CVSS Definition

The CVSS score is calculated from eight base metrics:

  1. Attack Vector
  2. Attack Complexity
  3. Privileges Required
  4. User Interaction
  5. Scope
  6. Confidentiality
  7. Integrity
  8. Availability

Attack Vector

Possible values:

  • Network
    • Unauthenticated users on public networks
    • Unrelated accounts/projects/subscriptions
  • Adjacent
    • IAM entity authenticated via a public API endpoint
    • Another authority accessible from a public network (e.g., AAA database system)
    • Unauthenticated user in a private network
  • Local
    • IAM entity authenticated via a private API endpoint
    • Another authority accessible from a private network (e.g., AAA database system)
  • Physical
    • IAM Admin or root in central management accounts/projects/subscriptions
    • CSP internal or on a network

Attack Complexity

Possible values:

  • Low
    • Minimal steps required
    • Easily repeatable
  • High
    • Requires several steps
    • More likely to be detected

Privileges Required

Possible values:

  • None
    • No IAM permission is required
  • Low
    • Common IAM permission (e.g., in CSP-managed permission sets)
    • Another authority (e.g., AAA database system)
    • No IAM permission but an authenticated identity within the same Org, Account, Domain, or Tenant
  • High
    • High-privileged actions (e.g., Delete, Update, Create)
    • Typically control-plane level permissions

User Interaction

Possible values:

  • None
    • No interaction from anyone other than the attacker is required
  • Required
    • Another user must take an action
    • A prerequisite action or non-default misconfiguration must be present
    • A timing constraint applies (e.g., the attack only works just before auto-patching by the CSP)

Scope

Possible values:

  • Unchanged
    • A successful attack does not grant additional access
  • Changed
    • A successful attack provides additional access to this or other systems
    • Example: Creating an account in another system (e.g., a database)

Confidentiality Impact

Possible values:

  • None
    • No loss of confidentiality
  • Low
    • Some data is accessed but is not critical
    • The attacker has no control over which data is obtained, or exfiltration is limited in speed or volume
  • High
    • Critical data is accessed
    • Data exfiltration occurs at high speed

Integrity Impact

Possible values:

  • None
    • No loss of integrity
  • Low
    • Data modification is possible but limited in impact
    • The attacker has no control over consequences of modifications
    • Includes Denial of Wallet attacks (increased billing costs)
    • A security boundary is bypassed or altered
  • High
    • Total loss of integrity
    • Complete loss of a major security boundary

Availability Impact

Possible values:

  • None
    • No loss of availability of the system itself (loss of data availability is not counted here)
  • Low
    • Some slowness, but legitimate users can still access the system
    • The system can be restored quickly (e.g., by changing firewall rules)
  • High
    • Critical users are unable to access the system
    • The loss of access is sustained even after the attack is finished