
Abstract: The Common Vulnerability Scoring System is a popular method for evaluating the severity of vulnerabilities in vulnerability management.
The goal of CVSS is to provide comparable scores across different evaluators.
Previous work indicates that CVSS might not reach this goal: if a vulnerability is evaluated by several analysts, their scores often differ.
We show that specific CVSS metrics are inconsistently evaluated for widespread vulnerability types, including the top three entries from the "2022 CWE Top 25 Most Dangerous Software Weaknesses" list.
In a follow-up survey with 59 participants, we found that for the same vulnerabilities from the main study, 68% of these users gave different severity ratings.
Our study reveals that most evaluators are aware of the problematic aspects of CVSS, but they still see CVSS as a useful tool for vulnerability assessment.