CVSS Score

The Common Vulnerability Scoring System (CVSS) object provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

Attributes

Caption	Name	Type	Description
Access Complexity (AC)	`access_complexity_id`	Integer	Name: Access Complexity (AC). Group: Base. CVSS Version: v1, v2 🚧 WARNING: DEPRECATED Access Complexity (AC) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Low (L) (`LOW_(L)`) `1`: Medium (M) (`MEDIUM_(M)`) `2`: High (H) (`HIGH_(H)`)
Access Vector (AV)	`access_vector_id`	Integer	Name: Access Vector (AV). Group: Base. CVSS version: v1, v2 🚧 WARNING: DEPRECATED Access Vector (AV) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Local (L) (`LOCAL_(L)`) `1`: Adjacent Network (A) (`ADJACENT_NETWORK_(A)`) `2`: Network (N) (`NETWORK_(N)`)
Attack Complexity (AC)	`attack_complexity_id`	Integer	The Attack Complexity Common Vulnerability Scoring System (CVSS) metric. Name: Attack Complexity (AC). Group: Base. CVSS version: v3 🚧 WARNING: DEPRECATED Attack Complexity (AC) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Low (L) (`LOW_(L)`) `1`: High (H) (`HIGH_(H)`)
Attack Vector (AV)	`attack_vector_id`	Integer	Name: Attack Vector (AV). Group: Base. CVSS version: v3 🚧 WARNING: DEPRECATED Attack Vector (AV) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Network (N) (`NETWORK_(N)`) `1`: Adjacent (A) (`ADJACENT_(A)`) `2`: Local (L) (`LOCAL_(L)`) `3`: Physical (P) (`PHYSICAL_(P)`)
Authentication (Au)	`authentication_id`	Integer	Name: Authentication (Au). Group: Base. CVSS version: v1, v2 🚧 WARNING: DEPRECATED Authentication (Au) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: None (`NONE`) `1`: Single (S) (`SINGLE_(S)`) `2`: Multiple (M) (`MULTIPLE_(M)`)
Availability (A)	`availability_id`	Integer	Name: Availability (A). Group: Base. CVSS version: v3 🚧 WARNING: DEPRECATED Availability (A) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: None (N) (`NONE_(N)`) `1`: Low (L) (`LOW_(L)`) `2`: High (H) (`HIGH_(H)`)
Availability Impact (A)	`availability_impact_id`	Integer	Name: Availability Impact (A). Group: Base, CVSS version: v1, v2 🚧 WARNING: DEPRECATED Availability Impact (A) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: None (N) (`NONE_(N)`) `1`: Partial (P) (`PARTIAL_(P)`) `2`: Complete (C) (`COMPLETE_(C)`)
Availability Requirement (AR)	`availability_requirement_id`	Integer	Name: Availability Requirement (AR). Group: Environmental. CVSS version: v2, v3 🚧 WARNING: DEPRECATED Availability Requirement (AR) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X, ND) (`NOT_DEFINED_(X,_ND)`) `1`: Low (L) (`LOW_(L)`) `2`: Medium (LM) (`MEDIUM_(LM)`) `3`: High (H) (`HIGH_(H)`)
Base Score	`base_score`	Float	The CVSS base score. For example: `9.1`.
Collateral Damage Potential (CDP)	`collateral_damage_potential_id`	Integer	Name: Collateral Damage Potential (CDP). Group: Environmental. CVSS version: v1, v2 🚧 WARNING: DEPRECATED Collateral Damage Potential (CDP) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: None (N) (`NONE_(N)`) `1`: Low (L) (`LOW_(L)`) `2`: Low-Medium (LM) (`LOW-MEDIUM_(LM)`) `3`: Medium-High (MH) (`MEDIUM-HIGH_(MH)`) `4`: High (H) (`HIGH_(H)`) `5`: Not Defined (ND) (`NOT_DEFINED_(ND)`)
Confidentiality (C)	`confidentiality_id`	Integer	The Confidentiality Common Vulnerability Scoring System (CVSS) metric. Name: Confidentiality (C). Group: Base. CVSS version: v3 🚧 WARNING: DEPRECATED Confidentiality (C) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `-1`: Other (`OTHER`) `0`: None (N) (`NONE_(N)`) `1`: Low (L) (`LOW_(L)`) `2`: High (H) (`HIGH_(H)`) `3`: Secret (`SECRET`) `4`: Top Secret (`TOP_SECRET`) `5`: Private (`PRIVATE`) `6`: Restricted (`RESTRICTED`) `99`: Other (`OTHER`)
