Security Vulnerability Severity Ratings
Mistakes are made in the process of designing and coding technology. When those mistakes are exploited by nefarious actors, the result can be devastating.
The Common Vulnerability Scoring System (CVSS) is an open framework for rating the severity of vulnerabilities. It produces a number based on three metrics: Base, Temporal and Environmental.
These vulnerabilities affect the integrity of an organization’s systems and data. Attackers can use them to gain access to application resources or unintended exposure of data. Examples include XML External Entity Injection, Server Side Request Forgery, and Local File Inclusion/Path Traversal.
Affected systems are vulnerable to attacks that result in sensitive information disclosure and those that could cause a denial of service. The score of these issues varies depending on whether they require additional work on the attacker’s part or privileges to exploit (such as man-in-the-middle or theft of a shared secret key), as well as the scope of information exposed, uniquily identify users, and other factors.
The most dangerous of these vulnerabilities can be exploited without the need for authentication and can be used to gain privileged access or execute code on a host. They are usually rated at CVSS 3.1 between 7.0-8.9. Snyk uses the Base, Temporal and Environmental metrics to evaluate vulnerabilities.
At the Important level, exploitation of a vulnerability would lead to compromise of the confidentiality or integrity of data. It can include flaws that enable attackers to steal session information or conduct a man-in-the-middle attack. These attacks do not require sophisticated technical skills and can be conducted from a remote unauthenticated location.
At this severity rating, the impact on an organization is not as severe as it is with Critical or High vulnerabilities. However, these vulnerabilities should still be fixed as they introduce weakness in your application or systems and may be combined with other issues of higher severity ratings to cause a greater impact.
The base score for this metric takes into account intrinsic characteristics of the flaw that do not change over time, and does not take into account the environment or mitigations your organization has put in place to prevent exploit. It’s important to note that many public vulnerability indices (such as NVD) and scanners use this scoring methodology.
Medium severity vulnerabilities allow attackers to read or modify limited amounts of data, or can be exploited with other bugs to gain unintended access to systems or resources. Examples include reflected XSS and misconfigured web sessions. These flaws are harmful by themselves, but are less impactful than Critical and High severity issues.
High severity vulnerability ratings assume that exploitation will result in complete system compromise (e.g. arbitrary code execution). Attackers must have at least some level of technical skill or intrinsic knowledge to successfully exploit these flaws. Examples include XML External Entity Injection and LFI. These flaws can be exploited to expose or steal session information, or to impersonate other origins or read cross-origin data.
Half red / half yellow severity levels indicate vulnerabilities that are confirmed in some scan results but not in others due to various factors affecting the vulnerability detection process. Until these vulnerabilities are confirmed, they will be considered potential and not appear in the Results.
In the case of Low severity issues, attackers may still access some information but the impact on an organization is much less severe than a critical or high vulnerability. For example, a bank would likely consider the loss of customer confidential banking information to be a low impact issue.
Low severity bugs typically have significant mitigating factors such as non-reproducible crashes or other exceptions to Chrome’s normal operation that prevent the flaw from being exploited in an attack. They can also have other factors such as unlikely or unusual user interaction that reduces the vulnerability’s risk to the end-user.
Other reasons for variation in scores include the presence of source code protection mechanisms that mitigate a vulnerability, and how software is used within a product. For instance, a vulnerability that allows a malicious browser extension to execute arbitrary code in the context of a Google search might be rated higher by some vendors and NIST than others.