[Vex 8.0.0.0 or later]
Previously, the vulnerability risk level was based on Vex's own standard, but since Vex 8.0.0.0 risk levels have been assessed using CVSS v3.
To check the correspondence between the Vex risk level and CVSS v3, see the "Vex Risk level correspondence table" under the Tool icon in the upper right of the screen.
*The Vex Risk Level is scored using the CVSS v3 Base Metrics, based on the behavior that can be observed from the execution result of the signature (primary damage).
[Reference Information]
FIRST (Forum of Incident Response and Security Teams):
"Common Vulnerability Scoring System v3.0: Specification Document"
https://www.first.org/cvss/v3.0/specification-document
[Vex 7.2.2.0 and earlier]
For versions prior to Vex 7.2.2.0, the risk level corresponds to CVSS v2. See below for details.
● Risk Level: High
CVSS Base score: 7.0 - 10.0
-The system may be completely controlled remotely.
-Most of the information may be leaked.
-Most of the information may be falsified.
-The possibility of denial of service (DoS) that stops all systems, OS command injection, SQL injection, execution of commands due to buffer overflow, etc.
● Risk Level: Medium
CVSS Base score: 4.0 - 6.9
-Some information may be leaked.
-Some information may be falsified.
-A service outage may occur.
-The possibility of cross-site scripting, directory traversal that causes information leakage, denial of service (DoS) that stops systems, etc.
-Other threats that fall under Level III but have low reproducibility.
● Risk Level: Low
CVSS Base score: 0.1 - 3.9
-There are threats that require complicated conditions to attack.
-Other threats that fall under Level II but have low reproducibility.
● Risk Level: Remarks
CVSS Base score: 0
-The detected event may not cause damage on its own, or there is no available means of exploitation at the present time.
However, remediation should be considered in order to enhance security.
[Reference Information]
FIRST (Forum of Incident Response and Security Teams):
"A Complete Guide to the Common Vulnerability Scoring System"