Confidentiality Impact (C)	`confidentiality_impact_id`	Integer	Name: Confidentiality Impact (C). Group: Base CVSS version: v1, v2 🚧 WARNING: DEPRECATED Confidentiality Impact (C) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: None (N) (`NONE_(N)`) `1`: Partial (P) (`PARTIAL_(P)`) `2`: Complete (C) (`COMPLETE_(C)`)
Confidentiality Requirement (CR)	`confidentiality_requirement_id`	Integer	Name: Confidentiality Requirement (CR). Group: Environmental. CVSS version: v2, v3 🚧 WARNING: DEPRECATED Confidentiality Requirement (CR) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X, ND) (`NOT_DEFINED_(X,_ND)`) `1`: Low (L) (`LOW_(L)`) `2`: Medium (LM) (`MEDIUM_(LM)`) `3`: High (H) (`HIGH_(H)`)
CVSS Depth	`depth`	String	The CVSS depth represents a depth of the equation used to calculate CVSS score. `Base`: Base (`BASE`) `Environmental`: Environmental (`ENVIRONMENTAL`) `Temporal`: Temporal (`TEMPORAL`)
CVSS Depth	`depth_id`	Integer	The CVSS depth. Representing a depth of the equation used to calculate CVSS score. 🚧 WARNING: DEPRECATED CVSS Depth has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Base (`BASE`) `1`: Temporal (`TEMPORAL`) `2`: Environmental (`ENVIRONMENTAL`)
Exploit Code Maturity (E)	`exploit_code_maturity_id`	Integer	Name: Exploit Code Maturity (E). Group: Temporal. CVSS version: v3 🚧 WARNING: DEPRECATED Exploit Code Maturity (E) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X) (`NOT_DEFINED_(X)`) `1`: High (H) (`HIGH_(H)`) `2`: Functional (F) (`FUNCTIONAL_(F)`) `3`: Proof-of-Concept (P) (`PROOF-OF-CONCEPT_(P)`) `4`: Unproven (U) (`UNPROVEN_(U)`)
Exploitability (E)	`exploitability_id`	Integer	Name: Exploitability (E). Group: Temporal. CVSS version: v1, v2 🚧 WARNING: DEPRECATED Exploitability (E) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (ND) (`NOT_DEFINED_(ND)`) `1`: High (H) (`HIGH_(H)`) `2`: Functional (F) (`FUNCTIONAL_(F)`) `3`: Proof-of-Concept (POC) (`PROOF-OF-CONCEPT_(POC)`) `4`: Unproven (U) (`UNPROVEN_(U)`)
Integrity (I)	`integrity_id`	Integer	The Integrity Common Vulnerability Scoring System (CVSS) metric. Name: Integrity (I). Group: Base. CVSS version: v3 🚧 WARNING: DEPRECATED Integrity (I) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: None (N) (`NONE_(N)`) `1`: Low (L) (`LOW_(L)`) `2`: High (H) (`HIGH_(H)`) `3`: Medium (`MEDIUM`) `4`: High (`HIGH`) `5`: System (`SYSTEM`) `6`: Protected (`PROTECTED`) `99`: Other (`OTHER`)
Integrity Impact (I)	`integrity_impact_id`	Integer	Name: Integrity Impact (I). Group: Base. CVSS version: v1, v2 🚧 WARNING: DEPRECATED Integrity Impact (I) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: None (N) (`NONE_(N)`) `1`: Partial (P) (`PARTIAL_(P)`) `2`: Complete (C) (`COMPLETE_(C)`)
Integrity Requirement (IR)	`integrity_requirement_id`	Integer	Name: Integrity Requirement (IR). Group: Environmental. CVSS version: v2, v3 🚧 WARNING: DEPRECATED Integrity Requirement (IR) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X, ND) (`NOT_DEFINED_(X,_ND)`) `1`: Low (L) (`LOW_(L)`) `2`: Medium (LM) (`MEDIUM_(LM)`) `3`: High (H) (`HIGH_(H)`)
