
CVSS Vector Definitions

Every application or service that uses the Common Vulnerability Scoring System (CVSS) should provide not only the CVSS score, but also a vector describing the components from which the score was calculated. The vector gives users of the score confidence in its correctness and insight into the nature of the vulnerability.

CVSS vectors always include base metrics and may contain temporal metrics. See the CVSS standard's guide for detailed descriptions of CVSS metrics and their possible values.


CVSS Base Vectors

CVSS vectors containing only base metrics take the following form:
(AV:[R,L]/AC:[H,L]/Au:[R,NR]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]/B:[N,C,I,A])

The letters within brackets represent possible values of a CVSS metric. Exactly one option must be chosen for each set of brackets. Letters not within brackets are mandatory and must be included in order to create a valid CVSS vector. Each letter or pair of letters is an abbreviation for a metric or metric value within CVSS. These abbreviations are defined below.

Example 1: (AV:L/AC:H/Au:NR/C:N/I:P/A:C/B:C)
Example 2: (AV:R/AC:L/Au:R/C:C/I:N/A:P/B:N)

Metric: AV = AccessVector (Related exploit range)
Possible Values: R = Remote, L = Local

Metric: AC = AccessComplexity (Required attack complexity)
Possible Values: H = High, L = Low

Metric: Au = Authentication (Level of authentication needed to exploit)
Possible Values: R = Required, NR = Not Required

Metric: C = ConfImpact (Confidentiality impact)
Possible Values: N = None, P = Partial, C = Complete

Metric: I = IntegImpact (Integrity impact)
Possible Values: N = None, P = Partial, C = Complete

Metric: A = AvailImpact (Availability impact)
Possible Values: N = None, P = Partial, C = Complete

Metric: B = ImpactBias (Impact value weighting)
Possible Values: N = Normal, C = Confidentiality, I = Integrity, A = Availability


CVSS Temporal Vectors

CVSS vectors containing temporal metrics are formed by appending the temporal metrics to the base vector. The temporal metrics appended to the base vector take the following form:
/E:[U,P,F,H]/RL:[O,T,W,U]/RC:[U,Uc,C]

Example 1: (AV:L/AC:H/Au:NR/C:N/I:P/A:C/B:C/E:U/RL:O/RC:U)
Example 2: (AV:R/AC:L/Au:R/C:C/I:N/A:P/B:N/E:P/RL:T/RC:Uc)

Metric: E = Exploitability (Availability of exploit)
Possible Values: U = Unproven, P = Proof-of-concept, F = Functional, H = High

Metric: RL = RemediationLevel (Type of fix available)
Possible Values: O = Official-fix, T = Temporary-fix, W = Workaround, U = Unavailable

Metric: RC = ReportConfidence (Level of verification that the vulnerability exists)
Possible Values: U = Unconfirmed, Uc = Uncorroborated, C = Confirmed


CVSS Vectors and CVSS Compatible Products

CVSS-compatible products may give their users access to the NVD CVSS calculator by creating a hyperlink that includes the CVSS vector and, optionally, the vulnerability name. This works for both base and temporal vectors. The hyperlinks should take one of the following forms.

Example base vector hyperlinks to CVSS calculator (with and without vulnerability name):
1. http://nvd.nist.gov/cvss.cfm?vector=(AV:L/AC:H/Au:NR/C:N/I:P/A:C/B:C)
2. http://nvd.nist.gov/cvss.cfm?name=example&vector=(AV:L/AC:H/Au:NR/C:N/I:P/A:C/B:C)

Example temporal vector hyperlinks to CVSS calculator (with and without vulnerability name):
1. http://nvd.nist.gov/cvss.cfm?vector=(AV:L/AC:H/Au:NR/C:N/I:P/A:C/B:C/E:U/RL:O/RC:U)
2. http://nvd.nist.gov/cvss.cfm?name=example&vector=(AV:L/AC:H/Au:NR/C:N/I:P/A:C/B:C/E:U/RL:O/RC:U)
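
A product that accepts vectors from feeds or user input can check them against the grammar above before storing them or building a calculator link. The following is an added example, not NVD code: the function names are hypothetical, and it assumes that abbreviations are case-sensitive and that the three temporal metrics always appear together.

```python
from urllib.parse import urlencode

# Metric order and allowed values, exactly as listed on this page.
BASE = [("AV", {"R", "L"}), ("AC", {"H", "L"}), ("Au", {"R", "NR"}),
        ("C", {"N", "P", "C"}), ("I", {"N", "P", "C"}), ("A", {"N", "P", "C"}),
        ("B", {"N", "C", "I", "A"})]
TEMPORAL = [("E", {"U", "P", "F", "H"}), ("RL", {"O", "T", "W", "U"}),
            ("RC", {"U", "Uc", "C"})]
CALCULATOR = "http://nvd.nist.gov/cvss.cfm"


def parse_vector(vector):
    """Return {metric: value} in vector order, or raise ValueError."""
    if not (vector.startswith("(") and vector.endswith(")")):
        raise ValueError("vector must be wrapped in parentheses")
    parts = vector[1:-1].split("/")
    if len(parts) == len(BASE):
        schema = BASE
    elif len(parts) == len(BASE) + len(TEMPORAL):
        schema = BASE + TEMPORAL  # assumption: E, RL and RC appear together
    else:
        raise ValueError("expected 7 base metrics, optionally plus 3 temporal")
    parsed = {}
    for part, (metric, allowed) in zip(parts, schema):
        name, sep, value = part.partition(":")
        if not sep or name != metric:  # mandatory letters, in fixed order
            raise ValueError(f"expected metric {metric!r}, got {part!r}")
        if value not in allowed:  # assumption: case-sensitive ('Uc' != 'UC')
            raise ValueError(f"{metric}: {value!r} not in {sorted(allowed)}")
        parsed[metric] = value
    return parsed


def calculator_link(vector, name=None):
    """Validate the vector, then build the calculator hyperlink."""
    parse_vector(vector)  # refuse to link anything that is not well formed
    params = {"name": name} if name is not None else {}
    params["vector"] = vector
    # Keep the vector's own punctuation literal, as in the page's examples;
    # anything else (such as '&' or '=' in a name) is percent-encoded so it
    # cannot add or override query parameters.
    return CALCULATOR + "?" + urlencode(params, safe="():/")


if __name__ == "__main__":
    sample = "(AV:R/AC:L/Au:R/C:C/I:N/A:P/B:N/E:P/RL:T/RC:Uc)"  # page example
    print(parse_vector(sample))
    print(calculator_link(sample, name="example"))
```
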


NIST Computer Security Resource Center (CSRC)

NIST is an Agency of the U.S. Commerce Department
