CVSS Calculation explained
In the following we explain our implementation of the CVSS algorithm (used within Security - Incident - CVSS 3.1).
Variable ISS Initialization:
#variableISS(1 1 confidentiality - 1 integrity - * 1 availability - * -)
This line initializes the ISS (Impact Subscore) variable using the formula that incorporates the metrics for confidentiality, integrity, and availability. The formula is expressed in Reverse Polish Notation (RPN): each metric is subtracted from 1, the three results are multiplied together, and the product is subtracted from 1, i.e. 1 - (1 - confidentiality) * (1 - integrity) * (1 - availability). The use of RPN avoids the need for parentheses.
Conditional Impact Calculation Based on Scope:
#if (scope) == (1) { #variableImpact(6.42 $variableISS *) } else { #variableImpact(7.52 $variableISS 0.029 - * 3.25 $variableISS 0.02 - 15 ^ * -) }
This section calculates the Impact based on the scope variable. If the scope is 1 (changed), it multiplies ISS by 6.42. Otherwise, for an unchanged scope, it applies a more complex formula to calculate the impact, 7.52 * (ISS - 0.029) - 3.25 * (ISS - 0.02)^15, again using RPN for the operations.
Return 0 if Impact is Non-positive:
#if ($variableImpact) <= (0) { #return(0) }
This checks if the calculated Impact is less than or equal to 0. If true, it returns a score of 0, indicating no impact.
Privileges Required Variable Adjustments Based on Scope and Privileges Required:
These conditions adjust the variable ToUsePrivilegesRequired based on the combination of scope and privileges-required. Each case assigns a different multiplier, reflecting how the scope and the level of privileges required affect the exploitability of the vulnerability.
Exploitability Calculation:
This line calculates the Exploitability score using the metrics for attack vector, attack complexity, privileges required (adjusted in the previous step), and user interaction. The formula, expressed in RPN, multiplies these factors with the constant 8.22.
Final Score Calculation and Return Based on Scope:
The final section calculates the CVSS Base Score based on whether the scope has changed. For a changed scope, it adds the Impact and Exploitability scores, then applies a minimum function with 10 and rounds up the result. For an unchanged scope, it first multiplies the sum of Impact and Exploitability by 1.08 before applying the minimum function and rounding up.
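
To check the RPN lines quoted above against known scores, the following added example (not part of the original implementation) evaluates them with a small stack-based RPN evaluator and follows the page's branch on scope == 1. The names rpn, roundup, base_score and SAMPLE are hypothetical, the metric weights are taken from the CVSS v3.1 specification, and the round-up step is assumed to be that specification's integer-based Roundup.

```python
import math
import operator

OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul, "^": operator.pow}
# The three RPN expressions quoted on this page.
ISS_EXPR = "1 1 confidentiality - 1 integrity - * 1 availability - * -"
IMPACT_SCOPE_1 = "6.42 $variableISS *"
IMPACT_ELSE = "7.52 $variableISS 0.029 - * 3.25 $variableISS 0.02 - 15 ^ * -"
# Constructed sample input: CVSS v3.1 specification weights for
# AV:N / AC:L / PR:N / UI:N and C:H / I:H / A:H (assumed key names).
SAMPLE = {"confidentiality": 0.56, "integrity": 0.56, "availability": 0.56,
          "av": 0.85, "ac": 0.77, "pr": 0.85, "ui": 0.85}

def rpn(expr, env):
    """Evaluate a whitespace-separated RPN expression; names are looked up in env."""
    stack = []
    for tok in expr.split():
        if tok in OPS:
            if len(stack) < 2:
                raise ValueError(f"operator {tok!r} needs two operands")
            right, left = stack.pop(), stack.pop()
            stack.append(OPS[tok](left, right))
        elif tok in env:
            stack.append(env[tok])
        else:
            stack.append(float(tok))  # raises ValueError for unknown names
    if len(stack) != 1:
        raise ValueError("malformed RPN expression")
    return stack[0]

def roundup(x):
    """Round up to one decimal place without floating-point drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(scope, m):
    """Base score following the page's steps; m['pr'] is the already adjusted value."""
    iss = rpn(ISS_EXPR, m)
    impact = rpn(IMPACT_SCOPE_1 if scope == 1 else IMPACT_ELSE, {"$variableISS": iss})
    if impact <= 0:
        return 0.0
    # Exploitability as described in the prose: 8.22 times the four metrics.
    expl = 8.22 * m["av"] * m["ac"] * m["pr"] * m["ui"]
    total = impact + expl
    return roundup(min(total if scope == 1 else 1.08 * total, 10))

if __name__ == "__main__":
    print(base_score(1, SAMPLE), base_score(0, SAMPLE))
```

In the CVSS v3.1 specification, 6.42 × ISS with no 1.08 factor is the Scope Unchanged case. The sample yields 9.8 on the scope == 1 branch and 10.0 on the other branch, which are the published scores for the S:U and S:C forms of this vector.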