Exploitability metrics (CVSS v2 base)

| Access vector (exploit) | Access complexity | Authentication |
|---|---|---|
| network. Worst: can be exploited over a network (Internet or intranet), aka "remotely exploitable" | low. Worst: very easy to exploit; do not consider the complexity of creating a working exploit (e.g. default passwords, buffer overflows) | none. Worst: the exploit needs no authentication; if the attacker has local shell/terminal access then this should be none |
| adjacent. Worse: can only be exploited on a network link (e.g. wifi, bluetooth, ethernet link) | medium. Worse: not easy, may require timing, special conditions or fooling people (e.g. XSS, phishing) | single. Worse: credentials are checked once during an exploit, or an additional privilege is required (e.g. password prompt, a role account) |
| local. Bad: the exploit requires physical access or a local account (e.g. terminal or shell access) | high. Bad: very difficult to exploit (e.g. requires rare configurations and conditions, fooling knowledgeable people, a lot of resources or good luck) | multiple. Bad: credentials are checked many times or extra privileges are required (the same password may be asked twice) |
Impact metrics (CVSS v2 base)

| Confidentiality | Integrity | Availability |
|---|---|---|
| complete. Worst: the attacker can read anything in the system | complete. Worst: the attacker can modify anything in the system | complete. Worst: the attacker can cause complete denial of service (e.g. system hang, crash or reboot) |
| partial. Bad: the attacker can only read some things (e.g. reading some files, leakage of some bytes) | partial. Bad: the attacker can only modify some things (e.g. add, insert, change, rename or delete something) | partial. Bad: the attacker can disrupt some services (e.g. crashing a service, an application) |
| none. Good: the attacker cannot access any information | none. Good: the attacker cannot modify anything | none. Good: the attacker cannot disrupt any service |
Copyright 2011 © Chandan
Free to use; Copy, modification or use in other sites requires attribution or link back to this site; Share alike.
CVSS (Common Vulnerability Scoring System) is a free and open standard. It is under the custodial care of FIRST (the Forum of Incident Response and Security Teams).