NVD - CVSS v3.1 Equations

CVSS v3.1 Equations

The CVSS v3.1 equations are defined below.

Base

The Base Score is a function of the Impact and Exploitability sub score equations. Where the Base score is defined as,

If (Impact sub score <= 0) 0 else,
Scope Unchanged₄   𝑅𝑜𝑢𝑛𝑑𝑢𝑝(𝑀𝑖𝑛𝑖𝑚𝑢𝑚[(𝐼𝑚𝑝𝑎𝑐𝑡 + 𝐸𝑥𝑝𝑙𝑜𝑖𝑡𝑎𝑏𝑖𝑙𝑖𝑡𝑦), 10])
   Scope Changed 𝑅𝑜𝑢𝑛𝑑𝑢𝑝(𝑀𝑖𝑛𝑖𝑚𝑢𝑚[1.08 × (𝐼𝑚𝑝𝑎𝑐𝑡 + 𝐸𝑥𝑝𝑙𝑜𝑖𝑡𝑎𝑏𝑖𝑙𝑖𝑡𝑦), 10])

and the Impact sub score (ISC) is defined as,

   Scope Unchanged 6.42 × 𝐼𝑆𝐶_Base
   Scope Changed 7.52 × [𝐼𝑆𝐶_{𝐵𝑎𝑠𝑒} − 0.029] − 3.25 × [𝐼𝑆𝐶_{𝐵𝑎𝑠𝑒} − 0.02]¹⁵

Where,

   𝐼𝑆𝐶_{𝐵𝑎𝑠𝑒} = 1 − [(1 − 𝐼𝑚𝑝𝑎𝑐𝑡_{𝐶𝑜𝑛𝑓}) × (1 − 𝐼𝑚𝑝𝑎𝑐𝑡_{𝐼𝑛𝑡𝑒𝑔}) × (1 − 𝐼𝑚𝑝𝑎𝑐𝑡_{𝐴𝑣𝑎𝑖𝑙})]

And the Exploitability sub score is,

8.22 × 𝐴𝑡𝑡𝑎𝑐𝑘𝑉𝑒𝑐𝑡𝑜𝑟 × 𝐴𝑡𝑡𝑎𝑐𝑘𝐶𝑜𝑚𝑝𝑙𝑒𝑥𝑖𝑡𝑦 × 𝑃𝑟𝑖𝑣𝑖𝑙𝑒𝑔𝑒𝑅𝑒𝑞𝑢𝑖𝑟𝑒𝑑 × 𝑈𝑠𝑒𝑟𝐼𝑛𝑡𝑒𝑟𝑎𝑐𝑡𝑖𝑜𝑛

Temporal

The Temporal score is defined as,

𝑅𝑜𝑢𝑛𝑑𝑢𝑝(𝐵𝑎𝑠𝑒𝑆𝑐𝑜𝑟𝑒 × 𝐸𝑥𝑝𝑙𝑜𝑖𝑡𝐶𝑜𝑑𝑒𝑀𝑎𝑡𝑢𝑟𝑖𝑡𝑦 × 𝑅𝑒𝑚𝑒𝑑𝑖𝑎𝑡𝑖𝑜𝑛𝐿𝑒𝑣𝑒𝑙 × 𝑅𝑒𝑝𝑜𝑟𝑡𝐶𝑜𝑛𝑓𝑖𝑑𝑒𝑛𝑐𝑒)

Environmental

The environmental score is defined as,

   If (Modified Impact Sub score <= 0) 0 else,

   If Modified Scope is Unchanged Round up(Round up (Minimum [ (M.Impact + M.Exploitability) ,10]) × Exploit Code Maturity × Remediation Level × Report Confidence)

   If Modified Scope is Changed Round up(Round up (Minimum [1.08 × (M.Impact + M.Exploitability) ,10]) × Exploit Code Maturity × Remediation Level × Report Confidence)

And the modified Impact sub score is defined as,

   If Modified Scope is Unchanged 6.42 × [𝐼𝑆𝐶_{𝑀𝑜𝑑𝑖𝑓𝑖𝑒𝑑}]

   If Modified Scope is Changed 7.52 × [𝐼𝑆𝐶_{𝑀𝑜𝑑𝑖𝑓𝑖𝑒𝑑} − 0.029]-3.25× [𝐼𝑆𝐶_{𝑀𝑜𝑑𝑖𝑓𝑖𝑒𝑑} × 0.9731 − 0.02] 13

Where,
   𝐼𝑆𝐶_{𝑀𝑜𝑑𝑖𝑓𝑖𝑒𝑑} = 𝑀𝑖𝑛𝑖𝑚𝑢𝑚 [[1 − (1 − 𝑀. 𝐼𝐶𝑜𝑛𝑓 × 𝐶𝑅) × (1 − 𝑀. 𝐼𝐼𝑛𝑡𝑒𝑔 × 𝐼𝑅) × (1 − 𝑀. 𝐼𝐴𝑣𝑎𝑖𝑙 × 𝐴𝑅)], 0.915]

The Modified Exploitability sub score is,

   8.22 × 𝑀. 𝐴𝑡𝑡𝑎𝑐𝑘𝑉𝑒𝑐𝑡𝑜𝑟 × 𝑀. 𝐴𝑡𝑡𝑎𝑐𝑘𝐶𝑜𝑚𝑝𝑙𝑒𝑥𝑖𝑡𝑦 × 𝑀. 𝑃𝑟𝑖𝑣𝑖𝑙𝑒𝑔𝑒𝑅𝑒𝑞𝑢𝑖𝑟𝑒𝑑 × 𝑀. 𝑈𝑠𝑒𝑟𝐼𝑛𝑡𝑒𝑟𝑎𝑐𝑡𝑖𝑜n

4 Where “Round up” is defined as the smallest number, specified to one decimal place, that is equal to or higher than its input. For example, Round up (4.02) is 4.1; and Round up (4.00) is 4.0.