🛠️ToolsShed

CVE CVSS Calculator

Calculate CVSS v3.1 base scores for vulnerability severity assessment.

Default example shown by the calculator: 9.8, Critical (CVSS v3.1 Base Score)

Base metrics selected in the calculator: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact.

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity rating scale:
None      0.0
Low       0.1–3.9
Medium    4.0–6.9
High      7.0–8.9
Critical  9.0–10.0

About this tool

The Common Vulnerability Scoring System (CVSS) is an open standard for rating the severity of software vulnerabilities on a scale from 0 to 10. Because most teams face far more disclosed vulnerabilities than they can fix at once, a consistent score is essential for prioritising remediation and deciding what to patch first.

To use this calculator, select the CVSS v3.1 base metrics for the vulnerability being assessed: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and the Confidentiality, Integrity and Availability impacts. The tool immediately returns the numeric base score and its qualitative severity rating: None, Low, Medium, High or Critical. It is an everyday aid for security analysts, penetration testers and triage teams.

Note that the base score reflects the intrinsic, constant properties of a vulnerability, whereas the Temporal and Environmental metrics adjust it for exploit maturity and for your specific deployment. The score informs decisions, but it does not replace a contextual risk judgement about your own assets and exposure.


Code implementation

import math

# CVSS v3.1 Base Score Calculator
WEIGHTS = {
    'AV': {'N': 0.85, 'A': 0.62, 'L': 0.55, 'P': 0.20},
    'AC': {'L': 0.77, 'H': 0.44},
    'PR_U': {'N': 0.85, 'L': 0.62, 'H': 0.27},  # Unchanged scope
    'PR_C': {'N': 0.85, 'L': 0.68, 'H': 0.50},  # Changed scope
    'UI': {'N': 0.85, 'R': 0.62},
    'CIA': {'N': 0.00, 'L': 0.22, 'H': 0.56},
}

def roundup(x: float) -> float:
    """CVSS v3.1 Roundup to one decimal place.

    The v3.1 specification defines Roundup in integer arithmetic so that a
    floating-point artefact such as 4.000000001 is rounded to 4.0 rather than
    being pushed up to 4.1 by a naive ceil(x * 10) / 10.
    """
    int_input = round(x * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0

def calculate_cvss_base(av, ac, pr, ui, scope, c_impact, i_impact, a_impact) -> tuple[float, str]:
    """Calculate CVSS v3.1 Base Score."""
    scope_changed = scope == 'C'
    pr_w = WEIGHTS['PR_C'][pr] if scope_changed else WEIGHTS['PR_U'][pr]

    iss = 1 - (1 - WEIGHTS['CIA'][c_impact]) * (1 - WEIGHTS['CIA'][i_impact]) * (1 - WEIGHTS['CIA'][a_impact])

    if scope_changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss

    exploitability = 8.22 * WEIGHTS['AV'][av] * WEIGHTS['AC'][ac] * pr_w * WEIGHTS['UI'][ui]

    if impact <= 0:
        score = 0.0
    elif scope_changed:
        score = roundup(min(1.08 * (impact + exploitability), 10))
    else:
        score = roundup(min(impact + exploitability, 10))

    # Severity
    severity = 'None' if score == 0 else 'Low' if score < 4 else 'Medium' if score < 7 else 'High' if score < 9 else 'Critical'
    return score, severity

# Example: Critical vulnerability (Log4Shell-like)
score, severity = calculate_cvss_base(
    av='N', ac='L', pr='N', ui='N',  # Network, Low complexity, No privileges, No user interaction
    scope='C',                          # Scope Changed
    c_impact='H', i_impact='H', a_impact='H'  # High CIA impact
)
print(f"Log4Shell-like score: {score} ({severity})")

# Example: Local privilege escalation
score, severity = calculate_cvss_base('L', 'L', 'L', 'N', 'U', 'H', 'H', 'N')
print(f"Local privesc: {score} ({severity})")
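The calculator above takes each metric as a separate argument, while the vector string shown on this page is the form in which scores are normally exchanged. The following added example (not part of the page's own code) parses and validates a v3.1 base vector string, scores it with the same base equations, and uses the integer-based Roundup from the v3.1 specification so that floating-point artefacts cannot push a score into the next tenth. Weights, metric names and severity bands are those of the v3.1 specification; the function names are my own.

```python
import math
# Base-metric weights from the CVSS v3.1 specification.
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR_U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
    "PR_C": {"N": 0.85, "L": 0.68, "H": 0.50},   # scope changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"N": 0.00, "L": 0.22, "H": 0.56},
}
BASE = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
BANDS = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))

def parse_vector(vector: str) -> dict[str, str]:
    """Split 'CVSS:3.1/AV:N/...' into {metric: value}; reject malformed input."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:3.1":
        raise ValueError(f"unsupported vector prefix {prefix!r}")
    metrics: dict[str, str] = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name in metrics:
            raise ValueError(f"malformed or duplicate metric {part!r}")
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics {missing}")
    return metrics

def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: integer arithmetic keeps 4.000000001 at 4.0, not 4.1."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def score_vector(vector: str) -> tuple[float, str]:
    """Return (base score, severity) for a CVSS v3.1 base vector string."""
    m = parse_vector(vector)
    if m["S"] not in ("U", "C"):
        raise ValueError(f"invalid scope {m['S']!r}")
    changed = m["S"] == "C"
    try:  # any unknown metric value surfaces as a KeyError on the weight table
        iss = 1 - (1 - W["CIA"][m["C"]]) * (1 - W["CIA"][m["I"]]) * (1 - W["CIA"][m["A"]])
        pr = W["PR_C" if changed else "PR_U"][m["PR"]]
        expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * pr * W["UI"][m["UI"]]
    except KeyError as exc:
        raise ValueError(f"invalid metric value {exc}") from None
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    score = 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))
    return score, next(label for top, label in BANDS if score <= top)
```

Feeding the page's default vector to score_vector returns (9.8, "Critical"), and a vector with a missing metric or an unknown value raises ValueError instead of silently scoring.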
