Security News > 2024 > January > Does CVSS 4.0 solve the exploitability problem?

The newest version of the vulnerability scoring system CVSS 4.0 is here! After a lengthy gap between version 3, as of November 2023 version 4.0 is officially live.

Version 3.0 and CVSS in general, while being quite good at measuring the "Impact" of a vulnerability, wasn't very good at scoring its "Exploitability".

Attack complexity - in version 3.0, the attack complexity parameter was binary, set to two options: high or low - nothing in between - and was open to completely subjective interpretation.

In version 4.0 this has been split into two parameters: attack complexity and attack requirements.

While the attack complexity parameter sadly hasn't changed, attack requirements introduces the prerequisite deployment and execution conditions that need to be in place for the attack to succeed - for example: a specific configuration setting of a web server, presence of a specific code dependency, etc.

This is a welcome addition, since version 3.0 had an "All or nothing" approach: if you required a user to interact 4 or 5 times it was treated the same way as a user requiring a single click of a URL. There are other minor changes to other parameters and wording to streamline scoring, but these are the primary ones.

News URL

https://www.helpnetsecurity.com/2024/01/31/cvss-4-0-scoring-system/