Metrics	`metrics`	Metric[]	The Common Vulnerability Scoring System metrics. This attribute contains information on the CVE's impact. If the CVE has been analyzed, this attribute will contain any CVSSv2 or CVSSv3 information associated with the vulnerability. For example: `{ {"Access Vector", "Network"}, {"Access Complexity", "Low"}, ...}`.
Modified Attack Complexity (MAC)	`modified_attack_complexity_id`	Integer	Name: Modified Attack Complexity (MAC). Group: Environmental. Version: v3 🚧 WARNING: DEPRECATED Modified Attack Complexity (MAC) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X) (`NOT_DEFINED_(X)`) `1`: Low (L) (`LOW_(L)`) `2`: High (H) (`HIGH_(H)`)
Modified Attack Vector (MAV)	`modified_attack_vector_id`	Integer	Name: Modified Attack Vector (MAV). Group: Environmental. Version: v3 🚧 WARNING: DEPRECATED Modified Attack Vector (MAV) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X) (`NOT_DEFINED_(X)`) `1`: Network (N) (`NETWORK_(N)`) `2`: Adjacent (A) (`ADJACENT_(A)`) `3`: Local (L) (`LOCAL_(L)`) `4`: Physical (P) (`PHYSICAL_(P)`)
Modified Availability (MA)	`modified_availability_id`	Integer	Name: Modified Availability (MA). Group: Environmental. Version: v3 🚧 WARNING: DEPRECATED Modified Availability (MA) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X) (`NOT_DEFINED_(X)`) `1`: None (N) (`NONE_(N)`) `2`: Low (L) (`LOW_(L)`) `3`: High (H) (`HIGH_(H)`)
Modified Confidentiality (MC)	`modified_confidentiality_id`	Integer	Name: Modified Confidentiality (MC). Group: Environmental. Version: v3 🚧 WARNING: DEPRECATED Modified Confidentiality (MC) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X) (`NOT_DEFINED_(X)`) `1`: None (N) (`NONE_(N)`) `2`: Low (L) (`LOW_(L)`) `3`: High (H) (`HIGH_(H)`)
Modified Integrity (MI)	`modified_integrity_id`	Integer	Name: Modified Integrity (MI). Group: Environmental. Version: v3 🚧 WARNING: DEPRECATED Modified Integrity (MI) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X) (`NOT_DEFINED_(X)`) `1`: None (N) (`NONE_(N)`) `2`: Low (L) (`LOW_(L)`) `3`: High (H) (`HIGH_(H)`)
Modified Privileges Required (MPR)	`modified_privileges_required_id`	Integer	Name: Modified Privileges Required (MPR). Group: Environmental. Version: v3 🚧 WARNING: DEPRECATED Modified Privileges Required (MPR) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X) (`NOT_DEFINED_(X)`) `1`: None (N) (`NONE_(N)`) `2`: Low (L) (`LOW_(L)`) `3`: High (H) (`HIGH_(H)`)
Modified Scope (MS)	`modified_scope_id`	Integer	Name: Modified Scope (MS). Group: Environmental. Version: v3 🚧 WARNING: DEPRECATED Modified Scope (MS) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X) (`NOT_DEFINED_(X)`) `1`: Unchanged (U) (`UNCHANGED_(U)`) `2`: Changed (C) (`CHANGED_(C)`)
Modified User Interaction (MUI)	`modified_user_interaction_id`	Integer	Name: Modified User Interaction (MUI). Group: Environmental. Version: v3 🚧 WARNING: DEPRECATED Modified User Interaction (MUI) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X) (`NOT_DEFINED_(X)`) `1`: None (N) (`NONE_(N)`) `2`: Required (R) (`REQUIRED_(R)`)
Overall Score	`overall_score`	Float	The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: `9.1`.
Privileges Required (PR)	`privileges_required_id`	Integer	The Privileges Required (PR) Common Vulnerability Scoring System (CVSS) metric. Name: Privileges Required (PR). Group: Base. CVSS version: v3 🚧 WARNING: DEPRECATED Privileges Required (PR) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: None (N) (`NONE_(N)`) `1`: Low (L) (`LOW_(L)`) `2`: High (H) (`HIGH_(H)`)
Raw Data	`raw_data`	JSON	The event data as received from the event source.
