
CVSS v4 Equivalence Set EQ2

Here we describe an example decision model for an analyst assessing the CVSS v4 equivalence set EQ2.

Analyst Units of Work

Analyst Unit of Work

The unit of work for an Analyst is a single vulnerability report.

Analysts are usually tasked with assessing the CVSS score for an individual vulnerability report.

Analyst Decision Outcomes

The analyst's decision is to choose the appropriate level for CVSS v4 EQ2.

Equivalence Set 2 (cvss:EQ2:1.0.0)

AC/AT with 2 levels specified in Table 25

| Value | Definition |
|---|---|
| Low (L) | 1: not (AC:L and AT:N) |
| High (H) | 0: AC:L and AT:N |
Equivalence Set 2 (cvss:EQ2:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "EQ2",
  "version": "1.0.0",
  "name": "Equivalence Set 2",
  "description": "AC/AT with 2 levels specified in Table 25",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "L",
      "name": "Low",
      "description": "1: not (AC:L and AT:N)"
    },
    {
      "key": "H",
      "name": "High",
      "description": "0: AC:L and AT:N"
    }
  ]
}

Analyst Decision Points

Attack Complexity (cvss:AC:3.0.1)

This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit.

| Value | Definition |
|---|---|
| High (H) | The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. |
| Low (L) | The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. |
Attack Complexity (cvss:AC:3.0.1) JSON Example
{
  "namespace": "cvss",
  "key": "AC",
  "version": "3.0.1",
  "name": "Attack Complexity",
  "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "H",
      "name": "High",
      "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
    }
  ]
}

Attack Requirements (cvss:AT:1.0.0)

This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.

| Value | Definition |
|---|---|
| Present (P) | The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. |
| None (N) | The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability. |
Attack Requirements (cvss:AT:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "AT",
  "version": "1.0.0",
  "name": "Attack Requirements",
  "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "P",
      "name": "Present",
      "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
    },
    {
      "key": "N",
      "name": "None",
      "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."
    }
  ]
}

Analyst Decision Model

Below we provide an example analyst decision model that maps the decision points just listed (Attack Complexity and Attack Requirements) to the EQ2 outcomes described above.

Decision Model Visualization

The following diagram shows the decision model for the EQ2 decision.

---
title: CVSS v4 Equivalence Set 2 Decision Table (cvss:DT_CVSS4_EQ2:1.0.0)
---
graph LR
n1(( ))
subgraph s1["cvss:AC:3.0.1"]
H_L0([H])
L_L0([L])
end
subgraph s2["cvss:AT:1.0.0"]
H_P_L1([P])
L_P_L1([P])
H_N_L1([N])
L_N_L1([N])
end
subgraph s3["cvss:EQ2:1.0.0"]
H_P_L_L2([L])
L_P_L_L2([L])
H_N_L_L2([L])
L_N_H_L2([H])
end
n1 --- H_L0
n1 --- L_L0
H_L0 --- H_P_L1
H_P_L1 --- H_P_L_L2
L_L0 --- L_P_L1
L_P_L1 --- L_P_L_L2
H_L0 --- H_N_L1
H_N_L1 --- H_N_L_L2
L_L0 --- L_N_L1
L_N_L1 --- L_N_H_L2

Table of Values

The table below shows the values for the decision model. Each row of the table corresponds to a path through the decision model diagram above.

| Row | Attack Complexity v3.0.1 (cvss) | Attack Requirements v1.0.0 (cvss) | Equivalence Set 2 v1.0.0 (cvss) |
|---|---|---|---|
| 0 | high | present | low |
| 1 | low | present | low |
| 2 | high | none | low |
| 3 | low | none | high |
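The decision table above is small enough to state as a closed-form rule: EQ2 is High exactly when AC:L and AT:N, and Low otherwise. The following added example (not part of the SSVC project or the CVSS specification) encodes that rule, derives EQ2 from a CVSS v4.0 vector string, and cross-checks the rule against every row of the table; the vector string used is constructed for illustration.

```python
# Decision table from the page: EQ2 is High only when AC:L and AT:N.
# Keys are (Attack Complexity, Attack Requirements); values are the EQ2 level.
EQ2_TABLE = {
    ("H", "P"): "L",
    ("L", "P"): "L",
    ("H", "N"): "L",
    ("L", "N"): "H",
}


def eq2_level(ac: str, at: str) -> str:
    """Return the EQ2 level ('H' or 'L') for the given AC and AT values."""
    ac, at = ac.upper(), at.upper()
    if ac not in ("H", "L") or at not in ("P", "N"):
        raise ValueError(f"unknown AC/AT values: AC:{ac} AT:{at}")
    # Closed form of the table: High iff AC:L and AT:N, otherwise Low.
    return "H" if (ac == "L" and at == "N") else "L"


def eq2_from_vector(vector: str) -> str:
    """Parse a CVSS v4.0 vector string, pull out AC and AT, and compute EQ2."""
    if not vector.startswith("CVSS:4.0/"):
        raise ValueError("not a CVSS v4.0 vector")
    # Vector is "CVSS:4.0/AV:N/AC:L/..." ; split into metric:value pairs.
    metrics = dict(part.split(":", 1) for part in vector.split("/")[1:])
    try:
        return eq2_level(metrics["AC"], metrics["AT"])
    except KeyError as missing:
        raise ValueError(f"vector lacks required metric {missing}") from None


def check_table() -> bool:
    """Confirm the closed-form rule reproduces every row of the decision table."""
    return all(eq2_level(ac, at) == level
               for (ac, at), level in EQ2_TABLE.items())


if __name__ == "__main__":
    # Constructed sample vector for illustration only, not from a real advisory.
    sample = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
    print("EQ2 for sample vector:", eq2_from_vector(sample))
    print("rule matches table:", check_table())
```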