TL;DR
Yes, a CVSS score calculated from a vector string can differ from the score reported by tools or databases. This is usually due to rounding differences, variations in calculator implementations, or incorrect vector strings. Always verify the source of your vector and use a consistent calculator.
Understanding CVSS
CVSS (Common Vulnerability Scoring System) provides a standardized way to assess the severity of software vulnerabilities. It uses a formula based on metrics grouped into three categories:
- Base Metrics: Characteristics inherent to the vulnerability itself (e.g., attack vector, complexity).
- Temporal Metrics: Factors that change over time (e.g., exploit availability, remediation level).
- Environmental Metrics: Considerations specific to your environment (e.g., impact on confidentiality, integrity, and availability).
A CVSS vector string represents these metrics in a concise format. A calculator then uses this string to generate a numerical score.
Why Discrepancies Happen
- Rounding: The CVSS formula involves several calculations. Different calculators might round intermediate results differently, leading to slight variations in the final score.
- Calculator Implementations: While the CVSS specification is public, different tools (e.g., NVD Calculator, CVSS v3 Vector String Builder) may have slightly different implementations of the formula or handle edge cases differently.
- Incorrect Vector Strings: The most common cause! A small error in the vector string can significantly alter the score. This could be a typo, an outdated metric value, or a misunderstanding of the CVSS specification.
- Version Differences: CVSS has different versions (v2, v3.0, v3.1, v4). Ensure you’re using the correct calculator for the vector string version.
How to Resolve Discrepancies
- Verify the Vector String: Double-check the vector string against its original source (e.g., vulnerability database, security advisory). Look for typos or inconsistencies.
- Use a Standard Calculator: Use a well-respected and widely used CVSS calculator to recalculate the score. The NVD Calculator is a good option.
- Check Vector Version: Confirm that the vector string’s version matches the calculator you are using. For example, if the vector starts with `CVSS:3.1`, use a CVSS v3.1 calculator.
- Break Down the Metrics: If possible, manually input each metric into the calculator to identify which specific value is causing the difference. This helps pinpoint errors in the vector string.
- Consider Environmental Impact: Remember that environmental metrics can significantly affect the score. Ensure you’re using appropriate values for your environment.
Example
Let’s say a vulnerability has a reported CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and an initial score of 9.8.
If you input this into a different calculator, it might return 9.6 due to rounding differences in the formula. This is generally acceptable as long as both calculators are using CVSS v3.1.
Using Command-Line Tools (Example)
Some tools allow calculating CVSS scores from the command line:
cvssv3 --vector "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
(Note: You may need to install a CVSS calculator tool first, such as cvssv3 from Python packages.)
Final Thoughts
CVSS scores are valuable for prioritizing vulnerabilities. However, it’s important to understand that discrepancies can occur. By verifying the vector string and using a consistent calculator, you can ensure accurate scoring and effective risk management.