CVSS & National Vulnerability Database

Understanding vulnerability scoring and leveraging the NVD for security assessments

What are CVSS and NVD?

CVSS (Common Vulnerability Scoring System) provides a standardized way to assess vulnerability severity. The NVD (National Vulnerability Database) is NIST's comprehensive repository of vulnerability data.

CVSS Benefits:

Standardized Scoring: 0.0 to 10.0 severity scale
Multiple Metrics: Base, Temporal, and Environmental
Clear Communication: Vector strings describe vulnerabilities
Risk Prioritization: Focus on critical issues first

NVD Features:

CVE (Common Vulnerabilities and Exposures) database
CVSS scores and vector analysis
CPE (Common Platform Enumeration) mappings
API access for automation

CVSS Severity Bands

Severity	Base Score Range	Color Code	Response Time
Critical	9.0 - 10.0	Black	Immediate action required
High	7.0 - 8.9	Red	Within 7-15 days
Medium	4.0 - 6.9	Orange	Within 30 days
Low	0.1 - 3.9	Green	Within 90 days
None	0.0	Gray	No action needed

Note: Response times should be adjusted based on your organization's risk tolerance and the criticality of affected systems.

CVSS v3.1 Base Metrics

Exploitability Metrics

Metric	Values	Description
Attack Vector (AV)	N, A, L, P	Network, Adjacent, Local, Physical
Attack Complexity (AC)	L, H	Low, High
Privileges Required (PR)	N, L, H	None, Low, High
User Interaction (UI)	N, R	None, Required
Scope (S)	U, C	Unchanged, Changed

Impact Metrics

Metric	Values	Impact Level
Confidentiality (C)	N, L, H	None, Low, High
Integrity (I)	N, L, H	None, Low, High
Availability (A)	N, L, H	None, Low, High

CIA Triad: These metrics directly map to the confidentiality, integrity, and availability principles of information security.

Critical: Remote Code Execution

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Base Score: 10.0

Breakdown:

AV:N - Exploitable from network
AC:L - Easy to exploit
PR:N - No privileges needed
UI:N - No user interaction
S:C - Escapes containment
C/I/A:H - Full system compromise

Example: Unauthenticated RCE in web server

Medium: Local Privilege Escalation

Vector String:

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score: 7.0

Breakdown:

AV:L - Requires local access
AC:H - Complex exploitation
PR:L - Basic user required
UI:N - No user interaction
S:U - Same security context
C/I/A:H - Full local compromise

Example: Kernel exploit requiring race condition

National Vulnerability Database (NVD)

Key Features:

CVE Data

Unique CVE identifiers
Detailed vulnerability descriptions
Affected software versions (CPE)
Reference links and advisories

CVSS Scoring

Base, Temporal, Environmental scores
Vector string breakdowns
Score calculators
Severity ratings

API Access:

# Get specific CVE data
curl "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-34362"

# Search by keyword
curl "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=apache"

# Filter by date range
curl "https://services.nvd.nist.gov/rest/json/cves/2.0?pubStartDate=2023-01-01&pubEndDate=2023-12-31"

Quick Links

NVD Homepage Search Vulnerabilities CVSS Calculator

API Rate Limits:

Without API key: 10 requests/min
With API key: 100 requests/min
Free registration available

Vulnerability Management Workflow

1. Discovery & Assessment

Monitor Sources:
- NVD feeds and email alerts
- Vendor security advisories
- Bug bounty reports
- Threat intelligence feeds
Assess Impact:
- Calculate CVSS base score
- Apply temporal factors (exploit availability)
- Consider environmental factors

2. Prioritization & Remediation

Prioritize Response:
- Critical systems first
- Internet-facing services
- Business-critical applications
- Internal systems by risk
Track Progress:
- Create remediation tickets
- Monitor patch deployment
- Verify successful mitigation
- Document exceptions

Best Practice: Combine CVSS scores with asset criticality and threat intelligence for risk-based prioritization. Not all "Critical" vulnerabilities pose the same risk to your organization.

