CVSS 4.0 is here. Will it make vulnerability scores more useful?

Version 4 of the Common Vulnerability Scoring System (CVSS) redefines and removes several v3.1 metrics and adds new ones, notably the supplemental metric group. Most importantly, v4.0 makes it clear from the outset that the base score is only a starting point for calculating the real-life impact and risk for a vulnerability. Invicti is among the first DAST vendors to add CVSS 4.0 support to its products.

CVSS 4.0 is here. Will it make vulnerability scores more useful?

The Common Vulnerability Scoring System (CVSS) has long been due for an overhaul, and November 2023 saw the official publication of CVSS v4.0. Designed to address the shortcomings of CVSS v3.1 and bring the system in line with current cybersecurity realities, version 4.0 includes major changes, notably adding new supplemental metrics for more customizable vulnerability management.

Invicti is among the first dynamic application security testing (DAST) solution vendors to add CVSS 4.0 vulnerability scores into its products. This post presents an overview of CVSS 4.0 and highlights how the new metrics appear in Invicti and Acunetix vulnerability scan results.

What is CVSS?

In dealing with security issues, it’s helpful to have a number that indicates the severity and helps you prioritize your vulnerability response efforts. When faced with hundreds of reports across automated systems, those severity scores become indispensable for vulnerability assessment and prioritization—but how do you calculate them? After all, the severity of any security vulnerability depends on many factors and means different things to different people and for different systems.

Already in 2005, the US National Infrastructure Advisory Council (NIAC) created the unsuccessful CVSS version 1, with the Forum of Incident Response and Security Teams (FIRST) soon being put in charge of developing and maintaining a more practical vulnerability scoring system. CVSSv2 followed in 2007, v3.0 in 2015, v3.1 in 2019, and finally v4.0 in 2023. Each iteration has incorporated industry feedback, observed usage practices, and changes to the threat landscape.

The fundamental thing about any CVSS base score is that it only reflects the technical severity of a vulnerability when considered in isolation. Usually, this value alone is not enough to determine the risk and therefore the remediation priority, yet CVSS scores have frequently been confused with risk scores. One of the main goals for CVSS 4.0 was to redesign the whole scoring system to incorporate additional metrics that could provide a broader picture of each vulnerability in a specific context, resulting in more useful inputs for risk analysis.

What’s new in CVSSv4.0 compared to CVSS v3.1

To make it clear that the base score is only the starting point for building a full picture, version 4.0 also defines a threat score and environmental score, with separate names for each combination of component scores (note that temporal metrics from v3.1 are now called threat metrics):

  • CVSS-B: Base
  • CVSS-BT: Base+Threat
  • CVSS-BE: Base+Environmental
  • CVSS-BTE: Base+Threat+Environmental

The new nomenclature makes it clear whether you’re dealing only with a raw base score or other metrics have also been incorporated—and the more metrics you include, the better your picture of the resulting risk. If systematically and correctly implemented, the extended CVSS-BTE score may allow organizations to determine risk with an accuracy comparable to proprietary risk scoring methods. In theory, you should be able to calculate your own unique CVSS-BTE value by taking the base score from an information provider, the environmental metric values from your asset management database, and the threat score from your threat intelligence data.

CVSS numerical score vs. CVSS vector

Each CVSS score consists of a numerical score and a vector string that encodes all the CVSS metrics and values supplied by a provider using a set of abbreviations. In simple terms, the numerical score provides a quick view of the overall severity, while the vector describes the vulnerability in detail by listing specific metrics and values using their abbreviations. For example, AV:N in the example below means Attack Vector: Network.

 

As more metrics are added, the vector string gets longer. Here’s an example from the CVSS 4.0 specification docs, illustrating how the infamous Heartbleed vulnerability (CVE-2014-0160) would be described in version 4.0 as compared to 3.1:

 

  • CVSS 3.1: Base score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVSS 4.0: Base+Threat score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A

New, changed, and retired base metrics

Starting with the biggest departure, the unloved and ambiguous SCOPE (S) has been removed from the base metric set since it caused scoring inconsistencies depending on how a specific provider interpreted it. Instead of a single vague metric, scope is now defined in terms of the impact on confidentiality, integrity, and availability for both the vulnerable system and any subsequent systems, giving a total of six detailed impact metrics. Other retired metrics include Remediation Level (RL) and Report Confidence (RC).

