

S

Multiple

M

Confidentiality Impact (C)

None

N

Partial

P

Complete

C

Integrity Impact (I)

None

N

Partial

P

Complete

C

Availability Impact (A)

None

N

Partial

P

Complete

C

CVSS v2: Temporal Score Metrics

Metric Value

Displayed as

Exploitability (E)

Not Defined

ND

Unproven

U

Proof-of-Concept

POC

Functional  

F

High

H

Remediation Level (RL)

Not Defined

ND

Official Fix  

OF

Temporary Fix

TF

Workaround

W

Unavailable

U

Report Confidence (RC)

Not Defined

ND

Unconfirmed

UC

Uncorroborated

UR

Confirmed

C

CVSS v3: Base Score Metrics

Metric Value

Displayed as

Attack Vector (AV)

Network

N

Adjacent Network

A

Local

L

Physical

P

Attack Complexity (AC)

Low

L

High  

H

Privileges Required (PR)

None

N

Low

L

High

H

User Interaction (UI)

None

N

Required

R

Scope

Unchanged

U

Changed

C

Confidentiality Impact (C)

None  

N

Low

L

High

H

Integrity Impact (I)

None  

N

Low

L

High

H

Availability Impact (A)

None

N

Low

L

High

H

CVSS v3: Temporal Score Metrics

Metric Value

Displayed as

Exploit Code Maturity (E)

Not Defined

X

Unproven

U

Proof-of-Concept

P

Functional

F

High

H

Remediation Level (RL)

Not Defined

X

Official Fix

O

Temporary Fix

T

Workaround  

W

Unavailable

U

Report Confidence (RC)

Not Defined  

X

Unknown

U

Reasonable  

R

Confirmed

C