
CVSS v4 Equivalence Set EQ3

Here we describe an example decision model for an analyst assessing the CVSS v4 equivalence set EQ3.

Analyst Units of Work

Analyst Unit of Work

The unit of work for an Analyst is a single vulnerability report.

Analysts are usually tasked with assessing the CVSS score for an individual vulnerability report.

Analyst Decision Outcomes

The analyst's decision is to choose the appropriate level for CVSS v4 EQ3.

Equivalence Set 3 (cvss:EQ3:1.0.0)

VC/VI/VA with 3 levels specified in Table 26

| Value | Definition |
| --- | --- |
| Low (L) | 2: not (VC:H or VI:H or VA:H) |
| Medium (M) | 1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H) |
| High (H) | 0: VC:H and VI:H |

Equivalence Set 3 (cvss:EQ3:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "EQ3",
  "version": "1.0.0",
  "name": "Equivalence Set 3",
  "description": "VC/VI/VA with 3 levels specified in Table 26",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "L",
      "name": "Low",
      "description": "2: not (VC:H or VI:H or VA:H)"
    },
    {
      "key": "M",
      "name": "Medium",
      "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
    },
    {
      "key": "H",
      "name": "High",
      "description": "0: VC:H and VI:H"
    }
  ]
}

Analyst Decision Points

Confidentiality Impact to the Vulnerable System (cvss:VC:3.0.0)

This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

| Value | Definition |
| --- | --- |
| None (N) | There is no loss of confidentiality within the impacted component. |
| Low (L) | There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component. |
| High (H) | There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. |

Confidentiality Impact to the Vulnerable System (cvss:VC:3.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "VC",
  "version": "3.0.0",
  "name": "Confidentiality Impact to the Vulnerable System",
  "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "N",
      "name": "None",
      "description": "There is no loss of confidentiality within the impacted component."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
    },
    {
      "key": "H",
      "name": "High",
      "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
    }
  ]
}

Integrity Impact to the Vulnerable System (cvss:VI:3.0.0)

This metric measures the impact to integrity of a successfully exploited vulnerability.

| Value | Definition |
| --- | --- |
| None (N) | There is no loss of integrity within the Vulnerable System. |
| Low (L) | Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System. |
| High (H) | There is a total loss of integrity, or a complete loss of protection. |

Integrity Impact to the Vulnerable System (cvss:VI:3.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "VI",
  "version": "3.0.0",
  "name": "Integrity Impact to the Vulnerable System",
  "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "N",
      "name": "None",
      "description": "There is no loss of integrity within the Vulnerable System."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
    },
    {
      "key": "H",
      "name": "High",
      "description": "There is a total loss of integrity, or a complete loss of protection."
    }
  ]
}

Availability Impact to the Vulnerable System (cvss:VA:3.0.0)

This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.

| Value | Definition |
| --- | --- |
| None (N) | There is no impact to availability within the Vulnerable System. |
| Low (L) | There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System. |
| High (H) | There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). |

Availability Impact to the Vulnerable System (cvss:VA:3.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "VA",
  "version": "3.0.0",
  "name": "Availability Impact to the Vulnerable System",
  "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "N",
      "name": "None",
      "description": "There is no impact to availability within the Vulnerable System."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."
    },
    {
      "key": "H",
      "name": "High",
      "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
    }
  ]
}

Analyst Decision Model

Below we provide an example analyst decision model that maps the decision points just listed to the outcomes described above.

Decision Model Visualization

The following diagram shows the decision model for the EQ3 decision.

---
title: CVSS v4 Equivalence Set 3 Decision Table (cvss:DT_CVSS4_EQ3:1.0.0)
---
graph LR
n1(( ))
subgraph s1["cvss:VC:3.0.0"]
N_L0([N])
L_L0([L])
H_L0([H])
end
subgraph s2["cvss:VI:3.0.0"]
N_N_L1([N])
L_N_L1([N])
N_L_L1([L])
H_N_L1([N])
L_L_L1([L])
N_H_L1([H])
H_L_L1([L])
L_H_L1([H])
H_H_L1([H])
end
subgraph s3["cvss:VA:3.0.0"]
N_N_N_L2([N])
L_N_N_L2([N])
N_L_N_L2([N])
N_N_L_L2([L])
H_N_N_L2([N])
L_L_N_L2([N])
N_H_N_L2([N])
L_N_L_L2([L])
N_L_L_L2([L])
N_N_H_L2([H])
H_L_N_L2([N])
L_H_N_L2([N])
H_N_L_L2([L])
L_L_L_L2([L])
N_H_L_L2([L])
L_N_H_L2([H])
N_L_H_L2([H])
H_H_N_L2([N])
H_L_L_L2([L])
L_H_L_L2([L])
H_N_H_L2([H])
L_L_H_L2([H])
N_H_H_L2([H])
H_H_L_L2([L])
H_L_H_L2([H])
L_H_H_L2([H])
H_H_H_L2([H])
end
subgraph s4["cvss:EQ3:1.0.0"]
N_N_N_L_L3([L])
L_N_N_L_L3([L])
N_L_N_L_L3([L])
N_N_L_L_L3([L])
H_N_N_M_L3([M])
L_L_N_L_L3([L])
N_H_N_M_L3([M])
L_N_L_L_L3([L])
N_L_L_L_L3([L])
N_N_H_M_L3([M])
H_L_N_M_L3([M])
L_H_N_M_L3([M])
H_N_L_M_L3([M])
L_L_L_L_L3([L])
N_H_L_M_L3([M])
L_N_H_M_L3([M])
N_L_H_M_L3([M])
H_H_N_H_L3([H])
H_L_L_M_L3([M])
L_H_L_M_L3([M])
H_N_H_M_L3([M])
L_L_H_M_L3([M])
N_H_H_M_L3([M])
H_H_L_H_L3([H])
H_L_H_M_L3([M])
L_H_H_M_L3([M])
H_H_H_H_L3([H])
end
n1 --- N_L0
n1 --- L_L0
n1 --- H_L0
N_L0 --- N_N_L1
N_N_L1 --- N_N_N_L2
N_N_N_L2 --- N_N_N_L_L3
L_L0 --- L_N_L1
L_N_L1 --- L_N_N_L2
L_N_N_L2 --- L_N_N_L_L3
N_L0 --- N_L_L1
N_L_L1 --- N_L_N_L2
N_L_N_L2 --- N_L_N_L_L3
N_N_L1 --- N_N_L_L2
N_N_L_L2 --- N_N_L_L_L3
H_L0 --- H_N_L1
H_N_L1 --- H_N_N_L2
H_N_N_L2 --- H_N_N_M_L3
L_L0 --- L_L_L1
L_L_L1 --- L_L_N_L2
L_L_N_L2 --- L_L_N_L_L3
N_L0 --- N_H_L1
N_H_L1 --- N_H_N_L2
N_H_N_L2 --- N_H_N_M_L3
L_N_L1 --- L_N_L_L2
L_N_L_L2 --- L_N_L_L_L3
N_L_L1 --- N_L_L_L2
N_L_L_L2 --- N_L_L_L_L3
N_N_L1 --- N_N_H_L2
N_N_H_L2 --- N_N_H_M_L3
H_L0 --- H_L_L1
H_L_L1 --- H_L_N_L2
H_L_N_L2 --- H_L_N_M_L3
L_L0 --- L_H_L1
L_H_L1 --- L_H_N_L2
L_H_N_L2 --- L_H_N_M_L3
H_N_L1 --- H_N_L_L2
H_N_L_L2 --- H_N_L_M_L3
L_L_L1 --- L_L_L_L2
L_L_L_L2 --- L_L_L_L_L3
N_H_L1 --- N_H_L_L2
N_H_L_L2 --- N_H_L_M_L3
L_N_L1 --- L_N_H_L2
L_N_H_L2 --- L_N_H_M_L3
N_L_L1 --- N_L_H_L2
N_L_H_L2 --- N_L_H_M_L3
H_L0 --- H_H_L1
H_H_L1 --- H_H_N_L2
H_H_N_L2 --- H_H_N_H_L3
H_L_L1 --- H_L_L_L2
H_L_L_L2 --- H_L_L_M_L3
L_H_L1 --- L_H_L_L2
L_H_L_L2 --- L_H_L_M_L3
H_N_L1 --- H_N_H_L2
H_N_H_L2 --- H_N_H_M_L3
L_L_L1 --- L_L_H_L2
L_L_H_L2 --- L_L_H_M_L3
N_H_L1 --- N_H_H_L2
N_H_H_L2 --- N_H_H_M_L3
H_H_L1 --- H_H_L_L2
H_H_L_L2 --- H_H_L_H_L3
H_L_L1 --- H_L_H_L2
H_L_H_L2 --- H_L_H_M_L3
L_H_L1 --- L_H_H_L2
L_H_H_L2 --- L_H_H_M_L3
H_H_L1 --- H_H_H_L2
H_H_H_L2 --- H_H_H_H_L3

Table of Values

The table below shows the values for the decision model. Each row of the table corresponds to a path through the decision model diagram above.

| Row | Confidentiality Impact to the Vulnerable System v3.0.0 (cvss) | Integrity Impact to the Vulnerable System v3.0.0 (cvss) | Availability Impact to the Vulnerable System v3.0.0 (cvss) | Equivalence Set 3 v1.0.0 (cvss) |
| --- | --- | --- | --- | --- |
| 0 | none | none | none | low |
| 1 | low | none | none | low |
| 2 | none | low | none | low |
| 3 | none | none | low | low |
| 4 | high | none | none | medium |
| 5 | low | low | none | low |
| 6 | none | high | none | medium |
| 7 | low | none | low | low |
| 8 | none | low | low | low |
| 9 | none | none | high | medium |
| 10 | high | low | none | medium |
| 11 | low | high | none | medium |
| 12 | high | none | low | medium |
| 13 | low | low | low | low |
| 14 | none | high | low | medium |
| 15 | low | none | high | medium |
| 16 | none | low | high | medium |
| 17 | high | high | none | high |
| 18 | high | low | low | medium |
| 19 | low | high | low | medium |
| 20 | high | none | high | medium |
| 21 | low | low | high | medium |
| 22 | none | high | high | medium |
| 23 | high | high | low | high |
| 24 | high | low | high | medium |
| 25 | low | high | high | medium |
| 26 | high | high | high | high |
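
The three EQ3 value definitions and the 27-row table above describe the same mapping, and the sketch below checks one against the other. It is an added example, not code from the SSVC project: the function names are hypothetical, `PAGE_TABLE` is transcribed from the table above (VC, VI, VA, then the EQ3 level), and the sample vector in the final lines is constructed.

```python
from itertools import product

# Rows 0-26 of the page's "Table of Values", transcribed as VC VI VA -> EQ3.
PAGE_TABLE = """
NNN:L LNN:L NLN:L NNL:L HNN:M LLN:L NHN:M LNL:L NLL:L
NNH:M HLN:M LHN:M HNL:M LLL:L NHL:M LNH:M NLH:M HHN:H
HLL:M LHL:M HNH:M LLH:M NHH:M HHL:H HLH:M LHH:M HHH:H
"""

def eq3_level(vc, vi, va):
    """Apply the three EQ3 predicates from the page to N/L/H metric values."""
    for name, value in (("VC", vc), ("VI", vi), ("VA", va)):
        if value not in ("N", "L", "H"):
            raise ValueError(f"{name} must be N, L or H, got {value!r}")
    if vc == "H" and vi == "H":
        return "H"   # level 0: VC:H and VI:H
    if "H" in (vc, vi, va):
        return "M"   # level 1: some metric is H, but not both VC and VI
    return "L"       # level 2: no metric is H

def eq3_from_vector(vector):
    """Extract VC/VI/VA from a CVSS v4.0 vector string and return the EQ3 level."""
    if not vector.startswith("CVSS:4.0/"):
        raise ValueError("not a CVSS v4.0 vector")
    metrics = dict(part.split(":", 1) for part in vector.split("/")[1:])
    missing = [m for m in ("VC", "VI", "VA") if m not in metrics]
    if missing:
        raise ValueError(f"vector lacks {missing}")
    return eq3_level(metrics["VC"], metrics["VI"], metrics["VA"])

def table_mismatches():
    """Return (combination, table value, predicate value) where the two disagree."""
    table = dict(row.split(":") for row in PAGE_TABLE.split())
    # The table must cover every VC/VI/VA combination exactly once.
    assert set(table) == {"".join(p) for p in product("NLH", repeat=3)}
    return [(k, v, eq3_level(*k)) for k, v in table.items() if eq3_level(*k) != v]

if __name__ == "__main__":
    # Constructed sample vector (not from the page).
    sample = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N"
    print(eq3_from_vector(sample), table_mismatches())
```

An empty list from `table_mismatches()` means the predicate definitions and the enumerated table agree on all 27 combinations.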