Snapshot of https://www.first.org/cvss/v4.0/specification-document saved on 2025-1-9 14:39.


Common Vulnerability Scoring System version 4.0: Specification Document

Also available in PDF format.

Document Version: 1.2

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of four metric groups: Base, Threat, Environmental, and Supplemental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Threat group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. Base metric values are combined with default values that assume the highest severity for Threat and Environmental metrics to produce a score ranging from 0 to 10. To further refine a resulting severity score, Threat and Environmental metrics can then be amended based on applicable threat intelligence and environmental considerations. Supplemental metrics do not modify the final score, and are used as additional insight into the characteristics of a vulnerability. A CVSS vector string consists of a compressed textual representation of the values used to derive the score. This document provides the official specification for CVSS version 4.0.

The most current CVSS resources can be found at https://www.first.org/cvss/

CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. FIRST reserves the right to update CVSS and this document periodically at its sole discretion. While FIRST owns all rights and interest in CVSS, it licenses it to the public freely for use, subject to the conditions below. Membership in FIRST is not required to use or implement CVSS. FIRST does, however, require that any individual or entity using CVSS give proper attribution, where applicable, that CVSS is owned by FIRST and used by permission. Further, FIRST requires as a condition of use that any individual or entity which publishes CVSS data conforms to the guidelines described in this document and provides both the score and the vector string so others can understand how the score was derived.

Introduction

The Common Vulnerability Scoring System (CVSS) captures the principal technical characteristics of software, hardware and firmware vulnerabilities. Its outputs include numerical scores indicating the severity of a vulnerability relative to other vulnerabilities.

CVSS is composed of four metric groups: Base, Threat, Environmental, and Supplemental. The Base Score reflects the severity of a vulnerability according to its intrinsic characteristics which are constant over time and assumes the reasonable worst-case impact across different deployed environments. The Threat Metrics adjust the severity of a vulnerability based on factors, such as the availability of proof-of-concept code or active exploitation. The Environmental Metrics further refine the resulting severity score to a specific computing environment. They consider factors such as the presence of mitigations in that environment and the criticality attributes of the vulnerable system. Finally, the Supplemental Metrics describe and measure additional extrinsic attributes of a vulnerability, intended to add context.

Base Metrics, and optionally Supplemental Metrics, are provided by the organization maintaining the vulnerable system, or a third party assessment on their behalf. Threat and Environmental information is available to only the end consumer. Consumers of CVSS should enrich the Base metrics with Threat and Environmental metric values specific to their use of the vulnerable system to produce a score that provides a more comprehensive input to risk assessment specific to their organization. Consumers may use CVSS information as input to an organizational vulnerability management process that also considers factors that are not part of CVSS in order to rank the threats to their technology infrastructure and make informed remediation decisions. Such factors may include, but are not limited to: regulatory requirements, number of customers impacted, monetary losses due to a breach, life or property threatened, or reputational impacts of a potential exploited vulnerability. These factors are outside the scope of CVSS.

The benefits of CVSS include the provisioning of a standardized vendor and platform agnostic vulnerability scoring methodology. It is an open framework, providing transparency to the individual characteristics and methodology used to derive a score.

Metrics

CVSS is composed of four metric groups: Base, Threat, Environmental, and Supplemental, each consisting of a set of metrics, as shown in Figure 1.

Figure 1: CVSS Metric Groups

The Base metric group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It is composed of two sets of metrics: the Exploitability metrics and the Impact metrics.

The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. That is, they represent characteristics of the “thing that is vulnerable”, which we refer to formally as the “vulnerable system”. The Impact metrics reflect the direct consequence of a successful exploit, and represent the consequence to the “things that suffer the impact”, which may include impact on the vulnerable system and/or the downstream impact on what is formally called the “subsequent system(s)”.

While the vulnerable system is typically a software application, operating system, module, driver, etc. (or possibly a hardware device), the subsequent system could be any of those examples but also includes human safety. This potential for measuring the impact of a vulnerability other than the vulnerable system, was a key feature introduced with CVSS v3.0. This property (formerly known as “Scope”), is captured by the separation of impacts to the vulnerable system and to subsequent systems, discussed later.

The Threat metric group reflects the characteristics of a vulnerability related to threat that may change over time but not necessarily across user environments. For example, confirmation that the vulnerability has neither been exploited nor has any proof-of-concept exploit code or instructions publicly available will lower the resulting CVSS score. The values found in this metric group may change over time.

The Environmental metric group represents the characteristics of a vulnerability that are relevant and unique to a particular consumer’s environment. Considerations include the presence of security controls which may mitigate some or all consequences of a successful attack, and the relative importance of a vulnerable system within a technology infrastructure.

The Supplemental metric group includes metrics that provide context as well as describe and measure additional extrinsic attributes of a vulnerability. The response to each metric within the Supplemental metric group is to be determined by the CVSS consumer, allowing the usage of an end-user risk analysis system to apply locally significant severity to the metrics and values. No metric will, within its specification, have any impact on the final CVSS score (e.g. CVSS-BTE). Consumer organizations may then assign importance and/or effective impact of each metric, or set/combination of metrics, giving them more, less, or absolutely no effect on the categorization, prioritization, and assessment of the vulnerability. Metrics and values will simply convey additional extrinsic characteristics of the vulnerability itself.

Each of these metrics is discussed in further detail below. The User Guide contains scoring rubrics for the Base Metrics that may be useful when scoring.

Assessment

When the Base metrics are assigned values by an analyst, the Base metrics assessment results in a score ranging from 0.0 to 10.0.

The Base metrics assessment can then be further refined by assessing the Threat and Environmental metrics in order to more accurately reflect the relative severity posed by a vulnerability to a user’s environment at a specific point in time. Assessment of the Threat and Environmental metrics is not required, but is highly recommended for more meaningful results.

Generally, the Base metrics are specified by vulnerability bulletin analysts, product vendors, or application vendors because they typically possess the most accurate information about the characteristics of a vulnerability. The Threat and Environmental metrics are specified by consumer organizations because they are best able to assess the potential impact of a vulnerability within their own computing environment, at a given point in time.

Assessing CVSS metrics also produces a vector string, a textual representation of the metric values used to derive a quantitative score and qualitative rating for the vulnerability. This vector string is a specifically formatted text string that contains each value assigned to each metric, and should be displayed with the vulnerability score.

The scoring assessment and vector string are explained further below.

Note that all metrics should be assessed under the assumption that the attacker has perfect knowledge of the vulnerability. That is, the analyst need not consider the means by which the vulnerability was identified. In addition, it is likely that many different types of individuals will be assessing vulnerabilities (e.g., software vendors, vulnerability bulletin analysts, security product vendors), however, note that CVSS assessment is intended to be agnostic to the individual and their organization.

Nomenclature

Numerical CVSS Scores have very different meanings based on the metrics used to calculate them. Regarding prioritization, the usefulness of a numerical CVSS score is directly proportional to the CVSS metrics leveraged to generate that score. Therefore, numerical CVSS scores should be labeled using nomenclature that communicates the metrics used in its generation.

CVSS Nomenclature    CVSS Metrics Used
CVSS-B               Base metrics
CVSS-BE              Base and Environmental metrics
CVSS-BT              Base and Threat metrics
CVSS-BTE             Base, Threat, Environmental metrics

Additional Notes:

Base Metrics

Exploitability Metrics

As previously mentioned, the Exploitability metrics reflect the characteristics of the “thing that is vulnerable”, which we refer to formally as the vulnerable system. Therefore, each of the Exploitability metrics listed below should be assessed relative to the vulnerable system, and reflect the properties of the vulnerability that lead to a successful attack.

When assessing Base metrics, it should be assumed that the attacker has advanced knowledge of the target system, including general configuration and default defense mechanisms (e.g., built-in firewalls, rate limits, traffic policing). For example, exploiting a vulnerability that results in repeatable, deterministic success should still be considered a Low value for Attack Complexity, independent of the attacker's knowledge or capabilities. Furthermore, target-specific attack mitigation (e.g., custom firewall filters, access lists) should instead be reflected in the Environmental metric scoring group.

Specific configurations should not impact any attribute contributing to the CVSS Base metric assessment, i.e., if a specific configuration is required for an attack to succeed, the vulnerable system should be assessed assuming it is in that configuration.

Attack Vector (AV)

This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity. The list of possible values is presented in Table 1.

Table 1: Attack Vector

Metric Value / Description

Network (N): The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).

Adjacent (A): The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).

Local (L): The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either:

the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or

the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).

Physical (P): The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack[1]) or persistent. An example of such an attack is a cold boot attack in which an attacker gains access to disk encryption keys after physically accessing the target system. Other examples include peripheral attacks via FireWire/USB Direct Memory Access (DMA).

Assessment Guidance: When deciding between Network and Adjacent, if an attack can be launched over a wide area network or from outside the logically adjacent administrative network domain, use Network.

Attack Complexity (AC)

This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system, and does not relate to the amount of time or attempts it would take for an attacker to succeed, e.g. a race condition. If the attacker does not take action to overcome these conditions, the attack will always fail.

The evasion or satisfaction of authentication mechanisms or requisites is included in the Privileges Required assessment and is not considered here as a factor of relevance for Attack Complexity.

Table 2: Attack Complexity

Metric Value / Description

Low (L): The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.

High (H): The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include:

Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention (DEP) must be performed for the attack to be successful.

Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.

As described in Section 2.1, detailed knowledge of the vulnerable system is outside the scope of Attack Complexity. Refer to that section for additional guidance when scoring Attack Complexity when target-specific attack mitigation is present.

Attack Requirements (AT)

This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system. If the attacker does not take action to overcome these conditions, the attack may succeed only occasionally or not succeed at all.

Table 3: Attack Requirements

Metric Value / Description

None (N): The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability.

Present (P): The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. These include:

A race condition must be won to successfully exploit the vulnerability. The success of the attack is conditioned on execution conditions that are not under full control of the attacker. The attack may need to be launched multiple times against a single target before being successful.

Network injection. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim (e.g. vulnerabilities requiring an on-path attacker).

Privileges Required (PR)

This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

The resulting score is greatest if no privileges are required. The list of possible values is presented in Table 4.

Table 4: Privileges Required

Metric Value / Description

None (N): The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

Low (L): The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.

High (H): The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.

Assessment Guidance: Privileges Required is usually None for hard-coded credential vulnerabilities or vulnerabilities requiring social engineering (e.g., reflected cross-site scripting, cross-site request forgery, or file parsing vulnerability in a PDF reader). Default credentials that have not been changed or are not unique across each environment should be treated similarly to hard-coded credentials.

User Interaction (UI)

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required. The list of possible values is presented in Table 5.

Table 5: User Interaction

Metric Value / Description

None (N): The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include:

a remote attacker is able to send packets to a target system

a locally authenticated attacker executes code to elevate privileges

Passive (P): Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system. Examples include:

utilizing a website that has been modified to display malicious content when the page is rendered (most stored XSS or CSRF)

running an application that calls a malicious binary that has been planted on the system

using an application which generates traffic over an untrusted or compromised network (vulnerabilities requiring an on-path attacker)

Active (A): Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability. Examples include:

importing a file into a vulnerable system in a specific manner

placing files into a specific directory prior to executing code

submitting a specific string into a web application (e.g. reflected or self XSS)

dismissing or accepting prompts or security warnings prior to taking an action (e.g. opening/editing a file, connecting a device).

Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Only an increase in access, privileges gained, or other negative outcome as a result of successful exploitation should be considered when assessing the Impact metrics of a vulnerability. For example, consider a vulnerability that requires read-only permissions prior to being able to exploit the vulnerability. After successful exploitation, the attacker maintains the same level of read access, and gains write access. In this case, only the Integrity impact metric should be scored, and the Confidentiality and Availability Impact metrics should be set as None.

Note that when scoring a delta change in impact, the final impact should be used. For example, if an attacker starts with partial access to restricted information (Confidentiality Low) and successful exploitation of the vulnerability results in complete loss in confidentiality (Confidentiality High), then the resultant CVSS Base metric value should reference the “end game” Impact metric value (Confidentiality High).

When identifying values for the impact metrics, assessment providers need to account for impacts both to the Vulnerable System and impacts outside of the Vulnerable System. These impacts are established by two sets of impact metrics: “Vulnerable System impact” and “Subsequent System impact”. When establishing the boundaries for the Vulnerable System metric values, assessment providers should use the conceptual model of a system of interest.

Formally, a system of interest for scoring a vulnerability is defined as the set of computing logic that executes in an environment with a coherent function and set of security policies. The vulnerability exists in one or more components of such a system. A technology product or a solution that serves a purpose or function from a consumer's perspective is considered a system (e.g., a server, workstation, containerized service, etc.).
从形式上讲,用于对漏洞进行评分的关注系统被定义为在具有连贯功能和一组安全策略的环境中执行的一组计算逻辑。该漏洞存在于此类系统的一个或多个组件中。从消费者的角度来看,服务于某种目的或功能的技术产品或解决方案被视为系统(例如,服务器、工作站、容器化服务等)。

When a system provides its functionality solely to another system, or it is designed to be exclusively used by another system, then together they are considered as the system of interest for scoring. For example, a database used solely by a smart speaker is considered a part of that smart speaker system. Both the database and the smart speaker it serves would be considered the vulnerable system if a vulnerability in that database leads to the malfunction of the smart speaker. When a vulnerability does not have impact outside of the vulnerable system assessment providers should leave the subsequent system impact metrics as NONE (N).
当一个系统仅向另一个系统提供其功能,或者它被设计为专门由另一个系统使用时,它们一起被视为值得评分的系统。例如,仅由智能扬声器使用的数据库被视为该智能扬声器系统的一部分。如果数据库中存在漏洞导致智能扬声器出现故障,则该数据库及其服务的智能扬声器都将被视为易受攻击的系统。当漏洞在易受攻击的系统之外没有影响时,评估提供商应将后续系统影响指标保留为 NONE (N)。

All impacts, if any, that occur outside of the vulnerable system should be reflected in the subsequent system impact set. When assessed in the environmental metric group only, the subsequent system impact may, in addition to the logical systems defined for System of Interest, also include impacts to humans. This human impact option in the environmental metric group is explained further in Safety (S), below.
在易受攻击的系统之外发生的所有影响(如果有)都应反映在后续的系统影响集中。当仅在环境度量组中进行评估时,除了为感兴趣系统定义的逻辑系统外,后续系统影响可能还包括对人类的影响。环境度量组中的这个人类影响选项将在下面的安全 (S) 中进一步解释。
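As an added illustration of the two rules above (score only the increase in access, and record the end state rather than the delta), here is a small Python helper. It is not part of the CVSS specification or any FIRST tooling; the AccessState record, the ranking N < L < H used to detect an increase, and the assumption that newly gained write access is scored as Integrity High are all constructed for the example.

```python
"""Derive CVSS v4.0 impact metric values from before/after access levels.

Added example, not part of the CVSS specification. It applies two rules from
the text above: only the *increase* in access gained through exploitation is
scored, and when access does increase the *final* ("end game") level is
recorded. Impacts outside the Vulnerable System go into the Subsequent System
metrics, which stay at None (N) when there is no such impact.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Ordering used to decide whether access increased: None < Low < High.
RANK = {"N": 0, "L": 1, "H": 2}


def impact_value(before: str, after: str) -> str:
    """Return the metric value to record for one C/I/A dimension.

    `before` is the attacker's level of that access prior to exploitation and
    `after` the level held once exploitation succeeds (each "N", "L" or "H").
    No increase means no scorable impact, so the value is "N"; otherwise the
    end state is recorded, not the difference between the two levels.
    """
    if RANK[after] > RANK[before]:
        return after
    return "N"


@dataclass(frozen=True)
class AccessState:
    """Confidentiality/Integrity/Availability level for one system (constructed)."""
    c: str = "N"
    i: str = "N"
    a: str = "N"


def impact_metrics(vuln_before: AccessState, vuln_after: AccessState,
                   subsequent: Optional[AccessState] = None) -> Dict[str, str]:
    """Build the six impact metrics VC/VI/VA and SC/SI/SA.

    `subsequent` is the end-state impact on systems outside the Vulnerable
    System; when it is omitted the Subsequent System metrics are all "N".
    """
    metrics = {
        "VC": impact_value(vuln_before.c, vuln_after.c),
        "VI": impact_value(vuln_before.i, vuln_after.i),
        "VA": impact_value(vuln_before.a, vuln_after.a),
    }
    sub = subsequent or AccessState()
    metrics.update({"SC": sub.c, "SI": sub.i, "SA": sub.a})
    return metrics


if __name__ == "__main__":
    # Worked example from the text: read-only access before, read plus write
    # after. Write access is assumed to be Integrity High here.
    print(impact_metrics(AccessState(c="L"), AccessState(c="L", i="H")))
```

Running the example for the read-only-to-write case yields VC:N, VI:H, VA:N with all Subsequent System metrics at N, matching the text; the Confidentiality Low-to-High case returns H, the end state.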

Confidentiality (VC/SC)

This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest. The list of possible values is presented in Table 6 (for the Vulnerable System) and Table 7 (when there is a Subsequent System impacted).

Table 6: Confidentiality Impact to the Vulnerable System (VC)

Metric Value: Description
High (H): There is a total loss of confidentiality, resulting in all information within the Vulnerable System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.
Low (L): There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Vulnerable System.
None (N): There is no loss of confidentiality within the Vulnerable System.

Table 7: Confidentiality Impact to the Subsequent System (SC)

Metric Value: Description
High (H): There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.
Low (L): There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System.
None (N): There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System.

Integrity (VI/SI)

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

The resulting score is greatest when the consequence to the system is highest. The list of possible values is presented in Table 8 (for the Vulnerable System) and Table 9 (when there is a Subsequent System impacted).

Table 8: Integrity Impact to the Vulnerable System (VI)

Metric Value: Description
High (H): There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Vulnerable System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Vulnerable System.
Low (L): Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System.
None (N): There is no loss of integrity within the Vulnerable System.

Table 9: Integrity Impact to the Subsequent System (SI)

Metric Value: Description
High (H): There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System.
Low (L): Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System.
None (N): There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System.

Availability (VA/SA)

This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system. The resulting score is greatest when the consequence to the system is highest. The list of possible values is presented in Table 10 (for the Vulnerable System) and Table 11 (when there is a Subsequent System impacted).

Table 10: Availability Impact to the Vulnerable System (VA)

Metric Value: Description
High (H): There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Vulnerable System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the Vulnerable System (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
Low (L): Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System.
None (N): There is no impact to availability within the Vulnerable System.

Table 11: Availability Impact to the Subsequent System (SA)

Metric Value: Description
High (H): There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the Subsequent System (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks only a small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
Low (L): Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Subsequent System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Subsequent System.
None (N): There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System.

Threat Metrics

The Threat metrics measure the current state of exploit techniques or code availability for a vulnerability.

Exploit Maturity (E)

This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. Public availability of easy-to-use exploit code or exploitation instructions increases the number of potential attackers by including those who are unskilled. Initially, real-world exploitation may only be theoretical. Publication of proof-of-concept exploit code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the available exploit code or instructions may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus or other automated attack tools.

It is the responsibility of the CVSS consumer to populate the values of Exploit Maturity (E) based on information regarding the availability of exploitation code/processes and the state of exploitation techniques. This information will be referred to as “threat intelligence” throughout this document.

Operational Recommendation: Threat intelligence sources that provide Exploit Maturity information for all vulnerabilities should be preferred over those with only partial coverage. Also, it is recommended to use multiple sources of threat intelligence as many are not comprehensive. This information should be updated as frequently as possible and its application to CVSS assessment should be automated.

The list of possible values is presented in Table 12. The more easily a vulnerability can be exploited, the higher the vulnerability score.

Table 12: Exploit Maturity

Metric Value: Description
Not Defined (X): Reliable threat intelligence is not available to determine Exploit Maturity characteristics. This is the default value and is equivalent to Attacked (A) for the purposes of the calculation of the score by assuming the worst case.
Attacked (A): Based on available threat intelligence either of the following must apply:
  - Attacks targeting this vulnerability (attempted or successful) have been reported
  - Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)
Proof-of-Concept (P): Based on available threat intelligence each of the following must apply:
  - Proof-of-concept exploit code is publicly available
  - No knowledge of reported attempts to exploit this vulnerability
  - No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)
Unreported (U): Based on available threat intelligence each of the following must apply:
  - No knowledge of publicly available proof-of-concept exploit code
  - No knowledge of reported attempts to exploit this vulnerability
  - No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)
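To show how several threat intelligence sources can be combined into a single Exploit Maturity value, as the Operational Recommendation above suggests, here is an added Python example; it is not part of the specification or of any FIRST tooling. The ThreatReport record, the feed names and the sample reports are constructed for the example. The aggregation walks the Table 12 conditions from most to least severe, distinguishes a feed that does not cover a vulnerability from one that covers it and reports nothing, and maps X to A for scoring as the table states.

```python
"""Derive the CVSS v4.0 Exploit Maturity (E) value from several threat
intelligence feeds.

Added example, not part of the CVSS specification. The ThreatReport record,
feed names and sample reports are constructed; the aggregation rule follows
Table 12: Attacked (A) when attacks or exploitation-simplifying tooling are
reported by any feed, Proof-of-Concept (P) when only public PoC code is
known, Unreported (U) when feeds cover the vulnerability but report nothing,
and Not Defined (X) when no feed covers it at all.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class ThreatReport:
    """What one feed says about one vulnerability (constructed record type).

    covered=False means the feed does not track this vulnerability at all,
    which is different from tracking it and reporting no activity.
    """
    source: str
    covered: bool
    attacks_reported: bool = False            # attempted or successful attacks
    exploit_tooling_available: bool = False   # e.g. exploit toolkit support
    poc_public: bool = False                  # public proof-of-concept code


def exploit_maturity(reports: Iterable[ThreatReport]) -> str:
    """Return "A", "P", "U" or "X" for the given reports.

    Evidence from a single feed is sufficient for the more severe values, so
    the Table 12 conditions are checked from Attacked downwards.
    """
    covered = [r for r in reports if r.covered]
    if not covered:
        return "X"                            # no reliable intelligence
    if any(r.attacks_reported or r.exploit_tooling_available for r in covered):
        return "A"
    if any(r.poc_public for r in covered):
        return "P"
    return "U"


def scoring_value(e: str) -> str:
    """Value that enters the score: X is equivalent to A (worst case)."""
    return "A" if e == "X" else e


def assess(vuln_id: str, reports: Iterable[ThreatReport]) -> Dict[str, str]:
    """Combine the feeds for one vulnerability into E and its scoring value."""
    e = exploit_maturity(reports)
    return {"id": vuln_id, "E": e, "E_for_scoring": scoring_value(e)}


# Constructed sample: two feeds with partial coverage of three vulnerabilities.
SAMPLE_REPORTS = {
    "VULN-A": [ThreatReport("feed-1", covered=True, poc_public=True),
               ThreatReport("feed-2", covered=True, attacks_reported=True)],
    "VULN-B": [ThreatReport("feed-1", covered=True, poc_public=True),
               ThreatReport("feed-2", covered=False)],
    "VULN-C": [ThreatReport("feed-1", covered=False),
               ThreatReport("feed-2", covered=False)],
}

if __name__ == "__main__":
    for vid, reps in SAMPLE_REPORTS.items():
        print(assess(vid, reps))
```

In the sample, VULN-A resolves to A because one feed reports attacks even though the other only knows of PoC code, VULN-B to P, and VULN-C, which no feed covers, stays X and is therefore scored as A. Re-running this aggregation on every feed refresh is the automation the recommendation calls for.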

Environmental Metrics

These metrics enable the consumer analyst to customize the resulting score depending on the importance of the affected IT asset to a user’s organization, measured in terms of complementary/alternative security controls in place, Confidentiality, Integrity, and Availability. The metrics are the modified equivalent of Base metrics and are assigned values based on the system placement within organizational infrastructure.

Confidentiality, Integrity, and Availability Requirements (CR, IR, AR)

These metrics enable the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability metrics relative to Confidentiality and Integrity. Each Security Requirement has three possible values: Low, Medium, or High, or the default value of Not Defined (X).

The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. Following the concept of assuming “reasonable worst case”, in absence of explicit values, these metrics are set to the default value of Not Defined (X), which is equivalent to the metric value of High (H).

The list of possible values is presented in Table 13. For brevity, the same table is used for all three metrics. The lower the Security Requirement, the lower the score (recall that High is considered the default).

Table 13: Security Requirements

Metric Value: Description
Not Defined (X): This is the default value. Assigning this value indicates there is insufficient information to choose one of the other values. This has the same effect as assigning High as the worst case.
High (H): Loss of [Confidentiality | Integrity | Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (M): Loss of [Confidentiality | Integrity | Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Low (L): Loss of [Confidentiality | Integrity | Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).

Modified Base Metrics

These metrics enable the consumer analyst to override individual Base metric values based on specific characteristics of a user’s environment. Characteristics that affect Exploitability or Impact can be reflected via an appropriately modified Environmental metric value.

The full effect on the resulting score is determined by the corresponding Base metrics as follows.

Example: If a provider sets the Base Metric Privileges Required to Low (PR:L) and an analyst overrides Modified Privileges Required to High (MPR:H), then the resulting score will be calculated as if the Base Metric Privileges Required were set to High. Similarly, if a provider sets the Base Metric Attack Vector to Network (AV:N) and an analyst sets Modified Attack Vector to Physical (MAV:P), then the resulting score will be calculated as if the Base Attack Vector was set to Physical.

A special case to this rule applies to the Modified Subsequent System Integrity (MSI) and the Modified Subsequent System Availability (MSA), which can be set to an additional special value of Safety (S) that is not included in the Base Subsequent System impact metrics. In this particular case, the special value will be directly used for the calculation of the score, as explained in section 4.2.1 below.

The intent of these metrics is to define the mitigations and compensating controls that are in place for a given environment. It is acceptable to use the modified metrics to represent situations that increase the resulting score. Here are some examples:

Example 1: The default configuration of a component may require high privileges to access a particular function. However, in the consumer analyst’s environment, administrative privileges might be granted by default without authenticating the user. The analyst can set Privileges Required to High and Modified Privileges Required to None to reflect this more serious condition in their particular environment.

Example 2: The default configuration for a vulnerable system may be to run a listening service with administrator privileges, for which a compromise might grant an attacker Confidentiality, Integrity, and Availability impacts that are all High. Yet, in the consumer analyst’s environment, that same Internet service might be running with reduced privileges; in that case, the Modified Confidentiality, Modified Integrity, and Modified Availability might each be set to Low.

Example 3: Systems and appliances located in an isolated network with no access to or from the Internet are not able to be attacked through the Wide Area Network (WAN). All vulnerabilities found on those systems may have the Attack Vector (AV) values of “Network” reduced to “Adjacent”.

For brevity, only the names of the Modified Base metrics are mentioned. Each Modified Environmental metric has the same values as its corresponding Base metric, plus values of Not Defined and Safety. Not Defined is the default and uses the metric value of the associated Base metric.

4.2.1 Modified Base Metrics and Safety

When a system may have safety implications as a matter of how or where it is deployed, it is possible that exploiting a vulnerability within that system may have safety impact(s) which can be represented in the Environmental Metrics group.

If the exploitation of a technical vulnerability (with impact to either the availability or integrity of the vulnerable system) has the potential to impact human safety, the modified subsequent system impact of Safety (S) should be used (i.e., MSI:S or MSA:S).

The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited. Unlike other impact metric values, Safety can only be associated with the Subsequent System impact set and should be considered in addition to the N/L/H impact values for Availability and Integrity metrics.

Note: If Safety is applicable, it should be explicitly assigned even if, and in addition to, impact values of H are already supplied for Availability and Integrity metrics.

Safety impact is applicable when it is predictable that an exploited vulnerability may result in injuries categorized as Marginal or worse using the IEC 61508 definitions outlined in Table 14 below.

Table 14: IEC 61508 Definitions

Category: Definition
Catastrophic: Multiple loss of life
Critical: Loss of a single life
Marginal: Major injuries to one or more persons
Negligible: Minor injuries at worst

Note: Safety metric values are leveraged in both the Supplemental Metric Group (provided by the assessment providers) and the Environmental Metric Group (provided by the consumer analyst). The list of possible values is presented below.

Table 15: Modified Base Metrics

Modified Base Metric: Corresponding Values
Modified Attack Vector (MAV), Modified Attack Complexity (MAC), Modified Attack Requirements (MAT), Modified Privileges Required (MPR), Modified User Interaction (MUI), Modified Vulnerable System Confidentiality (MVC), Modified Vulnerable System Integrity (MVI), Modified Vulnerable System Availability (MVA), Modified Subsequent System Confidentiality (MSC): The same values as the corresponding Base Metric (see Base Metrics, above) as well as Not Defined (the default). Note: For MSC, MSI, and MSA, the lowest metric value is “Negligible” (N), not “None” (N).
Modified Subsequent System Integrity (MSI), Modified Subsequent System Availability (MSA): There is also a highest severity level, Safety (S), in addition to the same values as the corresponding Base Metric (High, Medium, Low). The value Not Defined (X) is the default value.
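The following added Python example (not the specification's or FIRST's own calculator code) resolves a v4.0 vector string into the metric values that actually enter the score once the defaults described in the Threat and Environmental sections above are applied: E:X is scored as A, CR/IR/AR:X are scored as H, a Modified metric left at X falls back to its Base value, and Safety (S) on MSI or MSA is used directly. The vector layout (a CVSS:4.0/ prefix followed by slash-separated KEY:VALUE pairs) is the standard v4.0 format; the Base metric value sets are taken from the Base Metrics section of the specification, which is not repeated on this page.

```python
"""Resolve the metric values that enter a CVSS v4.0 score once the Threat and
Environmental defaults are applied.

Added example, not the specification's or FIRST's calculator code. Assumes
the standard v4.0 vector layout ("CVSS:4.0/" then "/"-separated KEY:VALUE
pairs); Base metric value sets come from the specification's Base Metrics
section. Rules implemented:
  * E:X is scored as Attacked (A).
  * CR/IR/AR:X are scored as High (H).
  * A Modified metric set to X takes the value of its Base metric.
  * MSI and MSA additionally accept Safety (S), which is used directly.
"""
from typing import Dict, Set

BASE_VALUES: Dict[str, Set[str]] = {
    "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
    "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},
    "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},
    "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},
}
THREAT_VALUES = {"E": {"X", "A", "P", "U"}}
REQUIREMENT_VALUES = {k: {"X", "H", "M", "L"} for k in ("CR", "IR", "AR")}
# Modified metrics take the Base values plus X; MSI/MSA also take S (Safety).
MODIFIED_VALUES = {"M" + k: v | {"X"} for k, v in BASE_VALUES.items()}
MODIFIED_VALUES["MSI"] |= {"S"}
MODIFIED_VALUES["MSA"] |= {"S"}

PREFIX = "CVSS:4.0/"


def parse_vector(vector: str) -> Dict[str, str]:
    """Split a v4.0 vector string into a metric -> value mapping.

    Raises ValueError for a bad prefix, a malformed or duplicated metric, a
    value outside the metric's permitted set, or a missing Base metric.
    Supplemental metrics never affect the score, so unknown keys are carried
    through without validation.
    """
    if not vector.startswith(PREFIX):
        raise ValueError("vector must start with " + PREFIX)
    allowed = {**BASE_VALUES, **THREAT_VALUES, **REQUIREMENT_VALUES,
               **MODIFIED_VALUES}
    metrics: Dict[str, str] = {}
    for item in vector[len(PREFIX):].split("/"):
        key, sep, value = item.partition(":")
        if not sep or key in metrics:
            raise ValueError("malformed or duplicated metric: " + item)
        if key in allowed and value not in allowed[key]:
            raise ValueError(f"{key}:{value} is not a permitted value")
        metrics[key] = value
    missing = [k for k in BASE_VALUES if k not in metrics]
    if missing:
        raise ValueError("missing Base metrics: " + ", ".join(missing))
    return metrics


def effective_metrics(vector: str) -> Dict[str, str]:
    """Return the Base-shaped metric set plus E/CR/IR/AR used for scoring."""
    m = parse_vector(vector)
    out: Dict[str, str] = {}
    for base in BASE_VALUES:
        modified = m.get("M" + base, "X")
        # Not Defined means "use the Base value"; anything else, including
        # Safety on MSI/MSA, overrides it.
        out[base] = m[base] if modified == "X" else modified
    out["E"] = "A" if m.get("E", "X") == "X" else m["E"]
    for req in ("CR", "IR", "AR"):
        out[req] = "H" if m.get(req, "X") == "X" else m[req]
    return out


if __name__ == "__main__":
    # Constructed vector: the PR:L -> MPR:H and AV:N -> MAV:P overrides from
    # the Example paragraph above, plus a Safety impact recorded on MSI.
    v = ("CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
         "/MAV:P/MPR:H/MSI:S")
    print(effective_metrics(v))
```

For the constructed vector the result carries AV:P, PR:H and SI:S, leaves the unmodified Base metrics untouched, and reports E:A and CR/IR/AR:H because none of those were supplied. Validation rejects S on any Modified metric other than MSI and MSA, which is the Table 15 constraint a consumer tool should enforce before scoring.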

Supplemental Metrics

A new, optional metric group called the Supplemental metric group provides new metrics that describe and measure additional extrinsic attributes of a vulnerability. While the assessment of Supplemental metrics is provisioned by the provider, the usage and response plan of each metric within the Supplemental metric group is determined by the consumer. This contextual information may be employed differently in each consumer’s environment. No metric will have any impact on the final calculated CVSS score (e.g. CVSS-BTE). Organizations may then assign importance and/or effective impact of each metric, or set/combination of metrics, giving them more, less, or absolutely no effect on the final risk analysis. Metrics and values will simply convey additional extrinsic characteristics of the vulnerability itself.

Safety (S)

Like all Supplemental Metrics, providing a value for Safety is completely optional. Suppliers and vendors (AKA: scoring providers) may or may not provide Safety as a Supplemental Metric as they see fit.

When a system does have an intended use or fitness of purpose aligned to safety, it is possible that exploiting a vulnerability within that system may have Safety impact which can be represented in the Supplemental Metrics group. Lack of a Safety metric value being supplied does NOT mean that there may not be any Safety-related impacts. The possible values for the Safety Supplemental Metric are as follows:

Table 16: Safety

Metric Value: Description
Not Defined (X): The metric has not been evaluated.
Present (P): Consequences of the vulnerability meet definition of IEC 61508 consequence categories of "marginal," "critical," or "catastrophic."
Negligible (N): Consequences of the vulnerability meet definition of IEC 61508 consequence category "negligible."

The Safety supplemental metric value indicates the degree of impact to the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited.

Note that Safety metrics are defined in both Environmental and Supplemental contexts, although the vector string values differ. As a Supplemental metric, and consistent with the above table, Safety can be described with metric values of S:X, S:P, or S:N.

The IEC 61508 consequence categories are defined in Table 14 above (as of this writing).

Automatable (AU)

The “Automatable” metric captures the answer to the question “Can an attacker automate exploitation events for this vulnerability across multiple targets?” based on steps 1-4 of the kill chain [Hutchins et al., 2011]. These steps are reconnaissance, weaponization, delivery, and exploitation. If evaluated, the metric can take the values no or yes:

Table 17: Automatable

Metric Value: Description
Not Defined (X): The metric has not been evaluated.
No (N): Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation.
Yes (Y): Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is “wormable”).

Provider Urgency (U)

Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish the Qualitative Severity Ratings from the CVSS Specification Document in their advisories.

To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional “pass-through” Supplemental Metric called Provider Urgency is available.

Note: While any assessment provider along the product supply chain may provide a Provider Urgency rating:

Library Maintainer → OS/Distro Maintainer → Provider 1 … Provider n (PPP) → Consumer

the Penultimate Product Provider (PPP) is best positioned to provide a direct assessment of Provider Urgency.

Table 18: Provider Urgency

Metric Value | Description
Not Defined (X) | The metric has not been evaluated.
Red | Provider has assessed the impact of this vulnerability as having the highest urgency.
Amber | Provider has assessed the impact of this vulnerability as having a moderate urgency.
Green | Provider has assessed the impact of this vulnerability as having a reduced urgency.
Clear | Provider has assessed the impact of this vulnerability as having no urgency (Informational).

Recovery (R)

Recovery describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.

Table 19: Recovery

Metric Value | Description
Not Defined (X) | The metric has not been evaluated.
Automatic (A) | The system recovers services automatically after an attack has been performed.
User (U) | The system requires manual intervention by the user to recover services after an attack has been performed.
Irrecoverable (I) | The system services are irrecoverable by the user after an attack has been performed.

Value Density (V)

Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, Diffuse and Concentrated:

Table 20: Value Density

Metric Value | Description
Not Defined (X) | The metric has not been evaluated.
Diffuse (D) | The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small. An example of Diffuse (think: limited) Value Density would be an attack on a single email client vulnerability.
Concentrated (C) | The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users. An example of Concentrated (think: broad) Value Density would be an attack on a central email server.

Vulnerability Response Effort (RE)

The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on the effort required into consideration when applying mitigations and/or scheduling remediation.

When calculating Vulnerability Response Effort, the effort required to deploy the quickest available response should be considered.

Table 21: Vulnerability Response Effort

Metric Value | Description
Not Defined (X) | The metric has not been evaluated.
Low (L) | The effort required to respond to a vulnerability is low/trivial. Examples include: communication on better documentation, configuration workarounds, or guidance from the vendor that does not require an immediate update, upgrade, or replacement by the consuming entity, such as firewall filter configuration.
Moderate (M) | The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement. Examples include: a simple remote update, disabling of a subsystem, or a low-touch software upgrade such as a driver update.
High (H) | The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes, including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely and the only resolution involves physical replacement (e.g., deployed units would have to be recalled for a depot-level repair or replacement). Examples include: a highly privileged driver update, microcode or UEFI BIOS updates, or software upgrades requiring careful analysis and understanding of any potential infrastructure impact before implementation. A UEFI BIOS update that impacts Trusted Platform Module (TPM) attestation without impacting disk encryption software such as BitLocker is a good recent example (the update changes the firmware measurements the TPM records, so any attestation policy or sealed key tied to the old measurements must be re-established). Irreparable failures such as non-bootable flash subsystems, failed disks or solid-state drives (SSD), bad memory modules, network devices, or other hardware not recoverable under warranty should also be scored as High effort.

Qualitative Severity Rating Scale

For some purposes it is useful to have a textual representation of the resulting numeric Base, Threat and Environmental scores. All CVSS scores, regardless of nomenclature, can be mapped to the qualitative ratings defined in Table 22.[3]

Table 22: Qualitative severity rating scale

Rating | CVSS Score
None | 0.0
Low | 0.1 - 3.9
Medium | 4.0 - 6.9
High | 7.0 - 8.9
Critical | 9.0 - 10.0

As an example, a CVSS Base Score of 5.0 has an associated severity rating of Medium. The use of these qualitative severity ratings is optional, and there is no requirement to include them when publishing CVSS scores. They are intended to help organizations properly assess and prioritize their vulnerability management processes.

Vector String

The CVSS v4.0 vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise and machine-readable form.

The CVSS v4.0 vector string begins with the label “CVSS:” and a numeric representation of the current version, “4.0”. Metric information follows in the form of a set of metrics, each preceded by a forward slash, “/”, acting as a delimiter. Each metric is a metric name in abbreviated form, a colon (“:”), and its associated metric value in abbreviated form. The abbreviated forms are defined earlier in this specification (in parentheses after each metric name and metric value, case sensitive), and are summarized in the table below.

A vector string must contain metrics in the order shown in Table 23; any other ordering is invalid. All Base metrics must be included in a vector string. Threat, Environmental, and Supplemental metrics are optional, and omitted metrics are considered to have the value Not Defined (X). Metrics with a value of Not Defined can be explicitly included in a vector string if desired. Systems that produce or consume CVSS v4.0 vector strings must do so in the following order and treat unspecified Threat, Environmental and Supplemental metrics as Not Defined. A vector string must not include the same metric more than once.

Table 23: Base, Threat and Environmental Vectors

Metric Group | Metric Name (and Abbreviated Form) | Possible Values | Mandatory?
Base | Attack Vector (AV) | [N,A,L,P] | Yes
- | Attack Complexity (AC) | [L,H] | Yes
- | Attack Requirements (AT) | [N,P] | Yes
- | Privileges Required (PR) | [N,L,H] | Yes
- | User Interaction (UI) | [N,P,A] | Yes
- | Vulnerable System Confidentiality Impact (VC) | [H,L,N] | Yes
- | Vulnerable System Integrity Impact (VI) | [H,L,N] | Yes
- | Vulnerable System Availability Impact (VA) | [H,L,N] | Yes
- | Subsequent System Confidentiality Impact (SC) | [H,L,N] | Yes
- | Subsequent System Integrity Impact (SI) | [H,L,N] | Yes
- | Subsequent System Availability Impact (SA) | [H,L,N] | Yes
Threat | Exploit Maturity (E) | [X,A,P,U] | No
Environmental | Confidentiality Requirement (CR) | [X,H,M,L] | No
- | Integrity Requirement (IR) | [X,H,M,L] | No
- | Availability Requirement (AR) | [X,H,M,L] | No
- | Modified Attack Vector (MAV) | [X,N,A,L,P] | No
- | Modified Attack Complexity (MAC) | [X,L,H] | No
- | Modified Attack Requirements (MAT) | [X,N,P] | No
- | Modified Privileges Required (MPR) | [X,N,L,H] | No
- | Modified User Interaction (MUI) | [X,N,P,A] | No
- | Modified Vulnerable System Confidentiality (MVC) | [X,N,L,H] | No
- | Modified Vulnerable System Integrity (MVI) | [X,N,L,H] | No
- | Modified Vulnerable System Availability (MVA) | [X,N,L,H] | No
- | Modified Subsequent System Confidentiality (MSC) | [X,N,L,H] | No
- | Modified Subsequent System Integrity (MSI) | [X,N,L,H,S] | No
- | Modified Subsequent System Availability (MSA) | [X,N,L,H,S] | No
Supplemental | Safety (S) | [X,N,P] | No
- | Automatable (AU) | [X,N,Y] | No
- | Recovery (R) | [X,A,U,I] | No
- | Value Density (V) | [X,D,C] | No
- | Vulnerability Response Effort (RE) | [X,L,M,H] | No
- | Provider Urgency (U) | [X,Clear,Green,Amber,Red] | No
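
The rules above (fixed “CVSS:4.0” prefix, Table 23 ordering, mandatory Base metrics, case-sensitive abbreviations, omitted metrics read as Not Defined, no repeated metric) are exactly the checks a consumer of vector strings has to make before it trusts one. The following validator is an added example written for this page; it is not the FIRST reference calculator and not code from the specification. The metric table is transcribed from Table 23; the function and class names are this example's own.

```python
"""Parse and validate a CVSS v4.0 vector string.

Added example for this page; it is not the FIRST reference calculator.
It enforces the rules stated in the Vector String section and Table 23:
fixed prefix, metric order, mandatory Base metrics, case-sensitive
abbreviations, and no repeated metric.
"""

PREFIX = "CVSS:4.0"

# Table 23, in the required order: (metric, allowed values, mandatory?)
METRICS = [
    ("AV", ("N", "A", "L", "P"), True),
    ("AC", ("L", "H"), True),
    ("AT", ("N", "P"), True),
    ("PR", ("N", "L", "H"), True),
    ("UI", ("N", "P", "A"), True),
    ("VC", ("H", "L", "N"), True),
    ("VI", ("H", "L", "N"), True),
    ("VA", ("H", "L", "N"), True),
    ("SC", ("H", "L", "N"), True),
    ("SI", ("H", "L", "N"), True),
    ("SA", ("H", "L", "N"), True),
    ("E", ("X", "A", "P", "U"), False),
    ("CR", ("X", "H", "M", "L"), False),
    ("IR", ("X", "H", "M", "L"), False),
    ("AR", ("X", "H", "M", "L"), False),
    ("MAV", ("X", "N", "A", "L", "P"), False),
    ("MAC", ("X", "L", "H"), False),
    ("MAT", ("X", "N", "P"), False),
    ("MPR", ("X", "N", "L", "H"), False),
    ("MUI", ("X", "N", "P", "A"), False),
    ("MVC", ("X", "N", "L", "H"), False),
    ("MVI", ("X", "N", "L", "H"), False),
    ("MVA", ("X", "N", "L", "H"), False),
    ("MSC", ("X", "N", "L", "H"), False),
    ("MSI", ("X", "N", "L", "H", "S"), False),
    ("MSA", ("X", "N", "L", "H", "S"), False),
    ("S", ("X", "N", "P"), False),
    ("AU", ("X", "N", "Y"), False),
    ("R", ("X", "A", "U", "I"), False),
    ("V", ("X", "D", "C"), False),
    ("RE", ("X", "L", "M", "H"), False),
    ("U", ("X", "Clear", "Green", "Amber", "Red"), False),
]
POSITION = {name: i for i, (name, _, _) in enumerate(METRICS)}


class VectorError(ValueError):
    """Raised with a message naming the first rule the vector breaks."""


def parse_vector(vector: str) -> dict:
    """Return {metric: value} for every metric in Table 23.

    Omitted Threat, Environmental and Supplemental metrics are reported
    as "X" (Not Defined), which is how the specification tells consumers
    to treat them. Raises VectorError on any violation.
    """
    parts = vector.split("/")
    if parts[0] != PREFIX:
        raise VectorError(f"vector must start with {PREFIX!r}")
    values = {}
    last = -1  # index into METRICS of the previous component
    for component in parts[1:]:
        name, sep, value = component.partition(":")
        if not sep or name not in POSITION:  # also rejects lowercase names
            raise VectorError(f"unknown or malformed metric {component!r}")
        pos = POSITION[name]
        if pos == last:
            raise VectorError(f"metric {name} appears more than once")
        if pos < last:  # covers both wrong order and a repeat further back
            raise VectorError(f"metric {name} is out of order")
        if value not in METRICS[pos][1]:  # case-sensitive comparison
            raise VectorError(f"value {value!r} is not valid for {name}")
        values[name] = value
        last = pos
    for name, _, mandatory in METRICS:
        if mandatory and name not in values:
            raise VectorError(f"mandatory Base metric {name} is missing")
        values.setdefault(name, "X")
    return values


def is_valid(vector: str) -> bool:
    """True when parse_vector accepts the string."""
    try:
        parse_vector(vector)
    except VectorError:
        return False
    return True
```

The order check doubles as the duplicate check: a metric can only appear after every metric that precedes it in Table 23, so a second copy of AV anywhere after the first is caught as out of order. Values are compared exactly, so “av:n” or “U:amber” are rejected, and “S” is accepted only for MSI and MSA, never for the Base SI/SA.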

For example, a vulnerability with Base metric values of:

The following examples are valid CVSS v4.0 vectors, provided along with a short description:

The following vectors are invalid and are provided along with a short explanation:

CVSS v4.0 Scoring

The CVSS v4.0 scoring methodologies are described in the sub-sections below.

New Scoring System Development

The scoring system development for CVSS v4.0 consisted of the following broad steps:

  1. Use metric groups to gather the 15 million CVSS-BTE vectors into 270 disjoint equivalence sets under a relation of comparable qualitative severity.

  2. Solicit experts to compare vectors representing each equivalence set.

  3. Use the expert comparison data to calculate an order of vectors from least severe to most severe.

  4. Solicit expert opinion to decide which equivalence set of vectors in the ordering represents the boundary between qualitative severity scores, so as to be backwards compatible with the qualitative severity score boundaries from CVSS v3.x.

  5. Compress the equivalence sets of vectors in each qualitative severity bin into the number of available scores in that bin (for example, 9.0 to 10.0 for Critical, 7.0 to 8.9 for High, etc.).

  6. Create a small score modification factor that adjusts the scores of vectors within a qualitatively equivalent set of vectors so that a change of any metric value results in a change of the resulting score, where possible. The intent is that the score change is not larger than the uncertainty in the ranking of the vector groups as collected from the expert comparison data in step 2. This is further discussed in section 8.2 below.

Additional information about the new approach to scoring calculation developed in CVSS v4.0 can be found in Section 2.5 of the CVSS v4.0 User Guide.

CVSS v4.0 Scoring using MacroVectors and Interpolation

The CVSS v4.0 formula provides a mathematical approximation of all possible metric combinations ranked in order of severity, where vectors are clustered in sets called MacroVectors. A MacroVector is one of the sets of CVSS vectors that the expert evaluation process described in section 8.1 (steps 1-3) determined to be of comparable qualitative severity. Each MacroVector constitutes an equivalence class[4] from such a qualitative perspective.

The score of a MacroVector is defined by a lookup table produced by the subject matter expert process mentioned above and is specified in Section 8.3. The score of a vector within each MacroVector is defined by interpolation.

To determine a preliminary set of relevant MacroVectors, the SIG determined the following preliminary metric subgroups (EQs). Additional EQs or levels can be determined for a finer resolution.

Intuitively, each level of a metric subgroup corresponds to a different severity level, with zero being the most severe and one or two being the least severe.

Since EQ3 and EQ6 are not independent, they must be considered together.

A highest severity vector of a MacroVector is a vector that

The lowest severity vector of a MacroVector is determined in a similar way.

One MacroVector might have more than one highest severity vector and more than one lowest severity vector. For example, the MacroVectors which satisfy EQ1 at level 1 shown in Table 24 have as highest severity vectors all vectors with

as they all satisfy the constraints specified in Table 24.

Table 24: EQ1 - MacroVectors

Levels | Constraints | Highest Severity Vector(s)
0 | AV:N and PR:N and UI:N | AV:N/PR:N/UI:N
1 | (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P | AV:A/PR:N/UI:N or AV:N/PR:L/UI:N or AV:N/PR:N/UI:P
2 | AV:P or not (AV:N or PR:N or UI:N) | AV:P/PR:N/UI:N or AV:A/PR:L/UI:P

Table 25: EQ2 - MacroVectors

Levels | Constraints | Highest Severity Vector(s)
0 | AC:L and AT:N | AC:L/AT:N
1 | not (AC:L and AT:N) | AC:L/AT:P or AC:H/AT:N

Table 26: EQ3 - MacroVectors

Levels | Constraints | Highest Severity Vector(s)
0 | VC:H and VI:H | VC:H/VI:H/VA:H
1 | not (VC:H and VI:H) and (VC:H or VI:H or VA:H) | VC:L/VI:H/VA:H or VC:H/VI:L/VA:H
2 | not (VC:H or VI:H or VA:H) | VC:L/VI:L/VA:L

Table 27: EQ4 - MacroVectors

Levels | Constraints | Highest Severity Vector(s)
0 | MSI:S or MSA:S | SC:H/SI:S/SA:S
1 | not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H) | SC:H/SI:H/SA:H
2 | not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H) | SC:L/SI:L/SA:L

If MSI=X or MSA=X they will default to the corresponding value of SI and SA according to the rules of Modified Base Metrics in section 4.2 (see Table 15). So if there are no modified base metrics, the most severe level that EQ4 can reach is 1, since level 0 requires MSI:S or MSA:S.

Table 28: EQ5 - MacroVectors

Levels | Constraints | Highest Severity Vector(s)
0 | E:A | E:A
1 | E:P | E:P
2 | E:U | E:U

If E=X it will default to the worst case (i.e., E=A).

Table 29: EQ6 - MacroVectors

Levels | Constraints | Highest Severity Vector(s)
0 | (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H) | VC:H/VI:H/VA:H/CR:H/IR:H/AR:H
1 | not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H) | VC:H/VI:H/VA:H/CR:M/IR:M/AR:M or VC:H/VI:H/VA:L/CR:M/IR:M/AR:H or VC:H/VI:L/VA:H/CR:M/IR:H/AR:M or VC:H/VI:L/VA:L/CR:M/IR:H/AR:H or VC:L/VI:H/VA:H/CR:H/IR:M/AR:M or VC:L/VI:H/VA:L/CR:H/IR:M/AR:H or VC:L/VI:L/VA:H/CR:H/IR:H/AR:M or VC:L/VI:L/VA:L/CR:H/IR:H/AR:H

If CR=X, IR=X or AR=X they will default to the worst case (i.e., CR=H, IR=H and AR=H).

Table 30: Joint EQ3+EQ6 - MacroVectors

Levels | Constraints | Highest Severity Vector(s)
00 | VC:H and VI:H and [CR:H or IR:H or (AR:H and VA:H)] | VC:H/VI:H/VA:H/CR:H/IR:H/AR:H
01 | VC:H and VI:H and not (CR:H or IR:H) and not (AR:H and VA:H) | VC:H/VI:H/VA:H/CR:M/IR:M/AR:M or VC:H/VI:H/VA:L/CR:M/IR:M/AR:H
10 | not (VC:H and VI:H) and (VC:H or VI:H or VA:H) and [(CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)] | VC:L/VI:H/VA:H/CR:H/IR:H/AR:H or VC:H/VI:L/VA:H/CR:H/IR:H/AR:H
11 | not (VC:H and VI:H) and (VC:H or VI:H or VA:H) and [not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)] | VC:H/VI:L/VA:H/CR:M/IR:H/AR:M or VC:H/VI:L/VA:L/CR:M/IR:H/AR:H or VC:L/VI:H/VA:H/CR:H/IR:M/AR:M or VC:L/VI:H/VA:L/CR:H/IR:M/AR:H or VC:L/VI:L/VA:H/CR:H/IR:H/AR:M
20 | not (VC:H or VI:H or VA:H) and [(CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)] | Cannot exist
21 | not (VC:H or VI:H or VA:H) and not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H) | VC:L/VI:L/VA:L/CR:H/IR:H/AR:H

Level 20 is empty because EQ6 level 0 requires at least one of VC, VI or VA to be High, which EQ3 level 2 excludes.

Given two vectors, the severity distance between them is the number of consecutive stepwise changes in individual metrics, following the Section 2 ordering of metric values, needed to transform one vector into the other.

For example, a vector with VC:H/VI:H/VA:H has a severity distance of 3 from a vector that contains VC:H/VI:L/VA:N and is otherwise identical (one step for VI, H to L, and two steps for VA, H to L to N).

The depth of a MacroVector is the maximum severity distance between the highest severity vector(s) and the lowest severity vector(s) of the MacroVector.

The notion of depth can be better understood by a graphical visualization. For example, consider EQ3=2, which is defined in Table 26 as all metric values such that not (VC=H or VI=H or VA=H). Figure 2 shows all metric values of VC, VI, and VA in that MacroVector, starting from the highest severity vector (VC:L/VI:L/VA:L) to the lowest severity vector (VC:N/VI:N/VA:N).

Figure 2: Vectors included in the MacroVector with EQ3=2 and everything else fixed.

The highest severity vector of a MacroVector is always assigned the score of the MacroVector from the cvss_lookup.js file within the CVSS v4.0 calculator reference implementation available on GitHub (see Section 8.3).

A vector within a MacroVector is assigned the score of the highest severity vector in the MacroVector minus the mean proportional distance from the MacroVectors below it.

This is obtained by the following algorithm.

  1. For each of the EQs:

    1. The maximal scoring difference is determined as the difference between the score of the current MacroVector and the score of the lower MacroVector (the MacroVector obtained by moving that EQ one level less severe).

      1. If there is no lower MacroVector, the available distance is set to NaN and then ignored in the further calculations.

    2. The severity distance of the to-be-scored vector from a highest severity vector in the same MacroVector is determined.

    3. The proportion of the distance is determined by dividing the severity distance of the to-be-scored vector by the depth of the MacroVector.

    4. The maximal scoring difference is multiplied by the proportion of distance.

  2. The mean of the above computed proportional distances is computed.

  3. The score of the vector is the score of the MacroVector (i.e., the score of the highest severity vector) minus the mean distance so computed. This score is rounded to one decimal place.
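
Tables 24 through 30, the defaulting notes beneath them, the severity distance definition and the interpolation steps above are all mechanical, and getting them wrong is how third-party CVSS tooling silently disagrees with the reference calculator. The code below is an added example written for this page, not the FIRST reference calculator and not code from the specification. It classifies a vector into its EQ levels (with the page's defaults: Modified metrics replacing Base metrics when set, E=X read as A, CR/IR/AR=X read as H), computes severity distance using the Section 2 value ordering, and carries out steps 1-3 of the interpolation algorithm. Three things are this example's own assumptions: the six-character MacroVector key (EQ1..EQ6 concatenated), the assumption that the input vector is already syntactically valid, and the fact that interpolate() takes the per-EQ quantities as plain numbers instead of reading cvss_lookup.js, whose scores are not reproduced here.

```python
"""Classify a CVSS v4.0 vector into its MacroVector and measure severity
distance, following Tables 24-30 and the definitions above.

Added example for this page; it is not the FIRST reference calculator.
Assumptions of this example: the MacroVector key is the six EQ levels
concatenated as a string (EQ1..EQ6), the input vector is syntactically
valid, and interpolate() takes the per-EQ quantities of the algorithm
above as plain numbers rather than reading cvss_lookup.js.
"""
from decimal import Decimal, ROUND_HALF_UP

# Section 2 ordering of metric values, most severe first. Subsequent
# Integrity/Availability may become "S" (Safety) via MSI/MSA, above "H".
ORDER = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN",
    "SC": "HLN", "SI": "SHLN", "SA": "SHLN",
    "CR": "HML", "IR": "HML", "AR": "HML", "E": "APU",
}
BASE = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")


def split_vector(vector: str) -> dict:
    """Minimal parse of a vector assumed to be valid (no validation here)."""
    return dict(part.split(":", 1) for part in vector.split("/")[1:])


def effective(metrics: dict) -> dict:
    """Apply the defaults the scoring rules state before EQs are evaluated:
    a Modified metric replaces its Base metric when it is not X (section
    4.2, Table 15), E=X counts as A, and CR/IR/AR=X count as H."""
    eff = {}
    for name in BASE:
        modified = metrics.get("M" + name, "X")
        eff[name] = metrics[name] if modified == "X" else modified
    eff["E"] = metrics.get("E", "X")
    if eff["E"] == "X":
        eff["E"] = "A"
    for req in ("CR", "IR", "AR"):
        eff[req] = metrics.get(req, "X")
        if eff[req] == "X":
            eff[req] = "H"
    return eff


def eq_levels(vector: str) -> tuple:
    """Return (EQ1, EQ2, EQ3, EQ4, EQ5, EQ6) per Tables 24-29; 0 is most severe."""
    v = effective(split_vector(vector))
    if v["AV"] == "N" and v["PR"] == "N" and v["UI"] == "N":
        eq1 = 0
    elif (v["AV"] == "N" or v["PR"] == "N" or v["UI"] == "N") and v["AV"] != "P":
        eq1 = 1
    else:
        eq1 = 2
    eq2 = 0 if (v["AC"] == "L" and v["AT"] == "N") else 1
    if v["VC"] == "H" and v["VI"] == "H":
        eq3 = 0
    elif v["VC"] == "H" or v["VI"] == "H" or v["VA"] == "H":
        eq3 = 1
    else:
        eq3 = 2
    if v["SI"] == "S" or v["SA"] == "S":        # only reachable via MSI/MSA
        eq4 = 0
    elif v["SC"] == "H" or v["SI"] == "H" or v["SA"] == "H":
        eq4 = 1
    else:
        eq4 = 2
    eq5 = {"A": 0, "P": 1, "U": 2}[v["E"]]
    eq6 = 0 if ((v["CR"] == "H" and v["VC"] == "H")
                or (v["IR"] == "H" and v["VI"] == "H")
                or (v["AR"] == "H" and v["VA"] == "H")) else 1
    return eq1, eq2, eq3, eq4, eq5, eq6


def macrovector(vector: str) -> str:
    """Six-character MacroVector key, e.g. "000200" (this example's convention)."""
    return "".join(str(level) for level in eq_levels(vector))


def severity_distance(a: str, b: str) -> int:
    """Stepwise changes, in the ORDER above, needed to turn vector a into b."""
    ea, eb = effective(split_vector(a)), effective(split_vector(b))
    return sum(abs(ORDER[m].index(ea[m]) - ORDER[m].index(eb[m])) for m in ORDER)


def interpolate(macrovector_score: float, per_eq: list) -> float:
    """Steps 1-3 of the interpolation algorithm. per_eq holds one tuple
    (max_scoring_difference, severity_distance, depth) per EQ; the first
    entry is None when that EQ has no lower MacroVector (the NaN case),
    and such entries are left out of the mean."""
    proportional = [diff * dist / depth
                    for diff, dist, depth in per_eq if diff is not None]
    mean = sum(proportional) / len(proportional) if proportional else 0.0
    score = Decimal(str(macrovector_score - mean)).quantize(
        Decimal("0.1"), rounding=ROUND_HALF_UP)
    return float(score)
```

Two properties of the tables fall out directly: a vector with no High impact on the vulnerable system always gets EQ6 level 1 regardless of CR/IR/AR, which is why the joint level 20 in Table 30 cannot exist, and EQ4 level 0 can only be reached through the Environmental MSI:S or MSA:S values. The same `effective()` defaults apply when measuring severity distance, so two vectors that differ only in an omitted Threat or Environmental metric are at distance 0.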

Scores of all MacroVectors

A complete list of all MacroVectors and associated scores can be found in the cvss_lookup.js file within the CVSS v4.0 calculator reference implementation available on GitHub:

https://github.com/FIRSTdotorg/cvss-v4-calculator/blob/main/cvss_lookup.js

Appendix A - Acknowledgments

FIRST sincerely recognizes the contributions of the following CVSS Special Interest Group (SIG) members, listed in alphabetical order by last name:

FIRST would also like to thank Grace Staley from CAPS, LLC. for her tireless work facilitating the CVSS SIG meetings.

Appendix B - On-Line Resources

CVSS v4.0 main page - https://www.first.org/cvss/v4-0

The main web page for all CVSS resources, including the most recent version of the CVSS standard.

CVSS v4.0 Specification Document - https://www.first.org/cvss/v4-0/specification-document

The latest revision of this document, defining the metrics, formulas, qualitative rating scale and vector string.

CVSS v4.0 User Guide - https://www.first.org/cvss/v4-0/user-guide

A companion to the Specification, the User Guide includes further discussion of the CVSS standard including particular use cases, guidelines on scoring, scoring rubrics, and a glossary of the terms used in the Specification and User Guide documents.

CVSS v4.0 Examples Document - https://www.first.org/cvss/v4-0/examples

Includes scores of public vulnerabilities and explanations of why particular metric values were chosen.

CVSS v4.0 Calculator - https://www.first.org/cvss/calculator/v4-0

A reference implementation of the CVSS standard that can be used for generating scores. The underlying code is documented and can be used as part of other implementations.

JSON and XML Schemas - https://www.first.org/cvss/data-representations

Data representations for CVSS metrics, scores and vector strings in JSON Schema and XML Schema Definition (XSD) representations. These can be used to store and transfer CVSS information in defined JSON and XML formats.

Version History

Date | Ver | Description
2023-11-01 | v1.0 | Initial Publication
2023-11-09 | v1.1 | Corrected impact metric order; corrected reference to Section 2.5 of the User Guide
2024-06-18 | v1.2 | Corrected None metric in Section 2.2.3 Table 7

  1. See https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html for a description of the evil maid attack.

  2. Eric M Hutchins, Michael J Cloppert, and Rohan M Amin. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1:80, 2011. https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

  3. Note that this mapping between quantitative and qualitative scores applies whether just the Base, or all of the Base, Threat, and Environmental metric groups, are assessed.

  4. https://en.wikipedia.org/wiki/Equivalence_class