In the Common Vulnerability Scoring System (CVSS) v3.1 severity ratings, what range does medium vulnerability fall in?

Option 1 : 4.0-6.9
Option 2 : 3.9-6.9
Option 3 : 3.0-6.9
Option 4 : 4.0-6.0

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. CVSS is therefore well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores. Two common uses of CVSS are calculating the severity of vulnerabilities discovered on one’s systems and as a factor in prioritizing vulnerability remediation activities. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

The NVD supports both the Common Vulnerability Scoring System (CVSS) v2.0 and v3.X standards. The NVD provides CVSS ‘base scores’, which represent the innate characteristics of each vulnerability. The NVD does not currently provide ‘temporal scores’ (metrics that change over time due to events external to the vulnerability) or ‘environmental scores’ (scores customized to reflect the impact of the vulnerability on your organization). However, the NVD does supply a CVSS calculator for both CVSS v2 and v3 to allow you to add temporal and environmental score data.

CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization whose mission is to help computer security incident response teams across the world. The official CVSS documentation can be found at

NVD CVSS Calculators

NVD Vulnerability Severity Ratings

NVD provides qualitative severity rankings of “Low”, “Medium”, and “High” for CVSS v2.0 base score ranges, in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification.

CVSS v2.0 Ratings                  CVSS v3.0 Ratings
Severity   Base Score Range        Severity   Base Score Range
                                   None       0.0
Low        0.0-3.9                 Low        0.1-3.9
Medium     4.0-6.9                 Medium     4.0-6.9
High       7.0-10.0                High       7.0-8.9
                                   Critical   9.0-10.0

NVD Specific CVSS Information

Incomplete Data

For some vulnerabilities, all of the information needed to create CVSS scores may not be available. This typically happens when a vendor announces a vulnerability but declines to provide certain details. In such situations, NVD analysts assign CVSS scores using a worst-case approach. Thus, if a vendor provides no details about a vulnerability, NVD will score that vulnerability as a 10.0 (the highest rating).

Collaboration with Industry

NVD staff are willing to work with the security community on CVSS impact scoring. If you wish to contribute additional information or corrections regarding the NVD CVSS impact scores, please send email to We actively work with users who provide us feedback.

Legacy CVSS Information

The NVD will begin officially supporting the CVSS v3.1 guidance on September 10th, 2019. Due to the clarifications in the guidance, there will be some changes to the scoring practices used by NVD analysts for CVSS v3. The NVD will not offer CVSS v3.0 and v3.1 vector strings for the same CVE. All new and re-analyzed CVEs will be scored using the CVSS v3.1 guidance.

There are currently no plans to associate CVSS v3.0 vector strings with CVEs that were already analyzed in the NVD prior to 12/20/2015. A subset of CVEs from before this time may be given CVSS v3.0 vector strings due to special cases or because they appear as examples in the CVSS v3 documentation.

Vector strings for the CVE vulnerabilities published between 11/10/2005 and 11/30/2006 have been upgraded from CVSS version 1 data. CVSS v1 metrics did not contain the granularity of CVSS v2, so these scores are marked as “Version 2.0 upgrade from v1.0” within NVD. While these scores are approximations, they are expected to be reasonably accurate CVSS v2 scores.

Vector strings provided for the 13,000 CVE vulnerabilities published prior to 11/9/2005 are approximated from only partially available CVSS metric data. In particular, the following CVSS metrics are only partially available for these vulnerabilities, and NVD assumes certain values based on an approximation algorithm: Access Complexity, Authentication, Confidentiality Impact of ‘partial’, Integrity Impact of ‘partial’, Availability Impact of ‘partial’, and the impact biases.

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