An important change is that the single Attack Complexity (AC) metric, which in CVSS3.1 was limited to a low or high value, has been redefined and split into two more specific metrics. The new version redefines Attack Complexity (AC) to mean the attacker effort required to overcome any defensive measures. It also adds Attack Requirements (AT because AR was already taken) to specify any prerequisites for a component to be vulnerable.

To account for the growing complexity and diversity of applications and user interfaces, the User Interaction (UI) base metric has been redefined to provide finer granularity than a simple yes/no. With version 4.0, you can specify three levels of user interaction: None, Passive (requires limited and involuntary user interaction), or Active (vulnerability exploitation requires deliberate and specific user actions).

New supplemental metric group

CVSS4.0 adds a whole new set of optional supplemental metrics that, when provided, can allow organizations to define and measure context-dependent vulnerability attributes. Information providers have the option to use these metrics to convey additional information, but it’s up to the information consumer if and how these metrics should affect the final score. Six main supplemental metrics have been added:

  • Automatable (A): Indicates whether the provider believes attackers could automatically exploit the vulnerability across multiple targets (Yes/No).
  • Recovery (R): Describes how an attacked system will be able to recover from an attack on the vulnerability. Possible values are Automatic (meaning that fully automatic recovery is possible), User (if recovery requires manual intervention), or Irrecoverable.
  • Value Density (V): Indicates the value of a single exploitation to an attacker. Possible values are Diffuse (exploiting a single vulnerability provides relatively little value or few system resources) or Concentrated (a single attack can yield lots of resources to the attacker).
  • Vulnerability Response Effort (RE): Indicates how difficult it will be for a consumer to respond to a successful attack, with possible effort values of Low, Moderate, or High.
  • Provider Urgency (U): Allows information providers to recommend an urgency rating using an alert signal code of Red (highest), Amber (moderate), Green (reduced), or Clear (informational only).
  • Safety (S): CVSS versions were limited to computer systems and logical impacts on those systems but provided no way of indicating potential consequences in the physical world. The new Safety metric now allows providers to flag vulnerabilities that could lead to death or injury if exploited—especially important for industrial control systems, healthcare, and high-risk IoT systems. Possible values indicate the presence of physical safety risks: Present, Negligible, or Not Defined.
  • Related to the main Safety metric are two additional metrics for subsequent systems: Modified Integrity of Subsequent System: Safety (MSI:S) and Modified Availability of Subsequent System: Safety (MSA:S). The information consumer can supply these to indicate whether a successful attack can impact the integrity or availability of a related system in a way that threatens safety.

Again, all the supplemental metrics are purely optional and can be supplied or omitted by providers as needed for a specific vulnerability.

CVSSv4.0 support in Invicti and Acunetix

As a CVSS information provider both for CVEs and for newly identified application vulnerabilities, Invicti is leading the way among DAST vendors by adding CVSS 4.0 support to its Invicti and Acunetix products. The CVSS scores and vectors for v4.0 will now appear in vulnerability reports alongside existing CVSS 3.0 and 3.1 information to provide Invicti customers with multiple options to use as inputs for their risk management and vulnerability mitigation efforts.

As of December 2023, CVSS 4.0 support is available in all Invicti and Acunetix products except for Invicti Enterprise on-premises and Acunetix 360 on-premises—for these, the functionality will be added in January 2024.

Conclusion

The changes made to CVSS 4.0 address the most criticized shortcomings of 3.1 and bring the standard up to date with current technologies and threats, though at the cost of making the whole system even more complex. Compared to its predecessor, version 4.0 promises more realistic, granular, and customizable vulnerability scoring that incorporates real-world impacts where applicable. Assuming they are correctly and consistently used, CVSS-BTE scores could, in theory, replace many existing proprietary risk calculation methods with a standardized system.

The elephant in the room is that a new standard doesn’t implement itself, so each organization (whether an information provider or consumer) will still need to work to get the most out of it. In fact, as soon as CVSS 4.0 hit public preview, some critical voices were saying that the whole concept of centralized vulnerability scoring and reporting is fundamentally flawed and, despite welcome updates, version 4.0 can do nothing to fix it.

Until the industry comes up with a better alternative, the new CVSS 4.0 will at least allow vulnerability databases like NVD to provide more accurate and informative vulnerability scores for CVEs—and vulnerability information providers like Invicti to supply richer data in their application vulnerability reports.

To learn more about CVSS 4.0, see the full specification document on the first.org site.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.