Reputation Score	`raw_score`	Float	CVSS Score in the range of 0.0 to 10.0. 🚧 WARNING: DEPRECATED Reputation Score has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Record ID	`record_id`	String	Unique identifier for the object
Remediation Level (RL)	`remediation_level_id`	Integer	Name: Remediation Level (RL). Group: Temporal. CVSS version: v1, v2, v3 🚧 WARNING: DEPRECATED Remediation Level (RL) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X, ND) (`NOT_DEFINED_(X,_ND)`) `1`: Unavailable (U) (`UNAVAILABLE_(U)`) `2`: Workaround (W) (`WORKAROUND_(W)`) `3`: Temporary Fix (T, TF) (`TEMPORARY_FIX_(T,_TF)`) `4`: Official Fix (O, OF) (`OFFICIAL_FIX_(O,_OF)`)
Report Confidence (RC)	`report_confidence_id`	Integer	Name: Report Confidence (RC). Group: Temporal. CVSS version: v1, v2, v3 🚧 WARNING: DEPRECATED Report Confidence (RC) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Not Defined (X, ND) (`NOT_DEFINED_(X,_ND)`) `1`: Confirmed (C) (`CONFIRMED_(C)`) `2`: Reasonable (R) (`REASONABLE_(R)`) `3`: Unconfirmed (UC) (`UNCONFIRMED_(UC)`) `4`: Uncorroborated (UR) (`UNCORROBORATED_(UR)`) `5`: Unknown (U) (`UNKNOWN_(U)`)
Scope (S)	`scope_id`	Integer	Name: Scope (S). Group: Base. CVSS version: v3 🚧 WARNING: DEPRECATED Scope (S) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: Unchanged (U) (`UNCHANGED_(U)`) `1`: Changed (C) (`CHANGED_(C)`)
Severity	`severity`	String	The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. CVSS v2.0 Low (0.0 – 3.9) Medium (4.0 – 6.9) High (7.0 – 10.0) CVSS v3.0 None (0.0) Low (0.1 - 3.9) Medium (4.0 - 6.9) High (7.0 - 8.9) Critical (9.0 - 10.0)
Qualitative Severity Rating	`severity_id`	Integer	The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. None (0.0), Low (0.1 - 3.9), Medium (4.0 - 6.9), High (7.0 - 8.9), Critical (9.0 - 10.0) 🚧 WARNING: DEPRECATED Qualitative Severity Rating has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `-1`: Other (`OTHER`) `0`: None (`NONE`) `1`: Low (`LOW`) `2`: Medium (`MEDIUM`) `3`: High (`HIGH`) `4`: Critical (`CRITICAL`) `5`: Critical (`CRITICAL`) `6`: Fatal (`FATAL`) `99`: Other (`OTHER`)
Target Distribution (TD)	`target_distribution_id`	Integer	Name: Target Distribution (TD). Group: Environmental. CVSS version: v1, v2 🚧 WARNING: DEPRECATED Target Distribution (TD) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: None (N) (`NONE_(N)`) `1`: Low (L) (`LOW_(L)`) `2`: Medium (LM) (`MEDIUM_(LM)`) `3`: High (H) (`HIGH_(H)`) `4`: Not Defined (ND) (`NOT_DEFINED_(ND)`)
Unmapped Data	`unmapped`	Unmapped[]	The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
User Interaction (UI)	`user_interaction_id`	Integer	The User Interaction Common Vulnerability Scoring System (CVSS) metric. Name: User Interaction (UI). Group: Base. CVSS version: v3 🚧 WARNING: DEPRECATED User Interaction (UI) has been deprecated since 1.1.0. Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 `0`: None (N) (`NONE_(N)`) `1`: Required (R) (`REQUIRED_(R)`)
Vector String	`vector_string`	String	The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: `3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H`.
Version	`version`	String	The CVSS version. For example: `3.1`.

Relationships

Inbound Relationships

These objects and events reference CVSS Score in their attributes:

Outbound Relationships

CVSS Score references the following objects and events in its attributes:

This page describes qdm-1.3.2+ocsf-1.3.0