CVSS得分计算公式
- Base Metrics计算方式
基础分(Base Score,简称BS)是通过影响子因子分数(Impact sub score,简称ISC)和可用性子因子分数(Exploitability sub score,简称ESC)计算出来的。
其中,
ESC=8.22*AV*AC*PR*UI
(AV-attack vector,AC-attack complexity,RP-Privileges required,UI-user interaction)
ISCBase=1-[(1-ImpactConf)*(1-ImpacInteg)*(1-ImpactAvail)]
基础分得分计算公式:
当ISCBase<=0 or ISCBase>1
BS=0
当0<ISCBase<=1
当Scope=unchanged
ISC=6.42*ISCBase
BS = Roundup(Min[(ESC+ISC),10])
当Scope=changed
ISC=7.52*[ ISCBase-0.029]-3.25*[ ISCBase -0.02]15
BS = Roundup(Min[1.08*(ESC+ISC),10])
注释:Roundup是使用进一法保留一位小数,eg,Roundup(4.01)=4,1,Roundup(4.00)=4.0
- Temporal 计算方式
临时分数(Temporal Score ,以下简称TS)的计算公式为:
TS = Roundup(BS*ECM*RL*RC)
(BS-BaseScore,ECM-ExploitCodeMaturity,RL-RemediationLevel,RC-ReportConfidence)
- Environmental Score计算方式
计算环境分数(Environmental Score,以下简称ES)需要首先计算被更改当ISC(简称ISCModified),被更改当ESC(简称ESCModified)。
其中,
ESCModified=8.22*AVModified* ACModified * PRModified * UIModified
ISCBaseModified=Min{[1-(1-ImpactConfModified*CR)*(1-ImpactIntegModified*IR)*(1-ImpactAvailModified*AR)],0.915}
(CR-Confidentiality Requirements,IR-Integrity Requirements,AR-Availablity Requirements)
ES的计算公式为:
当ISCModified <= 0
ES=0
当ISCModified != 0
当ScopeModified = unchanged
ISCModified=6.42*ISCBaseModified
ES = Roundup(Roundup(Min[(ISCModified+ESCModified),10])*ECM*RL*RC)
当ScopeModified = changed
ISCModified=7.52*(ISCBaseModified-0.029)-3.25*(ISCBaseModified -0.02)15
ES = Roundup(Roundup(Min[1.08*(ISCModified+ESCModified),10])*ECM*RL*RC)
- 定制化漏洞等级-厂商等级映射表
根据不同厂商情况,将ESC得分与问题级别进行调整,具体明细如下表所示。
| A类厂商 | B类厂商 | C类厂商 | |
| Critical | 8.5<=ES<=10 | 9<=ES<=10 | 9.5<=ES<=10 |
| High | 6.5<=ES<8.5 | 7<=ES<9 | 7.5<=ES<9.5 |
| Medium | 3.5<=ES<6.5 | 4<=ES<7 | 4.5<=ES<7.5 |
| Low | 0<=ES<3.5 | 0<=ES<4 | 0<=ES<4.5 |
- 度量值权重表
| metric | metric value | numerical value | |
| Attack Vector(AV)/Modified AttackVector(AVModified) | Network | 0.85 | |
| Adjacent Network | 0.62 | ||
| Local | 0.55 | ||
| Physical | 0.2 | ||
| Attack Complexity(AC)/Modified Attack Complexity(ACModified) | Low | 0.77 | |
| High | 0.44 | ||
| Privilege Required(PR)/Modified Privilege Required(PRModified) | None | 0.85 | |
| Low | 0.62 | scope=unchanged | |
| 0.68 | scope=changed | ||
| High | 0.27 | scope=unchanged | |
| 0.5 | scope=changed | ||
| User Interaction(UI)/Modified User Interaction(UIModified) | None | 0.85 | |
| Required | 0.62 | ||
| C,I,A Impact/Modified C,I,A Impact | High | 0.56 | |
| Low | 0.22 | ||
| None | 0 | ||
| Exploit Code Maturity(ECM) | Not Defined | 1 | |
| High | 1 | ||
| Functional | 0.97 | ||
| Proof of Concept | 0.94 | ||
| Unproven | 0.91 | ||
| Remediation Level(RL) | Not Defined | 1 | |
| Unavailable | 1 | ||
| Workaround | 0.97 | ||
| Temporary Fix | 0.96 | ||
| Official Fix | 0.95 | ||
| Report Condifence(RC) | Not Defined | 1 | |
| Confirmed | 1 | ||
| Reasonable | 0.96 | ||
| Unknown | 0.92 | ||
| Security Requirements-C,I,A Requirement(CR,IR,AR) | Not Defined | 1 | |
| High | 1.5 | ||
| Medium | 1 | ||
| Low | 0.5 | ||