Beyond Base Scores: Temporal & Environmental

Temporal Metrics

Adjust scores based on current threat landscape:

Exploit Code Maturity:
- Not Defined (X)
- Unproven (U)
- Proof-of-Concept (P)
- Functional (F)
- High (H)
Remediation Level:
- Official Fix (O)
- Temporary Fix (T)
- Workaround (W)
- Unavailable (U)
Report Confidence:
- Confirmed (C)
- Reasonable (R)
- Unknown (U)

Environmental Metrics

Customize based on your environment:

Security Requirements:
- Confidentiality (CR): Low, Medium, High
- Integrity (IR): Low, Medium, High
- Availability (AR): Low, Medium, High
Modified Base Metrics:
- Adjust AV, AC, PR, UI, S if mitigations exist
- Reflect compensating controls
- Account for network segmentation

Example: A Critical web server vulnerability (9.8) might drop to High (7.5) if behind a properly configured WAF.

Practical Examples

Python Script: Check Latest CVEs

import requests
import json
from datetime import datetime, timedelta

# Get CVEs from last 7 days
end_date = datetime.now()
start_date = end_date - timedelta(days=7)

url = "https://services.nvd.nist.gov/rest/json/cves/2.0"
params = {
    "pubStartDate": start_date.strftime("%Y-%m-%d"),
    "pubEndDate": end_date.strftime("%Y-%m-%d")
}

response = requests.get(url, params=params)
data = response.json()

# Display high/critical vulnerabilities
for vuln in data.get("vulnerabilities", []):
    cve = vuln.get("cve", {})
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    
    if metrics:
        score = metrics[0]["cvssData"]["baseScore"]
        if score >= 7.0:
            print(f"{cve['id']}: {score} - {cve.get('descriptions', [{}])[0].get('value', 'N/A')[:100]}...")

Bash: Monitor Specific Product

#!/bin/bash
# Monitor Apache vulnerabilities

KEYWORD="apache"
SEVERITY_THRESHOLD=7.0

# Query NVD API
RESPONSE=$(curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=$KEYWORD")

# Parse and filter by severity
echo "$RESPONSE" | jq -r '.vulnerabilities[] | 
  select(.cve.metrics.cvssMetricV31[0].cvssData.baseScore >= '$SEVERITY_THRESHOLD') | 
  "(.cve.id): Score (.cve.metrics.cvssMetricV31[0].cvssData.baseScore) - (.cve.descriptions[0].value)"' | 
  head -10

Key Takeaways

Remember:

✅ CVSS provides standardized severity ratings
✅ Base scores are just the starting point
✅ NVD is free and provides comprehensive data
✅ API access enables automation
✅ Context matters - adjust for your environment

Best Practices:

📊 Track vulnerability metrics over time
🔄 Automate vulnerability scanning
📋 Document remediation SLAs
🎯 Focus on exploitable vulnerabilities
🛡️ Layer security controls for defense in depth

What are CVSS and NVD?

CVSS Benefits:

NVD Features:

CVSS Severity Bands

CVSS v3.1 Base Metrics

Exploitability Metrics

Impact Metrics

Critical: Remote Code Execution

Vector String:

Base Score: 10.0

Breakdown:

Medium: Local Privilege Escalation

Vector String:

Base Score: 7.0

Breakdown:

National Vulnerability Database (NVD)

Key Features:

CVE Data

CVSS Scoring

API Access:

Quick Links

API Rate Limits:

Vulnerability Management Workflow

1. Discovery & Assessment

2. Prioritization & Remediation

Beyond Base Scores: Temporal & Environmental

Temporal Metrics

Environmental Metrics

Practical Examples

Python Script: Check Latest CVEs

Bash: Monitor Specific Product

Key Takeaways

Remember:

Best Practices:

Related Topics