CVSS v4 Equivalence Set EQ4

Here we describe an example decision model for an analyst assessing the CVSS v4 equivalence set EQ4.

Analyst Units of Work

Analyst Unit of Work

The unit of work for an Analyst is a single vulnerability report.

Analysts are usually tasked with assessing the CVSS score for an individual vulnerability report.

Analyst Decision Outcomes

The analyst's decision is to choose the appropriate level for CVSS v4 EQ4.

Equivalence Set 4 (cvss:EQ4:1.0.0)

SC/SI/SA with 3 levels specified in Table 27

| Value | Definition |
|---|---|
| Low (L) | 2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H) |
| Medium (M) | 1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H) |
| High (H) | 0: MSI:S or MSA:S |
Equivalence Set 4 (cvss:EQ4:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "EQ4",
  "version": "1.0.0",
  "name": "Equivalence Set 4",
  "description": "SC/SI/SA with 3 levels specified in Table 27",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "L",
      "name": "Low",
      "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
    },
    {
      "key": "M",
      "name": "Medium",
      "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
    },
    {
      "key": "H",
      "name": "High",
      "description": "0: MSI:S or MSA:S"
    }
  ]
}

Analyst Decision Points

Confidentiality Impact to the Subsequent System (cvss:SC:1.0.0)

This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.

| Value | Definition |
|---|---|
| Negligible (N) | There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System. |
| Low (L) | There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System. |
| High (H) | There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. |
Confidentiality Impact to the Subsequent System (cvss:SC:1.0.0) JSON Example
{
  "namespace": "cvss",
  "key": "SC",
  "version": "1.0.0",
  "name": "Confidentiality Impact to the Subsequent System",
  "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "N",
      "name": "Negligible",
      "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
    },
    {
      "key": "H",
      "name": "High",
      "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
    }
  ]
}

Modified Integrity Impact to the Subsequent System (without Not Defined) (cvss:MSI_NoX:1.0.1)

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.

| Value | Definition |
|---|---|
| Negligible (N) | There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System. |
| Low (L) | Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System. |
| High (H) | There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System. |
| Safety (S) | The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited. |
Modified Integrity Impact to the Subsequent System (without Not Defined) (cvss:MSI_NoX:1.0.1) JSON Example
{
  "namespace": "cvss",
  "key": "MSI_NoX",
  "version": "1.0.1",
  "name": "Modified Integrity Impact to the Subsequent System (without Not Defined)",
  "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest. This version does not include the Not Defined (X) option.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "N",
      "name": "Negligible",
      "description": "There is negligible loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
    },
    {
      "key": "H",
      "name": "High",
      "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
    },
    {
      "key": "S",
      "name": "Safety",
      "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
    }
  ]
}

Modified Availability Impact to the Subsequent System (without Not Defined) (cvss:MSA_NoX:1.0.1)

This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.

| Value | Definition |
|---|---|
| Negligible (N) | There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System. |
| Low (L) | Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. |
| High (H) | There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). |
| Safety (S) | The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited. |
Modified Availability Impact to the Subsequent System (without Not Defined) (cvss:MSA_NoX:1.0.1) JSON Example
{
  "namespace": "cvss",
  "key": "MSA_NoX",
  "version": "1.0.1",
  "name": "Modified Availability Impact to the Subsequent System (without Not Defined)",
  "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System. This version does not include the Not Defined (X) option.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "N",
      "name": "Negligible",
      "description": "There is negligible impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
    },
    {
      "key": "H",
      "name": "High",
      "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
    },
    {
      "key": "S",
      "name": "Safety",
      "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited."
    }
  ]
}

Analyst Decision Model

Below we provide an example policy that maps the decision points just listed to the outcomes described above.

Decision Model Visualization

The following diagram shows the decision model for the EQ4 decision.

---
title: CVSS v4 Equivalence Set 4 Decision Table (cvss:DT_CVSS4_EQ4:1.0.0)
---
graph LR
n1(( ))
subgraph s1["cvss:SC:1.0.0"]
N_L0([N])
L_L0([L])
H_L0([H])
end
subgraph s2["cvss:MSI_NoX:1.0.1"]
N_N_L1([N])
L_N_L1([N])
N_L_L1([L])
H_N_L1([N])
L_L_L1([L])
N_H_L1([H])
H_L_L1([L])
L_H_L1([H])
N_S_L1([S])
H_H_L1([H])
L_S_L1([S])
H_S_L1([S])
end
subgraph s3["cvss:MSA_NoX:1.0.1"]
N_N_N_L2([N])
L_N_N_L2([N])
N_L_N_L2([N])
N_N_L_L2([L])
H_N_N_L2([N])
L_L_N_L2([N])
N_H_N_L2([N])
L_N_L_L2([L])
N_L_L_L2([L])
N_N_H_L2([H])
H_L_N_L2([N])
L_H_N_L2([N])
N_S_N_L2([N])
H_N_L_L2([L])
L_L_L_L2([L])
N_H_L_L2([L])
L_N_H_L2([H])
N_L_H_L2([H])
N_N_S_L2([S])
H_H_N_L2([N])
L_S_N_L2([N])
H_L_L_L2([L])
L_H_L_L2([L])
N_S_L_L2([L])
H_N_H_L2([H])
L_L_H_L2([H])
N_H_H_L2([H])
L_N_S_L2([S])
N_L_S_L2([S])
H_S_N_L2([N])
H_H_L_L2([L])
L_S_L_L2([L])
H_L_H_L2([H])
L_H_H_L2([H])
N_S_H_L2([H])
H_N_S_L2([S])
L_L_S_L2([S])
N_H_S_L2([S])
H_S_L_L2([L])
H_H_H_L2([H])
L_S_H_L2([H])
H_L_S_L2([S])
L_H_S_L2([S])
N_S_S_L2([S])
H_S_H_L2([H])
H_H_S_L2([S])
L_S_S_L2([S])
H_S_S_L2([S])
end
subgraph s4["cvss:EQ4:1.0.0"]
N_N_N_L_L3([L])
L_N_N_L_L3([L])
N_L_N_L_L3([L])
N_N_L_L_L3([L])
H_N_N_M_L3([M])
L_L_N_L_L3([L])
N_H_N_M_L3([M])
L_N_L_L_L3([L])
N_L_L_L_L3([L])
N_N_H_M_L3([M])
H_L_N_M_L3([M])
L_H_N_M_L3([M])
N_S_N_H_L3([H])
H_N_L_M_L3([M])
L_L_L_L_L3([L])
N_H_L_M_L3([M])
L_N_H_M_L3([M])
N_L_H_M_L3([M])
N_N_S_H_L3([H])
H_H_N_M_L3([M])
L_S_N_H_L3([H])
H_L_L_M_L3([M])
L_H_L_M_L3([M])
N_S_L_H_L3([H])
H_N_H_M_L3([M])
L_L_H_M_L3([M])
N_H_H_M_L3([M])
L_N_S_H_L3([H])
N_L_S_H_L3([H])
H_S_N_H_L3([H])
H_H_L_M_L3([M])
L_S_L_H_L3([H])
H_L_H_M_L3([M])
L_H_H_M_L3([M])
N_S_H_H_L3([H])
H_N_S_H_L3([H])
L_L_S_H_L3([H])
N_H_S_H_L3([H])
H_S_L_H_L3([H])
H_H_H_M_L3([M])
L_S_H_H_L3([H])
H_L_S_H_L3([H])
L_H_S_H_L3([H])
N_S_S_H_L3([H])
H_S_H_H_L3([H])
H_H_S_H_L3([H])
L_S_S_H_L3([H])
H_S_S_H_L3([H])
end
n1 --- N_L0
n1 --- L_L0
n1 --- H_L0
N_L0 --- N_N_L1
N_N_L1 --- N_N_N_L2
N_N_N_L2 --- N_N_N_L_L3
L_L0 --- L_N_L1
L_N_L1 --- L_N_N_L2
L_N_N_L2 --- L_N_N_L_L3
N_L0 --- N_L_L1
N_L_L1 --- N_L_N_L2
N_L_N_L2 --- N_L_N_L_L3
N_N_L1 --- N_N_L_L2
N_N_L_L2 --- N_N_L_L_L3
H_L0 --- H_N_L1
H_N_L1 --- H_N_N_L2
H_N_N_L2 --- H_N_N_M_L3
L_L0 --- L_L_L1
L_L_L1 --- L_L_N_L2
L_L_N_L2 --- L_L_N_L_L3
N_L0 --- N_H_L1
N_H_L1 --- N_H_N_L2
N_H_N_L2 --- N_H_N_M_L3
L_N_L1 --- L_N_L_L2
L_N_L_L2 --- L_N_L_L_L3
N_L_L1 --- N_L_L_L2
N_L_L_L2 --- N_L_L_L_L3
N_N_L1 --- N_N_H_L2
N_N_H_L2 --- N_N_H_M_L3
H_L0 --- H_L_L1
H_L_L1 --- H_L_N_L2
H_L_N_L2 --- H_L_N_M_L3
L_L0 --- L_H_L1
L_H_L1 --- L_H_N_L2
L_H_N_L2 --- L_H_N_M_L3
N_L0 --- N_S_L1
N_S_L1 --- N_S_N_L2
N_S_N_L2 --- N_S_N_H_L3
H_N_L1 --- H_N_L_L2
H_N_L_L2 --- H_N_L_M_L3
L_L_L1 --- L_L_L_L2
L_L_L_L2 --- L_L_L_L_L3
N_H_L1 --- N_H_L_L2
N_H_L_L2 --- N_H_L_M_L3
L_N_L1 --- L_N_H_L2
L_N_H_L2 --- L_N_H_M_L3
N_L_L1 --- N_L_H_L2
N_L_H_L2 --- N_L_H_M_L3
N_N_L1 --- N_N_S_L2
N_N_S_L2 --- N_N_S_H_L3
H_L0 --- H_H_L1
H_H_L1 --- H_H_N_L2
H_H_N_L2 --- H_H_N_M_L3
L_L0 --- L_S_L1
L_S_L1 --- L_S_N_L2
L_S_N_L2 --- L_S_N_H_L3
H_L_L1 --- H_L_L_L2
H_L_L_L2 --- H_L_L_M_L3
L_H_L1 --- L_H_L_L2
L_H_L_L2 --- L_H_L_M_L3
N_S_L1 --- N_S_L_L2
N_S_L_L2 --- N_S_L_H_L3
H_N_L1 --- H_N_H_L2
H_N_H_L2 --- H_N_H_M_L3
L_L_L1 --- L_L_H_L2
L_L_H_L2 --- L_L_H_M_L3
N_H_L1 --- N_H_H_L2
N_H_H_L2 --- N_H_H_M_L3
L_N_L1 --- L_N_S_L2
L_N_S_L2 --- L_N_S_H_L3
N_L_L1 --- N_L_S_L2
N_L_S_L2 --- N_L_S_H_L3
H_L0 --- H_S_L1
H_S_L1 --- H_S_N_L2
H_S_N_L2 --- H_S_N_H_L3
H_H_L1 --- H_H_L_L2
H_H_L_L2 --- H_H_L_M_L3
L_S_L1 --- L_S_L_L2
L_S_L_L2 --- L_S_L_H_L3
H_L_L1 --- H_L_H_L2
H_L_H_L2 --- H_L_H_M_L3
L_H_L1 --- L_H_H_L2
L_H_H_L2 --- L_H_H_M_L3
N_S_L1 --- N_S_H_L2
N_S_H_L2 --- N_S_H_H_L3
H_N_L1 --- H_N_S_L2
H_N_S_L2 --- H_N_S_H_L3
L_L_L1 --- L_L_S_L2
L_L_S_L2 --- L_L_S_H_L3
N_H_L1 --- N_H_S_L2
N_H_S_L2 --- N_H_S_H_L3
H_S_L1 --- H_S_L_L2
H_S_L_L2 --- H_S_L_H_L3
H_H_L1 --- H_H_H_L2
H_H_H_L2 --- H_H_H_M_L3
L_S_L1 --- L_S_H_L2
L_S_H_L2 --- L_S_H_H_L3
H_L_L1 --- H_L_S_L2
H_L_S_L2 --- H_L_S_H_L3
L_H_L1 --- L_H_S_L2
L_H_S_L2 --- L_H_S_H_L3
N_S_L1 --- N_S_S_L2
N_S_S_L2 --- N_S_S_H_L3
H_S_L1 --- H_S_H_L2
H_S_H_L2 --- H_S_H_H_L3
H_H_L1 --- H_H_S_L2
H_H_S_L2 --- H_H_S_H_L3
L_S_L1 --- L_S_S_L2
L_S_S_L2 --- L_S_S_H_L3
H_S_L1 --- H_S_S_L2
H_S_S_L2 --- H_S_S_H_L3

Table of Values

The table below shows the values for the decision model. Each row of the table corresponds to a path through the decision model diagram above.

| Row | Confidentiality Impact to the Subsequent System v1.0.0 (cvss) | Modified Integrity Impact to the Subsequent System (without Not Defined) v1.0.1 (cvss) | Modified Availability Impact to the Subsequent System (without Not Defined) v1.0.1 (cvss) | Equivalence Set 4 v1.0.0 (cvss) |
|---|---|---|---|---|
| 0 | negligible | negligible | negligible | low |
| 1 | low | negligible | negligible | low |
| 2 | negligible | low | negligible | low |
| 3 | negligible | negligible | low | low |
| 4 | high | negligible | negligible | medium |
| 5 | low | low | negligible | low |
| 6 | negligible | high | negligible | medium |
| 7 | low | negligible | low | low |
| 8 | negligible | low | low | low |
| 9 | negligible | negligible | high | medium |
| 10 | high | low | negligible | medium |
| 11 | low | high | negligible | medium |
| 12 | negligible | safety | negligible | high |
| 13 | high | negligible | low | medium |
| 14 | low | low | low | low |
| 15 | negligible | high | low | medium |
| 16 | low | negligible | high | medium |
| 17 | negligible | low | high | medium |
| 18 | negligible | negligible | safety | high |
| 19 | high | high | negligible | medium |
| 20 | low | safety | negligible | high |
| 21 | high | low | low | medium |
| 22 | low | high | low | medium |
| 23 | negligible | safety | low | high |
| 24 | high | negligible | high | medium |
| 25 | low | low | high | medium |
| 26 | negligible | high | high | medium |
| 27 | low | negligible | safety | high |
| 28 | negligible | low | safety | high |
| 29 | high | safety | negligible | high |
| 30 | high | high | low | medium |
| 31 | low | safety | low | high |
| 32 | high | low | high | medium |
| 33 | low | high | high | medium |
| 34 | negligible | safety | high | high |
| 35 | high | negligible | safety | high |
| 36 | low | low | safety | high |
| 37 | negligible | high | safety | high |
| 38 | high | safety | low | high |
| 39 | high | high | high | medium |
| 40 | low | safety | high | high |
| 41 | high | low | safety | high |
| 42 | low | high | safety | high |
| 43 | negligible | safety | safety | high |
| 44 | high | safety | high | high |
| 45 | high | high | safety | high |
| 46 | low | safety | safety | high |
| 47 | high | safety | safety | high |
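
The Table 27 rule quoted at the top and the Table of Values just above can be checked mechanically. The following Python is an added example, not code from the page or the SSVC project: it computes EQ4 from the three decision points the model uses (SC, MSI without X, MSA without X), derives those inputs from a CVSS:4.0 vector string with a constructed helper that substitutes SI/SA when MSI/MSA is absent or X, and confirms that the 48 paths split into 8 Low, 19 Medium and 21 High outcomes.

```python
# Added example (not code from the page or the SSVC project): the Table 27 rule
# for EQ4 applied to the page's three decision points, SC, MSI (no X), MSA (no X).
from itertools import product

IMPACT = ("N", "L", "H")                # SC values
MODIFIED_IMPACT = ("N", "L", "H", "S")  # MSI / MSA values without X


def eq4_level(sc: str, msi: str, msa: str) -> str:
    """Return the EQ4 key (L/M/H) for the given decision point values.

    Table 27: H (0) if MSI:S or MSA:S; otherwise M (1) if any of SC/SI/SA
    is H; otherwise L (2). MSI/MSA stand in for SI/SA, as in the page's model.
    """
    if sc not in IMPACT or msi not in MODIFIED_IMPACT or msa not in MODIFIED_IMPACT:
        raise ValueError(f"invalid values SC={sc!r} MSI={msi!r} MSA={msa!r}")
    if "S" in (msi, msa):
        return "H"
    if "H" in (sc, msi, msa):
        return "M"
    return "L"


def eq4_from_vector(vector: str) -> str:
    """Derive EQ4 from a CVSS:4.0 vector string (constructed helper).

    Only SC, SI, SA, MSI and MSA are consulted. An absent or X Modified
    metric takes the base value, which is how CVSS v4 treats Not Defined.
    """
    fields = vector.split("/")
    if fields[0] != "CVSS:4.0":
        raise ValueError("not a CVSS:4.0 vector")
    metrics = dict(f.split(":", 1) for f in fields[1:])
    missing = [m for m in ("SC", "SI", "SA") if m not in metrics]
    if missing:
        raise ValueError(f"vector lacks base metrics {missing}")
    msi = metrics.get("MSI", "X")
    msa = metrics.get("MSA", "X")
    msi = metrics["SI"] if msi == "X" else msi
    msa = metrics["SA"] if msa == "X" else msa
    return eq4_level(metrics["SC"], msi, msa)


def eq4_distribution() -> dict:
    """Count outcomes over the 48 SC x MSI x MSA paths in the Table of Values."""
    counts = {"L": 0, "M": 0, "H": 0}
    for sc, msi, msa in product(IMPACT, MODIFIED_IMPACT, MODIFIED_IMPACT):
        counts[eq4_level(sc, msi, msa)] += 1
    return counts
```

Row 12 of the table (SC negligible, MSI safety, MSA negligible) is the case where a single Safety value outranks every confidentiality or integrity finding: `eq4_level("N", "S", "N")` returns `"H"`.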