CVSS Scoring
Vulnerabilities in AppCheck are generally rated based on their score under the Common Vulnerability Scoring System (CVSS), an open framework for communicating the characteristics and severity of software vulnerabilities. The Base metrics produce a score ranging from 0 to 10, derived from a CVSS "vector" (a formula) that considers a number of factors such as the complexity required to exploit the vulnerability and whether it can be exploited remotely.
NVD provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS score ranges; for example, "Medium" maps to a CVSS score of 4.0-6.9.
| Severity | Description & CVSS Score |
| --- | --- |
| High | Successful exploitation could lead to highly privileged access to the target host or cause a denial of service condition. Vulnerabilities are labelled "High" severity if they have a CVSS base score of 7.0-10.0. |
| Medium | Exploitation of the vulnerability will not directly lead to privileged access to the host, service or data. However, vulnerabilities with a Medium impact can often be combined with other flaws to elevate their impact. Vulnerabilities are labelled "Medium" severity if they have a CVSS base score of 4.0-6.9. |
| Low | This impact rating is assigned to vulnerabilities that, when exploited in isolation, have a negligible impact on security. Typically, vulnerabilities that disclose information that may be useful to an attacker are considered to have a low impact. Vulnerabilities are labelled "Low" severity if they have a CVSS base score of 0.0-3.9. |
Exceptions
CVSS scores are generally well suited as a standard measurement system for providing accurate and consistent vulnerability severity scores that can be used to factor in prioritization of vulnerability remediation activities. Sometimes, however, there may be a vulnerability for which AppCheck believes that the CVSS score as calculated by the CVSS vector calculation does not properly represent the true risk to customers from exploitation of the vulnerability.
A typical example might be that a given application is vulnerable to cross-site scripting (XSS) and that the site's session cookie is not protected with the HttpOnly flag. In this scenario, an attacker would be able to take advantage of the XSS to capture the user's session cookie, which they could then replay to gain access to the victim user's session. This is a very serious exploit that can lead to complete access by the attacker to all customer data, yet by CVSS vector calculation the two issues would score perhaps a 4.3 (Medium) and 0 (Low/Informational) respectively.
AppCheck Approach (Adjusted CVSS)
At AppCheck we therefore set our vulnerability scores (Low/Medium/High) based upon industry-accepted consideration of the risk from each vulnerability class. In most cases the scoring does correlate to the mapping of CVSS score to risk (as in the table above), but in some cases it does not. The most common vulnerabilities to have a mismatch are XSS and related vulnerabilities such as HTML5 CORS configuration issues.