# CVSS 4.0

###### tags: `iPAS`, `資安`, `法規`

- For the full index of notes, see [iPAS Security Regulations and Standards Notes](https://hackmd.io/@ywChen/H192F7VPC)

[toc]

## References

- [Common Vulnerability Scoring System](https://www.first.org/cvss/v4-0/)

## V4 vs V3

### Base Score

- Scope (S) is no longer considered
- Attack Requirements (AT): whether certain conditions must be met before an attack can succeed
  - None (N)
  - Present (P)
- Subsequent System Impact Metrics
  - Confidentiality (SC)
  - Integrity (SI)
  - Availability (SA)

### Threat Metrics

- Exploit Maturity (E): rating of how exploitable the vulnerability is
  - Not Defined (X)
  - Attacked (A): exploitation has already been observed
  - POC (P): a proof of concept exists
  - Unreported (U): no proof of concept has been reported

### Environmental Metrics

Metrics adjusted according to the user's own environment.

- Security Requirements: tied to the organisation's security needs
  - Confidentiality Requirement (CR)
    - Not Defined (X), Low (L), Medium (M), High (H)
  - Integrity Requirement (IR)
    - Not Defined (X), Low (L), Medium (M), High (H)
  - Availability Requirement (AR)
    - Not Defined (X), Low (L), Medium (M), High (H)
- Modified Base Metrics: essentially the base metrics, overridden for the local environment
  - Attack Vector (MAV)
  - Attack Complexity (MAC)
  - Attack Requirements (MAT)
  - Privileges Required (MPR)
  - User Interaction (MUI)
  - MVI
  - MVC
  - MVA
  - MSC
  - MSI
  - MSA

### Supplemental Metrics

- Safety (S): whether safety is endangered
  - Not Defined (X)
  - Negligible (N): corresponds to IEC 61850 `Negligible`
  - Present (P): corresponds to IEC 61850 `Marginal`, `Critical`, `Catastrophic`
- Automatable (AU): whether exploitation can be automated
  - Not Defined (X), No (N), Yes (Y)
- Recovery (R): how hard it is for the system to recover
  - Not Defined (X), Automatic (A), User (U), Irrecoverable (I)
- Value Density (V): the resources an attacker gains from a successful attack
  - Not Defined (X)
  - Diffuse (D): limited resources
  - Concentrated (C): a large amount of resources
- Vulnerability Response Effort (RE): the effort required to respond to the vulnerability
  - Not Defined (X), Low (L), Moderate (M), High (H)
- Provider Urgency (U): urgency of patching the vulnerability
  - Not Defined (X), Clear, Green, Amber, Red

## CVSS Scoring

- CVSS-B: base score only
- CVSS-BT: base + threat score
- CVSS-BTE: base + threat + environmental score
- The supplemental metrics group is not included in the score
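As an added example (not part of the original note), the following parser validates a CVSS v4.0 vector string against the metric groups listed above and reports which scoring nomenclature applies; it goes slightly beyond the note by also recognising CVSS-BE (base + environmental, no threat). The allowed-value tables are transcribed from the CVSS v4.0 specification, and treating an explicit `X` (Not Defined) as "metric not supplied" is an assumption of this example.

```python
"""Parse and validate a CVSS v4.0 vector string and report its nomenclature."""
from __future__ import annotations

# Allowed values per metric, grouped as in the CVSS v4.0 specification.
BASE = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN",
}
THREAT = {"E": "XAPU"}
ENVIRONMENTAL = {
    "CR": "XHML", "IR": "XHML", "AR": "XHML",
    "MAV": "XNALP", "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
    "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN",
    "MSC": "XHLN", "MSI": "XSHLN", "MSA": "XSHLN",  # S = Safety
}
SUPPLEMENTAL = {  # never affects the score, but still validated
    "S": ["X", "N", "P"], "AU": ["X", "N", "Y"], "R": ["X", "A", "U", "I"],
    "V": ["X", "D", "C"], "RE": ["X", "L", "M", "H"],
    "U": ["X", "Clear", "Green", "Amber", "Red"],
}
GROUPS = (BASE, THREAT, ENVIRONMENTAL, SUPPLEMENTAL)


def parse_vector(vector: str) -> dict[str, str]:
    """Return {metric: value}; raise ValueError on a malformed vector."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"unsupported prefix {prefix!r}")
    metrics: dict[str, str] = {}
    for part in parts:
        name, sep, value = part.partition(":")
        allowed = next((g[name] for g in GROUPS if name in g), None)
        if not sep or allowed is None:
            raise ValueError(f"unknown metric {part!r}")
        # tuple() turns "NALP" into single-letter values, so "" and "NA" are rejected
        if value not in tuple(allowed) or name in metrics:
            raise ValueError(f"bad or duplicate value {part!r}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:  # all eleven base metrics are mandatory in v4.0
        raise ValueError(f"missing mandatory base metrics: {missing}")
    return metrics


def nomenclature(metrics: dict[str, str]) -> str:
    """CVSS-B / -BT / -BE / -BTE, ignoring supplemental metrics entirely."""
    def present(group: dict) -> bool:  # assumption: X counts as not supplied
        return any(m in group and v != "X" for m, v in metrics.items())
    return "CVSS-B" + ("T" if present(THREAT) else "") + ("E" if present(ENVIRONMENTAL) else "")
```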