Legacy Security Levels


Last modified: January 8, 2020

Overview

This document explains the previous security levels of advisories that posted on our Security page. These security levels apply to Targeted Security Releases before TSR-2017-0002.

CVSSv2

For Targeted Security Releases from TSR-2015-0001 to TSR-2017-0001, we used the Common Vulnerability Scoring System version 2 (CVSSv2) to score vulnerabilities. When we disclosed a vulnerability, we provided the vulnerability’s CVSSv2 Base Score and its Base Vector. You can use the CVSSv2 Base Vector to determine the complete CVSSv2 score.

Base Score and Base Metrics

The Base Score is a numeric value that ranges from 1 to 10, and increases as vulnerability levels increase. A value of 10 indicates the most severe vulnerabilities. The Base Metrics are vulnerability characteristics that remain constant regardless of changes in time or user environments.

To calculate the Base Score, assign values to the Base Metrics. For information about how to calculate base scores, visit first.org’s A Complete Guide to the CVSSv2 documentation.

Base Vector

The Base Vector describes the components from which the Base Score is calculated. Base Vectors display in the following structure:

(AV:[L,A,N]/AC:[H,M,L]/Au:[N,S,M]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C])
Note:

You must choose one option for each set of brackets.

  • Metrics that the brackets do not contain are mandatory, and you must include them to create a valid CVSS vector.
  • Each letter or pair of letters represents a metric or metric value within CVSS.

The table below defines each Base Vector metric and their possible values:

Metric Description Possible values
AV A vulnerability’s network exploit level.
  • L — Local access
  • A — Adjacent network
  • N — Network
    AC A vulnerability’s required attack complexity.
    • H — High
    • M — Medium
    • L — Low
    Au A vulnerability’s required account authentication level.
    • N — None required
    • S — Requires single instance
    • M — Requires multiple instances
    C A vulnerability’s information confidentiality impact.
    • N — None
    • P — Partial
    • C — Complete
    I A vulnerability’s account integrity impact.
    • N — None
    • P — Partial
    • C — Complete
    A A vulnerability’s account availability impact.
    • N — None
    • P — Partial
    • C — Complete

    For information about security levels prior to TSR-2015-0001, read the Legacy Security Levels section below.

    Legacy Security Levels

    The following lists the security levels in order of severity:

    • Critical — A critical rating applies to vulnerabilities that allow remote, unauthenticated access and code execution, with no user interaction required. These vulnerabilities allow automated scripts such as worms to completely compromise the system.
    • Important — This rating applies to vulnerabilities that allow third parties to compromise system authentication levels. These vulnerabilities occur when you allow the following:
      • Local users to elevate their privilege levels.
      • Unauthenticated remote users to access resources that should require authentication to view.
      • Remote users to execute arbitrary code, which includes any local or remote attack that could result in an denial of service.
    • Moderate — This rating applies to vulnerabilities that rely on unlikely scenarios in order to compromise the system. These scenarios usually consist of a flawed or unlikely system configuration, and only occur in rare situations.
    • Minor — This rating applies to vulnerabilities that do not fit into the higher categories. These vulnerabilities occur in very unlikely situations and configurations, and they require extremely close timing of execution and events to occur that are out of the attacker’s control. This rating also applies to vulnerabilities that, even if successful, result in few or no consequences on the system.

    Additional Documentation