
CVSS v4 Equivalence Set EQ1

Here we describe an example decision model for an analyst assessing the CVSS v4 equivalence set EQ1.

Analyst Units of Work

Analyst Unit of Work

The unit of work for an Analyst is a single vulnerability report.

Analysts are usually tasked with assessing the CVSS score for an individual vulnerability report.

Analyst Decision Outcomes

The analyst's decision is to choose the appropriate level for CVSS v4 EQ1.

Equivalence Set 1 (cvss:EQ1:1.0.0)

AV/PR/UI with 3 levels specified in Table 24

| Value | Definition |
|---|---|
| Low (L) | 2: AV:P or not(AV:N or PR:N or UI:N) |
| Medium (M) | 1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P |
| High (H) | 0: AV:N and PR:N and UI:N |

Equivalence Set 1 (cvss:EQ1:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "EQ1",
  "version": "1.0.0",
  "name": "Equivalence Set 1",
  "description": "AV/PR/UI with 3 levels specified in Table 24",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "L",
      "name": "Low",
      "description": "2: AV:P or not(AV:N or PR:N or UI:N)"
    },
    {
      "key": "M",
      "name": "Medium",
      "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
    },
    {
      "key": "H",
      "name": "High",
      "description": "0: AV:N and PR:N and UI:N"
    }
  ]
}

Analyst Decision Points

Attack Vector (cvss:AV:3.0.1)

This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

| Value | Definition |
|---|---|
| Physical (P) | The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack) or persistent. |
| Local (L) | The vulnerable system is not bound to the network stack and the attacker's path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document). |
| Adjacent (A) | The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone). |
| Network (N) | The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed above, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). |

Attack Vector (cvss:AV:3.0.1) JSON Example
{
  "namespace": "cvss",
  "key": "AV",
  "version": "3.0.1",
  "name": "Attack Vector",
  "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "P",
      "name": "Physical",
      "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."
    },
    {
      "key": "L",
      "name": "Local",
      "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."
    },
    {
      "key": "A",
      "name": "Adjacent",
      "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."
    },
    {
      "key": "N",
      "name": "Network",
      "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
    }
  ]
}

Privileges Required (cvss:PR:1.0.1)

This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

| Value | Definition |
|---|---|
| High (H) | The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system's settings and files. |
| Low (L) | The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources. |
| None (N) | The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. |

Privileges Required (cvss:PR:1.0.1) JSON Example
{
  "namespace": "cvss",
  "key": "PR",
  "version": "1.0.1",
  "name": "Privileges Required",
  "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "H",
      "name": "High",
      "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
    },
    {
      "key": "N",
      "name": "None",
      "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
    }
  ]
}

User Interaction (cvss:UI:2.0.0)

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.

| Value | Definition |
|---|---|
| Active (A) | Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker's payload, or the user's interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability. |
| Passive (P) | Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker's payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system. |
| None (N) | The vulnerable system can be exploited without interaction from any human user, other than the attacker. |

User Interaction (cvss:UI:2.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "UI",
  "version": "2.0.0",
  "name": "User Interaction",
  "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "A",
      "name": "Active",
      "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
    },
    {
      "key": "P",
      "name": "Passive",
      "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
    },
    {
      "key": "N",
      "name": "None",
      "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
    }
  ]
}

Analyst Decision Model

Below we provide an example decision model for the analyst that maps the decision points just listed to the outcomes described above.

Decision Model Visualization

The following diagram shows the decision model for the EQ1 decision.

---
title: CVSS v4 Equivalence Set 1 Decision Table (cvss:DT_CVSS4_EQ1:1.0.0)
---
graph LR
n1(( ))
subgraph s1["cvss:AV:3.0.1"]
P_L0([P])
L_L0([L])
A_L0([A])
N_L0([N])
end
subgraph s2["cvss:PR:1.0.1"]
P_H_L1([H])
L_H_L1([H])
P_L_L1([L])
A_H_L1([H])
L_L_L1([L])
P_N_L1([N])
N_H_L1([H])
A_L_L1([L])
L_N_L1([N])
N_L_L1([L])
A_N_L1([N])
N_N_L1([N])
end
subgraph s3["cvss:UI:2.0.0"]
P_H_A_L2([A])
L_H_A_L2([A])
P_L_A_L2([A])
P_H_P_L2([P])
A_H_A_L2([A])
L_L_A_L2([A])
P_N_A_L2([A])
L_H_P_L2([P])
P_L_P_L2([P])
P_H_N_L2([N])
N_H_A_L2([A])
A_L_A_L2([A])
L_N_A_L2([A])
A_H_P_L2([P])
L_L_P_L2([P])
P_N_P_L2([P])
L_H_N_L2([N])
P_L_N_L2([N])
N_L_A_L2([A])
A_N_A_L2([A])
N_H_P_L2([P])
A_L_P_L2([P])
L_N_P_L2([P])
A_H_N_L2([N])
L_L_N_L2([N])
P_N_N_L2([N])
N_N_A_L2([A])
N_L_P_L2([P])
A_N_P_L2([P])
N_H_N_L2([N])
A_L_N_L2([N])
L_N_N_L2([N])
N_N_P_L2([P])
N_L_N_L2([N])
A_N_N_L2([N])
N_N_N_L2([N])
end
subgraph s4["cvss:EQ1:1.0.0"]
P_H_A_L_L3([L])
L_H_A_L_L3([L])
P_L_A_L_L3([L])
P_H_P_L_L3([L])
A_H_A_L_L3([L])
L_L_A_L_L3([L])
P_N_A_L_L3([L])
L_H_P_L_L3([L])
P_L_P_L_L3([L])
P_H_N_L_L3([L])
N_H_A_M_L3([M])
A_L_A_L_L3([L])
L_N_A_M_L3([M])
A_H_P_L_L3([L])
L_L_P_L_L3([L])
P_N_P_L_L3([L])
L_H_N_M_L3([M])
P_L_N_L_L3([L])
N_L_A_M_L3([M])
A_N_A_M_L3([M])
N_H_P_M_L3([M])
A_L_P_L_L3([L])
L_N_P_M_L3([M])
A_H_N_M_L3([M])
L_L_N_M_L3([M])
P_N_N_L_L3([L])
N_N_A_M_L3([M])
N_L_P_M_L3([M])
A_N_P_M_L3([M])
N_H_N_M_L3([M])
A_L_N_M_L3([M])
L_N_N_M_L3([M])
N_N_P_M_L3([M])
N_L_N_M_L3([M])
A_N_N_M_L3([M])
N_N_N_H_L3([H])
end
n1 --- P_L0
n1 --- L_L0
n1 --- A_L0
n1 --- N_L0
P_L0 --- P_H_L1
P_H_L1 --- P_H_A_L2
P_H_A_L2 --- P_H_A_L_L3
L_L0 --- L_H_L1
L_H_L1 --- L_H_A_L2
L_H_A_L2 --- L_H_A_L_L3
P_L0 --- P_L_L1
P_L_L1 --- P_L_A_L2
P_L_A_L2 --- P_L_A_L_L3
P_H_L1 --- P_H_P_L2
P_H_P_L2 --- P_H_P_L_L3
A_L0 --- A_H_L1
A_H_L1 --- A_H_A_L2
A_H_A_L2 --- A_H_A_L_L3
L_L0 --- L_L_L1
L_L_L1 --- L_L_A_L2
L_L_A_L2 --- L_L_A_L_L3
P_L0 --- P_N_L1
P_N_L1 --- P_N_A_L2
P_N_A_L2 --- P_N_A_L_L3
L_H_L1 --- L_H_P_L2
L_H_P_L2 --- L_H_P_L_L3
P_L_L1 --- P_L_P_L2
P_L_P_L2 --- P_L_P_L_L3
P_H_L1 --- P_H_N_L2
P_H_N_L2 --- P_H_N_L_L3
N_L0 --- N_H_L1
N_H_L1 --- N_H_A_L2
N_H_A_L2 --- N_H_A_M_L3
A_L0 --- A_L_L1
A_L_L1 --- A_L_A_L2
A_L_A_L2 --- A_L_A_L_L3
L_L0 --- L_N_L1
L_N_L1 --- L_N_A_L2
L_N_A_L2 --- L_N_A_M_L3
A_H_L1 --- A_H_P_L2
A_H_P_L2 --- A_H_P_L_L3
L_L_L1 --- L_L_P_L2
L_L_P_L2 --- L_L_P_L_L3
P_N_L1 --- P_N_P_L2
P_N_P_L2 --- P_N_P_L_L3
L_H_L1 --- L_H_N_L2
L_H_N_L2 --- L_H_N_M_L3
P_L_L1 --- P_L_N_L2
P_L_N_L2 --- P_L_N_L_L3
N_L0 --- N_L_L1
N_L_L1 --- N_L_A_L2
N_L_A_L2 --- N_L_A_M_L3
A_L0 --- A_N_L1
A_N_L1 --- A_N_A_L2
A_N_A_L2 --- A_N_A_M_L3
N_H_L1 --- N_H_P_L2
N_H_P_L2 --- N_H_P_M_L3
A_L_L1 --- A_L_P_L2
A_L_P_L2 --- A_L_P_L_L3
L_N_L1 --- L_N_P_L2
L_N_P_L2 --- L_N_P_M_L3
A_H_L1 --- A_H_N_L2
A_H_N_L2 --- A_H_N_M_L3
L_L_L1 --- L_L_N_L2
L_L_N_L2 --- L_L_N_M_L3
P_N_L1 --- P_N_N_L2
P_N_N_L2 --- P_N_N_L_L3
N_L0 --- N_N_L1
N_N_L1 --- N_N_A_L2
N_N_A_L2 --- N_N_A_M_L3
N_L_L1 --- N_L_P_L2
N_L_P_L2 --- N_L_P_M_L3
A_N_L1 --- A_N_P_L2
A_N_P_L2 --- A_N_P_M_L3
N_H_L1 --- N_H_N_L2
N_H_N_L2 --- N_H_N_M_L3
A_L_L1 --- A_L_N_L2
A_L_N_L2 --- A_L_N_M_L3
L_N_L1 --- L_N_N_L2
L_N_N_L2 --- L_N_N_M_L3
N_N_L1 --- N_N_P_L2
N_N_P_L2 --- N_N_P_M_L3
N_L_L1 --- N_L_N_L2
N_L_N_L2 --- N_L_N_M_L3
A_N_L1 --- A_N_N_L2
A_N_N_L2 --- A_N_N_M_L3
N_N_L1 --- N_N_N_L2
N_N_N_L2 --- N_N_N_H_L3

Table of Values

The table below shows the values for the decision model. Each row of the table corresponds to a path through the decision model diagram above.

| Row | Attack Vector v3.0.1 (cvss) | Privileges Required v1.0.1 (cvss) | User Interaction v2.0.0 (cvss) | Equivalence Set 1 v1.0.0 (cvss) |
|---|---|---|---|---|
| 0 | physical | high | active | low |
| 1 | local | high | active | low |
| 2 | physical | low | active | low |
| 3 | physical | high | passive | low |
| 4 | adjacent | high | active | low |
| 5 | local | low | active | low |
| 6 | physical | none | active | low |
| 7 | local | high | passive | low |
| 8 | physical | low | passive | low |
| 9 | physical | high | none | low |
| 10 | network | high | active | medium |
| 11 | adjacent | low | active | low |
| 12 | local | none | active | medium |
| 13 | adjacent | high | passive | low |
| 14 | local | low | passive | low |
| 15 | physical | none | passive | low |
| 16 | local | high | none | medium |
| 17 | physical | low | none | low |
| 18 | network | low | active | medium |
| 19 | adjacent | none | active | medium |
| 20 | network | high | passive | medium |
| 21 | adjacent | low | passive | low |
| 22 | local | none | passive | medium |
| 23 | adjacent | high | none | medium |
| 24 | local | low | none | medium |
| 25 | physical | none | none | low |
| 26 | network | none | active | medium |
| 27 | network | low | passive | medium |
| 28 | adjacent | none | passive | medium |
| 29 | network | high | none | medium |
| 30 | adjacent | low | none | medium |
| 31 | local | none | none | medium |
| 32 | network | none | passive | medium |
| 33 | network | low | none | medium |
| 34 | adjacent | none | none | medium |
| 35 | network | none | none | high |
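The three Table 24 rules quoted at the top of this page and the 36-row Table of Values above describe the same mapping; the following is an added example (not code from the SSVC project) that implements the rules directly and enumerates every AV x PR x UI path so the result can be checked against the table. The `eq1_from_vector` helper is an assumption of this example: it reads AV, PR and UI out of a standard CVSS v4 vector string, a format the page itself does not discuss.

```python
"""Added example: compute CVSS v4 EQ1 from AV/PR/UI and cross-check the table."""
from itertools import product

AV_VALUES = ("P", "L", "A", "N")   # Physical, Local, Adjacent, Network
PR_VALUES = ("H", "L", "N")        # High, Low, None
UI_VALUES = ("A", "P", "N")        # Active, Passive, None

# EQ1 key -> (numeric level from Table 24, name). Level 0 is the most
# severe and level 2 the least, matching the "2:", "1:", "0:" prefixes.
EQ1_LEVELS = {"L": (2, "Low"), "M": (1, "Medium"), "H": (0, "High")}


def eq1_level(av: str, pr: str, ui: str) -> str:
    """Return the EQ1 key (L/M/H) for one AV/PR/UI combination per Table 24."""
    if av not in AV_VALUES or pr not in PR_VALUES or ui not in UI_VALUES:
        raise ValueError(f"invalid AV/PR/UI combination: {av}/{pr}/{ui}")
    any_n = av == "N" or pr == "N" or ui == "N"
    all_n = av == "N" and pr == "N" and ui == "N"
    if all_n:                      # 0: AV:N and PR:N and UI:N
        return "H"
    if av == "P" or not any_n:     # 2: AV:P or not(AV:N or PR:N or UI:N)
        return "L"
    return "M"                     # 1: some N, not all N, and not AV:P


def eq1_from_vector(vector: str) -> str:
    """Read AV/PR/UI from a CVSS v4 vector string and return the EQ1 key.

    Hypothetical helper for this example; only the three metrics EQ1
    depends on are used, every other metric in the vector is ignored.
    """
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4 vector string")
    metrics = dict(part.split(":", 1) for part in parts[1:])
    return eq1_level(metrics["AV"], metrics["PR"], metrics["UI"])


def eq1_distribution() -> dict:
    """Count how many of the 36 AV x PR x UI paths land in each EQ1 level.

    Matches the Table of Values: 17 low, 18 medium, 1 high (row 35 only).
    """
    counts = {"L": 0, "M": 0, "H": 0}
    for av, pr, ui in product(AV_VALUES, PR_VALUES, UI_VALUES):
        counts[eq1_level(av, pr, ui)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample vector: every base metric at its most severe value.
    sample = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    print(eq1_from_vector(sample), eq1_distribution())
```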