National Vulnerability Database

Vulnerability Metrics

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritizing vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one's own systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

The NVD supports both Common Vulnerability Scoring System (CVSS) v2.0 and v3.0 standards. The NVD provides CVSS 'base scores' which represent the innate characteristics of each vulnerability. We do not currently provide 'temporal scores' (metrics that change over time due to events external to the vulnerability) or 'environmental scores' (scores customized to reflect the impact of the vulnerability on your organization). However, the NVD does provide a CVSS score calculator to allow you to add temporal and environmental score data. This calculator contains support for U.S. government agencies to customize vulnerability impact scores based on FIPS 199 system ratings.

Using CVSS support within NVD

  1. Use the NVD CVSS v3 Calculator or the NVD CVSS v2 Calculator.
  2. Click on a CVSS score while viewing a vulnerability detail page to customize that score using temporal and environmental metrics.
  3. Download CVSS scores for all published CVE vulnerabilities from the NVD Data Feeds.

CVSS standards information

  1. FIRST CVSS Homepage
  2. CVSS v3.0 Standard Specification
  3. CVSS v2.0 Standard Specification

NVD Vulnerability Severity Ratings

NVD provides qualitative severity ratings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges, in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.

CVSS v2.0 Ratings

Severity   Base Score Range
Low        0.0-3.9
Medium     4.0-6.9
High       7.0-10.0

CVSS v3.0 Ratings

Severity   Base Score Range
None       0.0
Low        0.1-3.9
Medium     4.0-6.9
High       7.0-8.9
Critical   9.0-10.0

Product Integration into CVSS Calculators

CVSS-compatible products may give their users access to the NVD CVSS calculators by creating a hyperlink that includes the CVSS vector or, optionally, the vulnerability name. This works for base, temporal, and environmental vectors. The hyperlinks should take one of the following forms.

V3 Examples

Example hyperlink to CVSS v3 calculator with vulnerability name:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2016-0051

Example base vector hyperlink to CVSS v3 calculator:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Example base vector hyperlink to CVSS v3 calculator with vulnerability name:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2016-0051&vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Example environmental vector hyperlink to CVSS v3 calculator:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/CR:H/IR:H/AR:M/MAV:L/MAC:L/MPR:N/MUI:R/MS:C/MC:N/MI:N/MA:L

Example temporal vector hyperlink to CVSS v3 calculator:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:T/RC:R

V2 Examples

Example hyperlink to CVSS v2 calculator with vulnerability name:
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2007-1001

Example base vector hyperlink to CVSS v2 calculator:
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:L/AC:H/Au:N/C:N/I:P/A:C)

Example environmental vector hyperlink to CVSS v2 calculator:
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:L/AC:H/Au:N/C:N/I:P/A:C/E:POC/RL:OF/RC:C/CDP:L/TD:M/CR:L/IR:L/AR:H)

Example temporal vector hyperlink to CVSS v2 calculator:
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:L/AC:H/Au:N/C:N/I:P/A:C/E:POC/RL:OF/RC:C)

Please see the CVSS v3 Vector Specification and the CVSS v2 Vector Specification for more details on CVSS product integration.
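The severity tables above and the hyperlink forms in this section, worked through as an added example (this is not NVD's code): it parses a CVSS v3 base vector strictly, computes the v3.0 base score from the metric weights and formulas of the CVSS v3.0 specification (which this page does not reproduce), maps the score to the NVD v3.0 qualitative rating, and builds the calculator hyperlink in the form shown above. All function names are the example's own.

```python
import math
from urllib.parse import urlencode

# Base metric weights from the CVSS v3.0 specification; PR weights depend on Scope (S).
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
     "UI": {"N": 0.85, "R": 0.62}, "S": {"U": 0, "C": 1},
     "C": {"H": 0.56, "L": 0.22, "N": 0.0}, "I": {"H": 0.56, "L": 0.22, "N": 0.0},
     "A": {"H": 0.56, "L": 0.22, "N": 0.0}}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}

def parse_base_vector(vector):
    """Parse 'AV:L/AC:L/PR:L/...' strictly: each base metric exactly once, known values only."""
    m = {}
    for part in vector.split("/"):
        key, _, val = part.partition(":")
        allowed = PR["U"] if key == "PR" else W.get(key)
        if allowed is None or val not in allowed or key in m:
            raise ValueError(f"bad or repeated metric: {part!r}")
        m[key] = val
    missing = (set(W) | {"PR"}) - set(m)
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return m

def roundup(x):
    # CVSS "Round up" to one decimal; rounding to 5 places first avoids float artifacts.
    return math.ceil(round(x * 10, 5)) / 10

def base_score_v3(vector):
    """CVSS v3.0 base score: impact + exploitability, scaled by 1.08 when Scope is changed."""
    m = parse_base_vector(vector)
    changed = m["S"] == "C"
    iss = 1 - (1 - W["C"][m["C"]]) * (1 - W["I"][m["I"]]) * (1 - W["A"][m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * PR[m["S"]][m["PR"]] * W["UI"][m["UI"]]
    return 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def nvd_severity_v3(score):
    """Qualitative rating from the NVD CVSS v3.0 table: None, Low, Medium, High, Critical."""
    for limit, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return label
    return "Critical"

def calculator_link(vector, name=None):
    """NVD v3 calculator hyperlink; ':' and '/' stay unescaped, matching NVD's own examples."""
    params = {"vector": vector} if name is None else {"name": name, "vector": vector}
    return "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?" + urlencode(params, safe=":/")
```

Feeding the page's CVE-2016-0051 base vector through base_score_v3 yields 7.8 (High), and the base portion of the environmental example above yields 4.0 (Medium), which exercises the Scope-changed impact formula.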

NVD Specific CVSS Information

Incomplete Data

With some vulnerabilities, all of the information needed to create CVSS scores may not be available. This typically happens when a vendor announces a vulnerability but declines to provide certain details. In such situations, NVD analysts assign CVSS scores using a worst-case approach. Thus, if a vendor provides no details about a vulnerability, NVD will score that vulnerability as a 10.0 (the highest rating).

Collaboration with Industry

NVD staff are willing to work with the security community on CVSS impact scoring. If you wish to contribute additional information or corrections regarding the NVD CVSS impact scores, please send email to nvd@nist.gov. We actively work with users that provide us feedback.

Legacy CVSS Information

There are currently no plans to associate CVSS v3.0 scores with CVEs that were already analyzed in the NVD prior to 12/20/2015. A subset of CVEs from before this date may be given CVSS v3.0 scores due to special cases or their use as examples in the CVSS v3.0 documentation.

Scores for the CVE vulnerabilities published between 11/10/2005 and 11/30/2006 have been upgraded from CVSS version 1 data. CVSS v1 metrics did not have the granularity of CVSS v2, so these scores are marked as "Version 2.0 upgrade from v1.0" within NVD. While these scores are approximations, they are expected to be reasonably accurate CVSS v2 scores.

Scores provided for the 13,000 CVE vulnerabilities published prior to 11/9/2005 are approximated from only partially available CVSS metric data. Such scores are marked as "Version 2.0 Incomplete approximation" within NVD. In particular, the following CVSS metrics are only partially available for these vulnerabilities and NVD assumes certain values based on an approximation algorithm: Access Complexity, Authentication, Confidentiality Impact of 'partial', Integrity Impact of 'partial', Availability Impact of 'partial', and the impact biases.