Copyright Acorn Pass https://acornpass.com - All rights reserved. Do not distribute without license (except cvss4.js which is available under MIT).
You can pass in vector strings through the URL with "#CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/", but invalid vectors passed this way will fail silently.
Score color indicates qualitative bands described below. Maturity color matches the maturity model described below.
| | Base Metric Name (set by vendors) | Base Value | Environmental Metric Name (set by consumers) | Environmental Value | Value Selection Logic | Selected Value |
|---|---|---|---|---|---|---|
| Exploitability | Attack Vector (AV) | | Modified Attack Vector (MAV) | | if MAV then MAV else AV | |
| | Attack Complexity (AC) | | Modified Attack Complexity (MAC) | | if MAC then MAC else AC | |
| | Attack Requirements (AT) | | Modified Attack Requirements (MAT) | | if MAT then MAT else AT | |
| | Privileges Required (PR) | | Modified Privileges Required (MPR) | | if MPR then MPR else PR | |
| | User Interaction (UI) | | Modified User Interaction (MUI) | | if MUI then MUI else UI | |
| | Threat Group (defaulted) | | Threat Group (optional) | | | |
| | DEFAULT Exploit Maturity (E) | Attacked (A) | Exploit Maturity (E) | | Attacked (A) unless defined E | |
| Impact | Security Requirements (defaulted) | | Security Requirements (optional) | | | |
| | DEFAULT Confidentiality Requirements (CR) | High (H) | Confidentiality Requirements (CR) | | High (H) unless defined CR | |
| | DEFAULT Integrity Requirements (IR) | High (H) | Integrity Requirements (IR) | | High (H) unless defined IR | |
| | DEFAULT Availability Requirements (AR) | High (H) | Availability Requirements (AR) | | High (H) unless defined AR | |
| | Vulnerable System | | Modified Vulnerable System | | | |
| | Vulnerable System Confidentiality (VC) | | Modified Vulnerable System Confidentiality (MVC) | | if MVC then MVC else VC | |
| | Vulnerable System Integrity (VI) | | Modified Vulnerable System Integrity (MVI) | | if MVI then MVI else VI | |
| | Vulnerable System Availability (VA) | | Modified Vulnerable System Availability (MVA) | | if MVA then MVA else VA | |
| | Subsequent System | | Modified Subsequent System | | | |
| | Subsequent System Confidentiality (SC) | | Modified Subsequent System Confidentiality (MSC) | | if MSC then MSC else SC | |
| | Subsequent System Integrity (SI) | | Modified Subsequent System Integrity (MSI) * | | if MSI then MSI else SI | |
| | Subsequent System Availability (SA) | | Modified Subsequent System Availability (MSA) * | | if MSA then MSA else SA | |
| Supplemental | Supplemental (optional) | | Supplemental (unscored) | | | |
| | Safety (S) | | | | Not Defined (X) unless S | |
| | Automatable (AU) | | Supplemental metrics are not scored. | | Not Defined (X) unless AU | |
| | Recovery (R) | | | | Not Defined (X) unless R | |
| | Value Density (V) | | Any vendor defined value will be overwritten. | | Not Defined (X) unless V | |
| | Vulnerability Response Effort (RE) | | | | Not Defined (X) unless RE | |
| | Provider Urgency (U) | | | | Not Defined (X) unless U | |

\* These metrics allow higher Safety (S) values than their base counterparts.
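The value selection logic from the table, combined with strict validation so that a malformed vector raises an error instead of failing silently, as an added JavaScript example. It is not taken from cvss4.js: the function names are hypothetical, the accepted values follow the CVSS v4.0 specification, and metric order is not checked.

```javascript
// Added example, not part of cvss4.js. Value sets follow the CVSS v4.0 specification.
const BASE = { AV: "N A L P", AC: "L H", AT: "N P", PR: "N L H", UI: "N P A",
  VC: "H L N", VI: "H L N", VA: "H L N", SC: "H L N", SI: "H L N", SA: "H L N" };
const OPTIONAL = { E: "X A P U", CR: "X H M L", IR: "X H M L", AR: "X H M L" };
const SUPPLEMENTAL = { S: "X N P", AU: "X N Y", R: "X A U I", V: "X D C",
  RE: "X L M H", U: "X Clear Green Amber Red" };
const DEFAULTS = { E: "A", CR: "H", IR: "H", AR: "H" }; // defaults from the table

const ALLOWED = new Map(); // metric name -> accepted values
for (const group of [BASE, OPTIONAL, SUPPLEMENTAL])
  for (const [k, v] of Object.entries(group)) ALLOWED.set(k, v.split(" "));
for (const [k, v] of Object.entries(BASE)) // modified metrics; MSI/MSA also take Safety (S)
  ALLOWED.set("M" + k, ["X", ...v.split(" "), ...(k === "SI" || k === "SA" ? ["S"] : [])]);

// Parse a vector and throw on anything malformed instead of failing silently.
function parseVector(input) {
  const text = input.replace(/^#/, "").replace(/\/$/, ""); // URL form: "#CVSS:4.0/.../"
  const [prefix, ...pairs] = text.split("/");
  if (prefix !== "CVSS:4.0") throw new Error("missing CVSS:4.0 prefix");
  const seen = new Map();
  for (const pair of pairs) {
    const [name, value, ...rest] = pair.split(":");
    const ok = ALLOWED.get(name);
    if (!ok || rest.length || !ok.includes(value)) throw new Error(`invalid metric "${pair}"`);
    if (seen.has(name)) throw new Error(`duplicate metric ${name}`);
    seen.set(name, value);
  }
  for (const name of Object.keys(BASE))
    if (!seen.has(name)) throw new Error(`missing base metric ${name}`);
  return seen;
}

// Apply the "Value Selection Logic" column; X (Not Defined) counts as unset.
function effectiveMetrics(input) {
  const v = parseVector(input);
  const defined = (name) => v.has(name) && v.get(name) !== "X";
  const out = {};
  for (const name of Object.keys(BASE)) // if MAV then MAV else AV
    out[name] = defined("M" + name) ? v.get("M" + name) : v.get(name);
  for (const [name, dflt] of Object.entries(DEFAULTS)) // Attacked/High unless defined
    out[name] = defined(name) ? v.get(name) : dflt;
  return out;
}
```

Because `parseVector` throws, a caller reading the vector from the URL fragment can surface the error message to the user before any score is computed.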
| Helix Maturity Model | Official CVSS Maturity Model | Metrics |
|---|---|---|
| Level 0 | Level 0 | CVSS is not being used at all |
| Level 1 | Level 1 | Base metrics (AV, AC, AT, PR, UI, VC, VI, VA, SC, SI, SA) |
| Level 2 | Level 2 | Exploit Maturity (E) |
| Level 3a | Level 3 | Security Requirements (CR, IR, AR) |
| Level 3b | Level 3 | Modified metrics (MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA) |
| + | N/A | Indicates supplemental metrics are present (S, AU, R, V, RE, U) |

| Qualitative Severity | Lower | Upper | Color |
|---|---|---|---|
| Critical | 9 | 10 | Dark Red |
| High | 7 | 8.9 | Orange |
| Medium | 4 | 6.9 | Yellow-Brown |
| Low | 0.1 | 3.9 | Green |
| None | 0 | 0 | Black |