📂 📊 CVE and CVSS: Basics of vulnerability assessment 📂 📊
- Daniel Eberhorn
- Mar 3
- 3 min read

In cyber security, CVE (Common Vulnerabilities and Exposures) and CVSS (Common Vulnerability Scoring System) are established standards. A CVE gives each publicly known vulnerability a unique identifier; CVSS rates the technical severity of a vulnerability on a scale from 0 to 10. Severity is not the same as risk: a CVSS score does not tell you how likely it is that your systems will actually be exploited. An overview of the background, structure and functionality of CVEs and CVSS.
How is a CVE number assigned?
The assignment of a CVE number follows a clearly defined, standardized and traceable process.
Vulnerability discovery: Security researchers, manufacturers or other parties discover a new security vulnerability.
Reporting to a CNA: The vulnerability is reported to the responsible CVE Numbering Authority (CNA). CNAs are organizations authorized by the CVE Program to assign CVE IDs within a defined scope, such as software vendors (Microsoft, Google, etc.), open source projects, bug bounty platforms and selected security companies. If no CNA covers the affected product, the report goes to a CNA of Last Resort (e.g. MITRE).
Verification of the requirements: The CNA checks whether the report meets the CVE Program's inclusion rules, in particular:
Is the flaw a distinct, independently fixable vulnerability that does not already have a CVE?
Is it security-relevant, i.e. has the vendor acknowledged it, or does the report demonstrate a violation of the product's security policy?
Does it affect a publicly released product, and can it be reproduced and documented?
Assigning a CVE number: If the vulnerability meets the requirements, a CVE number is assigned, e.g. CVE-2024-12345.
Publication and documentation: The CNA publishes the CVE Record in the CVE List (cve.org). A published record must contain at least a description, the affected product and version range, and a reference such as an advisory; fix information is included if available.
A CVE ID is often reserved long before anything is published (for example during coordinated disclosure), and a lookup of such an ID shows only the state RESERVED. Even after publication, further details such as a CVSS score, a CWE classification or remediation advice are frequently added later, either by the CNA or by enrichment sources such as the NVD.
The unit of assignment is the vulnerable codebase, not the product: a flaw in a widely used open source library such as OpenSSL gets one CVE for the library, and every product that bundles that library is affected by the same CVE. If several vendors independently make the same mistake in their own code, each codebase receives its own CVE.
How is a CVE number structured?
A CVE ID consists of three components:
Prefix "CVE": Marks the string as an identifier issued by the CVE Program.
Year: The year in which the CVE ID was reserved or the vulnerability was made public (e.g. 2024).
Sequence number: A number that is unique within that year (e.g. 12345). It has at least four digits and, since the 2014 syntax change, may have five or more (CVE-2021-44228 is a well-known example), so tools must not assume a fixed width. The number carries no meaning beyond uniqueness: it says nothing about severity, order of discovery or any relationship to neighbouring IDs.
Example: CVE-2024-12345.
The year does not have to match the year of discovery or of publication; it refers to when the ID was reserved, so an ID from one year is regularly published in the next.
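As an added example (not part of the original article), the following Python parser encodes the CVE ID syntax described above: a four-digit year, a sequence number of at least four digits that may be longer, and zero-padding only up to four digits. It also extracts every CVE ID from free text such as an advisory or commit message, which is the form in which most practitioners meet these identifiers. The sample advisory text is constructed for this example; CVE-2024-12345 is the article's placeholder and CVE-2021-44228 is the real Log4Shell ID, included only to show a five-digit sequence number.

```python
import re

# CVE ID syntax: "CVE-" + four-digit year + sequence number of at least four
# digits. Since the 2014 syntax change the sequence may be longer; only a
# four-digit sequence is zero-padded (CVE-2014-0001 is valid, CVE-2014-00001 is not).
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")
# Looser pattern for locating candidate IDs in free text (advisories, tickets, commits).
CVE_MENTION_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def parse_cve_id(text: str) -> tuple[int, int]:
    """Return (year, sequence) for a well-formed CVE ID, else raise ValueError.
    Case and surrounding whitespace are normalised because IDs are usually
    copied out of advisories or chat messages."""
    s = text.strip().upper()
    m = CVE_ID_RE.match(s)
    if m is None:
        raise ValueError(f"malformed CVE ID: {text!r}")
    year, seq = m.group("year"), m.group("seq")
    if len(seq) > 4 and seq.startswith("0"):
        raise ValueError(f"sequence number zero-padded beyond four digits: {text!r}")
    if int(year) < 1999:  # the CVE List starts with CVE-1999-0001
        raise ValueError(f"implausible CVE year: {text!r}")
    return int(year), int(seq)


def is_valid_cve_id(text: str) -> bool:
    try:
        parse_cve_id(text)
        return True
    except ValueError:
        return False


def canonical(year: int, seq: int) -> str:
    """Canonical form: upper-case prefix, sequence padded to at least four digits."""
    return f"CVE-{year}-{seq:04d}"


def extract_cve_ids(text: str) -> list[str]:
    """Every valid CVE ID mentioned in free text, canonicalised, de-duplicated,
    in order of first appearance. Look-alikes such as 'VULN-2024-1' and
    over-padded sequence numbers are skipped."""
    found: list[str] = []
    for m in CVE_MENTION_RE.finditer(text):
        if not is_valid_cve_id(m.group(0)):
            continue
        cid = canonical(*parse_cve_id(m.group(0)))
        if cid not in found:
            found.append(cid)
    return found


# Constructed sample text for this example, not taken from any real advisory.
SAMPLE_ADVISORY = (
    "Fixed cve-2024-12345 and CVE-2021-44228 (Log4Shell). "
    "CVE-2024-12345 is mentioned twice; ticket VULN-2024-1 is not a CVE."
)

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_ADVISORY))
    for candidate in ("CVE-2024-12345", "CVE-2024-123", "CVE-2024-00001", "cve-2019-0001"):
        print(f"{candidate:16} valid={is_valid_cve_id(candidate)}")
```

The strict pattern is anchored and used for validation; the loose, case-insensitive pattern is used only for discovery and every hit is re-validated, so a lowercase "cve-2024-12345" pasted from a ticket is found and normalised rather than silently dropped.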
Which vulnerabilities qualify for a CVE?
Not every bug becomes a CVE. Specific criteria apply:
Uniqueness: The flaw must be a distinct, independently fixable vulnerability that does not already have a CVE.
Security impact: It must be security-relevant, i.e. violate the security policy of the affected product, e.g.:
Unauthorized access to systems.
Manipulation or disclosure of sensitive data.
Disruption of the availability of services.
Context: It must affect a publicly released product or component (software, hardware or a service).
Verifiability: It must be reproducible and documentable, or acknowledged by the affected vendor.
The Common Vulnerability Scoring System (CVSS) explained
CVSS, maintained by FIRST, was developed to assess vulnerabilities consistently and to support the prioritization of remediation. This article describes CVSS v3.1 (published in June 2019), which is still the version found on most advisories. Its successor, CVSS v4.0, was published in November 2023 and reorganizes the metric groups (Base, Threat, Environmental and Supplemental), but the ideas below carry over.
The CVSS scale
A CVSS score ranges from 0.0 to 10.0 and maps mechanically to a qualitative severity rating:
None (0.0): No impact on confidentiality, integrity or availability.
Low (0.1–3.9)
Medium (4.0–6.9)
High (7.0–8.9)
Critical (9.0–10.0)
The rating is derived from the number alone. A "High" therefore does not say whether a working exploit exists, whether a patch is available or whether the vulnerable system is reachable; capturing that is what the temporal and environmental metrics below are for.
Calculating a CVSS score
The CVSS score is calculated from metrics in three groups:
Base Score: Rates the intrinsic properties of the vulnerability, independent of time and environment.
Attack Vector (AV): Network, Adjacent (same physical or logical network segment), Local or Physical.
Attack Complexity (AC): Low or High (High means conditions outside the attacker's control must be met, e.g. winning a race).
Privileges Required (PR): None, Low or High.
User Interaction (UI): None or Required.
Scope (S): Unchanged or Changed (the exploit affects resources beyond the security authority of the vulnerable component, e.g. a VM escape that reaches the host).
Impact: Confidentiality (C), Integrity (I) and Availability (A), each rated None, Low or High.
Temporal Score: Adjusts the base score for factors that change over time: Exploit Code Maturity (E), Remediation Level (RL) and Report Confidence (RC).
Environmental Score: Adapts the score to a specific deployment: the base metrics can be overridden with modified values (e.g. Modified Attack Vector, MAV), and the security requirements for confidentiality, integrity and availability (CR, IR, AR) weight each impact according to how important it is for the affected system.
Example of using CVSS
A vulnerability that can be exploited over the network with low complexity, without privileges or user interaction, and that fully compromises confidentiality, integrity and availability (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) scores as follows:
Base Score: 9.8 (Critical).
Temporal Score: 9.6 - a functional exploit is public (E:F), no fix is available yet (RL:U) and the report is confirmed (RC:C). Every temporal factor is at most 1.0, so the temporal score can never exceed the base score: a public exploit keeps the score close to the base value, while an available patch or workaround, an unproven exploit or an unconfirmed report pulls it down.
Environmental Score: 6.5 - the same vulnerability, with the same temporal metrics, on a system that is isolated so that only local access is possible (MAV:L) and whose confidentiality, integrity and availability requirements are all rated Low (CR:L/IR:L/AR:L), for example a non-production test host without sensitive data. Leave the requirements at Medium and the same isolated host scores 8.2; the environmental score is where an organization's own context enters.
Why CVE and CVSS are important together
CVE provides the basis for identifying vulnerabilities, while CVSS assesses their severity and priority. Together, they make it possible not only to document vulnerabilities, but also to respond to them in a targeted manner.
For companies this means:
Transparency: Vulnerabilities can be clearly identified and communicated.
Prioritization: Severity ratings show which vulnerabilities deserve attention first. Because the base score describes a generic worst case, ranking by base score alone over-prioritizes flaws on unreachable systems and under-prioritizes actively exploited ones; the temporal and environmental metrics exist precisely to fold in the company's own exposure.
Conclusion
CVE and CVSS are indispensable mechanisms in cyber security. They create standardization and transparency and help to efficiently assess risks. The use of both systems is essential to keep pace with the growing complexity of modern IT environments. The interaction of clear identification (CVE) and uniform assessment (CVSS) enables companies to take targeted measures and effectively implement their security strategy.