CVSS Calculator 3.0
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. CVSS 3.0 is the latest version of this standard, offering more precise metrics for assessing vulnerability impact.
What is CVSS 3.0?
CVSS 3.0 is a standardized method for assessing the severity of software vulnerabilities. It provides a numerical score (from 0 to 10) that reflects the characteristics of a vulnerability, including its exploitability, impact, and remediation level.
The scoring system is based on three metric groups:
- Base metrics - Characteristics of a vulnerability that are constant over time
- Temporal metrics - Characteristics of a vulnerability that change over time
- Environmental metrics - Characteristics of a vulnerability that are unique to a user's environment
This calculator focuses on the base metrics, which are the most commonly used in vulnerability assessments.
How to Use This Calculator
To calculate a CVSS 3.0 score, follow these steps:
- Select the appropriate values for each of the base metrics
- Click the "Calculate" button
- Review the resulting score and severity rating
- Use the chart to visualize the impact of different metric values
Note: This calculator uses the base metrics only. For a complete CVSS assessment, you would also need to consider temporal and environmental metrics.
CVSS Metrics Explained
Exploitability Metrics
These metrics describe the ease and technical means by which the vulnerability can be exploited.
| Metric | Description |
|---|---|
| Attack Vector (AV) | How the vulnerability is exploited (Network, Adjacent Network, Local, Physical) |
| Attack Complexity (AC) | How complex the attack is (Low, High) |
| Privileges Required (PR) | Level of privileges an attacker needs (None, Low, High) |
| User Interaction (UI) | Whether user interaction is required (None, Required) |
Impact Metrics
These metrics describe the impact on the confidentiality, integrity, and availability of a system if the vulnerability is exploited.
| Metric | Description |
|---|---|
| Scope (S) | Whether a vulnerability in one software component affects resources in other components (Unchanged, Changed) |
| Confidentiality Impact (C) | Impact on confidentiality (None, Low, High) |
| Integrity Impact (I) | Impact on integrity (None, Low, High) |
| Availability Impact (A) | Impact on availability (None, Low, High) |
Base Score Formula:
BaseScore = round_to_1_decimal(min((3.04 × Impact + 0.95 × Exploitability + 1.04), 10.0))
where:
- Impact = 10.0 × (1.0 - ((1.0 - C) × (1.0 - I) × (1.0 - A)))
- Exploitability = 8.22 × AV × AC × PR × UI
Scoring Examples
Here are some examples of how different metric combinations result in different CVSS scores:
Example 1: Low Severity Vulnerability
AV: Network, AC: High, PR: None, UI: None, S: Unchanged, C: None, I: None, A: Low
Resulting Score: 2.8
This represents a vulnerability that is difficult to exploit but has some impact on availability.
Example 2: Medium Severity Vulnerability
AV: Local, AC: Low, PR: Low, UI: None, S: Unchanged, C: Low, I: Low, A: Low
Resulting Score: 5.3
This represents a vulnerability that is relatively easy to exploit and has some impact on confidentiality, integrity, and availability.
Example 3: High Severity Vulnerability
AV: Network, AC: Low, PR: None, UI: None, S: Changed, C: High, I: High, A: High
Resulting Score: 9.8
This represents a critical vulnerability that is easy to exploit and has significant impact on confidentiality, integrity, and availability.
Frequently Asked Questions
What is the difference between CVSS 2.0 and CVSS 3.0?
CVSS 3.0 introduces several improvements over CVSS 2.0, including:
- More precise metrics for assessing vulnerability impact
- Better handling of network topology and component interactions
- More accurate scoring of vulnerabilities with different impact levels
- Support for new types of vulnerabilities that weren't covered in CVSS 2.0
How do I interpret the CVSS score?
CVSS scores are typically interpreted as follows:
- 0.0 - 3.9: Low severity
- 4.0 - 6.9: Medium severity
- 7.0 - 8.9: High severity
- 9.0 - 10.0: Critical severity
The score provides a relative measure of the severity of a vulnerability compared to others.
Can I use this calculator for temporal and environmental metrics?
This calculator focuses on the base metrics only. For a complete CVSS assessment, you would need to consider temporal and environmental metrics as well.
How often should I reassess vulnerability scores?
Vulnerability scores should be reassessed whenever there are changes to the vulnerability, its exploitability, or the environment in which it exists. This could include:
- New patches or updates that address the vulnerability
- Changes to the network topology or security controls
- New information about the vulnerability's impact