#cvss

tresronours@parlote.facil.services

New Common Vulnerability Scoring System (CVSS) v4.0 Released – What’s New!

CVSS (Common Vulnerability Scoring System) is a vital part of supplier-consumer communication about vulnerabilities: it provides a numerical score for the technical severity of a security vulnerability, which helps guide the following entities:-

  • Businesses

  • Service providers

  • Public

CVSS scores map to the following qualitative ratings, which are used to prioritize vulnerability management and strengthen defences against cyber threats, enabling real-time threat assessment for consumers’ protection:-

  • Low

  • Medium

  • High

  • Critical

CVSS version 4.0 was first unveiled by FIRST at the 35th Annual FIRST Conference in June 2023. After two months of public input and refinement, FIRST then officially released CVSS version 4.0.

The CVSS Special Interest Group is proud to announce the official release of CVSS v4.0 – [https://t.co/xxaoQ2iMjF](https://t.co/xxaoQ2iMjF). This latest version of CVSS seeks to provide all users with the highest fidelity vulnerability assessment. [#FIRSTdotOrg](https://twitter.com/hashtag/FIRSTdotOrg?src=hash&ref_src=twsrc%5Etfw) [#CVSS](https://twitter.com/hashtag/CVSS?src=hash&ref_src=twsrc%5Etfw) [#BuildingTrust](https://twitter.com/hashtag/BuildingTrust?src=hash&ref_src=twsrc%5Etfw) [#PSIRT](https://twitter.com/hashtag/PSIRT?src=hash&ref_src=twsrc%5Etfw) [#CSIRT](https://twitter.com/hashtag/CSIRT?src=hash&ref_src=twsrc%5Etfw) [pic.twitter.com/uhyeqs8lSh](https://t.co/uhyeqs8lSh)

— FIRST.org (@FIRSTdotOrg), [November 1, 2023](https://twitter.com/FIRSTdotOrg/status/1719765366648304051?ref_src=twsrc%5Etfw)

CVSS 4.0 – What’s New?

This new version, CVSS 4.0, aims to offer the most precise vulnerability assessment, as it provides:-

  • Finer detail

  • Clarity

  • Simplified threat metrics

These are the key elements that make it more effective for assessing security needs and controls. CVSS 4.0 also adds new metrics for assessing vulnerabilities, including:-

  • Automatable

  • Recovery

  • Value Density

  • Response Effort

  • Urgency

It has also been extended to OT/ICS/IoT environments with the addition of Safety metrics. CVSS 4.0 is a game-changer for global cybersecurity and incident response teams, offering a vital tool in the face of rising threats.

Before 2005, severity was rated with a variety of non-standard systems that did not agree with one another.

CVSS version 1 was introduced in February 2005, driven by FIRST, to standardize the measurement of vulnerabilities, and it became an important industry tool.

CVSS evolved from version 1 in 2005 to version 3.1 in 2019. Version 4.0 is a notable advance, emphasizing threat intelligence and environmental metrics for more accurate scoring.

The new nomenclature adopted in version 4.0 is as follows:-

  • CVSS-B: CVSS Base Score

  • CVSS-BT: CVSS Base + Threat Score

  • CVSS-BE: CVSS Base + Environmental Score

  • CVSS-BTE: CVSS Base + Threat + Environmental Score
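The nomenclature above follows directly from which metric groups a v4.0 vector string carries. The following added example (written for this page, not code from the article or from FIRST) validates a CVSS v4.0 vector string against the metric names and values in the v4.0 specification and reports whether it should be labelled CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE. It does not compute the score. One assumption is labelled in the code: a threat or environmental metric explicitly set to X (Not Defined) is treated as absent, since such a value does not alter the score. The sample vectors are constructed.

```python
# Added example: CVSS v4.0 vector validator and nomenclature classifier.
# Not the article's or FIRST's code. Metric names and allowed values follow
# the CVSS v4.0 specification; scoring is deliberately out of scope.


def _split(spec):
    """Expand 'AV=NALP AC=LH' shorthand into {metric: (allowed values...)}.
    Single-letter values are given as a run of letters; multi-letter values
    (only Provider Urgency uses them) are comma-separated."""
    out = {}
    for item in spec.split():
        name, values = item.split("=")
        out[name] = tuple(values.split(",")) if "," in values else tuple(values)
    return out


# Base metrics: all eleven are mandatory in every v4.0 vector.
BASE = _split("AV=NALP AC=LH AT=NP PR=NLH UI=NPA "
              "VC=HLN VI=HLN VA=HLN SC=HLN SI=HLN SA=HLN")
# Threat metric group: Exploit Maturity. X means Not Defined.
THREAT = _split("E=XAPU")
# Environmental metrics: security requirements plus the "modified" base metrics.
ENVIRONMENTAL = _split("CR=XHML IR=XHML AR=XHML "
                       "MAV=XNALP MAC=XLH MAT=XNP MPR=XNLH MUI=XNPA "
                       "MVC=XHLN MVI=XHLN MVA=XHLN MSC=XHLN MSI=XSHLN MSA=XSHLN")
# Supplemental metrics (Safety, Automatable, Recovery, Value Density,
# Vulnerability Response Effort, Provider Urgency). They are informational
# only and never change the score or the nomenclature label.
SUPPLEMENTAL = _split("S=XNP AU=XNY R=XAUI V=XDC RE=XLMH U=X,Clear,Green,Amber,Red")

ALLOWED = {**BASE, **THREAT, **ENVIRONMENTAL, **SUPPLEMENTAL}


def parse_vector(vector):
    """Parse a CVSS v4.0 vector into {metric: value}.
    Raises ValueError on a bad prefix, an unknown metric, an invalid value,
    a metric given twice, or a missing base metric."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("vector must start with CVSS:4.0")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name not in ALLOWED:
            raise ValueError(f"unknown metric {part!r}")
        if value not in ALLOWED[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        if name in metrics:
            raise ValueError(f"metric {name} given twice")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError("missing base metric(s): " + ", ".join(missing))
    return metrics


def is_valid(vector):
    """True if parse_vector accepts the vector, False otherwise."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def nomenclature(vector):
    """Return CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE for a vector.
    Assumption: a threat or environmental metric set to X (Not Defined)
    counts as absent, because it does not change the score."""
    metrics = parse_vector(vector)
    has_threat = any(metrics.get(m, "X") != "X" for m in THREAT)
    has_env = any(metrics.get(m, "X") != "X" for m in ENVIRONMENTAL)
    return "CVSS-B" + ("T" if has_threat else "") + ("E" if has_env else "")


if __name__ == "__main__":
    # Constructed sample vectors, one per nomenclature label.
    base = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    for v in (base, base + "/E:A", base + "/CR:H/MAV:A", base + "/E:P/IR:L", base + "/AU:Y"):
        print(nomenclature(v), v)
```

Running the script prints the label for each constructed vector; note that the last one, which only adds the supplemental Automatable metric, stays CVSS-B.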

The rapid rise in cybersecurity challenges shows how crucial global coordination is, and standards like CVSS 4.0 play a vital role in making the internet safer for everyone.


The post New Common Vulnerability Scoring System (CVSS) v4.0 Released – What’s New! appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
posted by pod_feeder

harald@hub.volse.no
Infosec: Seeking advice regarding CVSS scoring.

One of the hardest tasks in my day job (at WPScan.com) is to assign CVSS scores. Particularly the Availability impact metric is a source of internal arguments. Personally I think the CVSS v3.1 User Guide is quite clear on the subject, but we still end up arguing how this should be understood in the context of WordPress plugins.

Typically the argument is that if a vulnerability lets an attacker upload arbitrary files or execute arbitrary code, that amounts to a high impact on availability. The way I read the CVSS docs, this would only affect the Confidentiality and Integrity impact metrics, leaving Availability at None or at most Low.

Does anybody have any advice or insights into how we should understand and score this metric?

#infosec #WordPress #php #CVSS