CVSS scores
The CVSS score reflects the overall security impact of a vulnerability, and is a composite score that reflects the metrics in three distinct categories: Base, Temporal, and Environmental.
The score is calculated based on the information (for example, values) that is available for one or more of these metrics. The more information that is available in each metric, the more focused the CVSS score becomes. In AppScan Enterprise, the values for each metric are mapped to the attributes of an issue (security vulnerability) or the application where the issue was found. These attributes cannot be deleted or modified in AppScan Enterprise, although you can modify their values.
Metrics group | Metrics name | Issue or Application attribute | Definition required to calculate the CVSS score | Metric description |
---|---|---|---|---|
Base | Access Vector | Issue | Yes | Whether the vulnerability can be exploited only locally, also from adjacent networks, or from any network connection ("remotely exploitable"). |
Base | Access Complexity | Issue | Yes | The difficulty that is involved in exploiting this vulnerability. |
Base | Authentication | Issue | Yes | The number of times that an attacker must authenticate to a target to exploit the vulnerability. |
Base | Confidentiality Impact | Issue | Yes | The impact on confidentiality if this vulnerability is successfully exploited. |
Base | Integrity Impact | Issue | Yes | The extent to which system integrity (the accuracy of information that is supplied by the application) is compromised if this vulnerability is successfully exploited. |
Base | Availability Impact | Issue | Yes | The impact on the availability of information resources if this vulnerability is successfully exploited. |
Temporal | Exploitability | Issue | No* | The current state of exploit techniques or exploit code availability. |
Temporal | Remediation Level | Issue | No* | The level of remediation available to protect against the vulnerability. |
Temporal | Report Confidence | Issue | No* | The degree of confidence in the existence and technical details of the vulnerability. |
Environmental (these metrics also contribute to the overall severity rating of the application) | Collateral Damage Potential | Application | No* | The potential for damage or theft if the application is vulnerable. |
Environmental | Target Distribution | Application | No* | The proportion of systems in the environment that are potential targets. |
Environmental | Availability Requirement | Application | No* | The relative importance of availability of information. |
Environmental | Confidentiality Requirement | Application | No* | The relative importance of confidentiality of user information. |
Environmental | Integrity Requirement | Application | No* | The relative importance of integrity, or accuracy, of information. |
- * While it is not a requirement that these attributes be defined, the CVSS score is more focused when more metrics are defined to describe the issue.
- Any optional attribute that is not defined is not included in the CVSS score calculation.
- The CVSS score cannot be calculated if any required attribute is not defined. In this case, the issue severity is categorized as Undetermined.
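The following is an added example, not AppScan Enterprise code, that applies the rules above to the Base and Temporal metric groups: a missing required (Base) metric makes the score Undetermined, while a missing optional (Temporal) metric is left out of the calculation by treating it as Not Defined. It assumes the metric names in the table map onto the CVSS v2.0 metrics and uses the v2.0 formulas and metric values; the vector strings are constructed sample input.

```python
"""CVSS v2 Base and Temporal score calculation (added example, not AppScan code)."""
import math

# Metric values from the CVSS v2.0 specification (assumed to match the table above).
BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},     # Confidentiality Impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},     # Integrity Impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},     # Availability Impact
}
TEMPORAL = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0},    # Exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0},  # Remediation Level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0},             # Report Confidence
}


def _round1(x):
    # Round half up to one decimal place, as the specification does.
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """Parse 'AV:N/AC:L/...' into a dict; metrics absent from the string stay absent."""
    return dict(part.split(":", 1) for part in vector.split("/") if ":" in part)


def base_score(m):
    """Return the Base score, or None (Undetermined) if any required metric is missing."""
    if any(m.get(k) not in BASE[k] for k in BASE):
        return None
    impact = 10.41 * (1 - (1 - BASE["C"][m["C"]]) * (1 - BASE["I"][m["I"]])
                      * (1 - BASE["A"][m["A"]]))
    exploitability = 20 * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def temporal_score(m):
    """Temporal score; an optional metric that is not defined contributes a factor of 1.0."""
    base = base_score(m)
    if base is None:
        return None
    factor = 1.0
    for k, table in TEMPORAL.items():
        factor *= table.get(m.get(k, "ND"), 1.0)  # missing or ND: not included
    return _round1(base * factor)
```

With all three Temporal metrics undefined the Temporal score equals the Base score, which is the "not included in the calculation" behaviour described above.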