Confidentiality Impact to the Vulnerable System
Confidentiality Impact to the Vulnerable System v3.0.0
This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
| Value | Definition |
|---|---|
| None | There is no loss of confidentiality within the impacted component. |
| Low | There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component. |
| High | There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. |
Confidentiality Impact to the Vulnerable System v3.0.0 JSON Example
```json
{
  "namespace": "cvss",
  "version": "3.0.0",
  "schemaVersion": "1-0-1",
  "key": "VC",
  "name": "Confidentiality Impact to the Vulnerable System",
  "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
  "values": [
    {
      "key": "N",
      "name": "None",
      "description": "There is no loss of confidentiality within the impacted component."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
    },
    {
      "key": "H",
      "name": "High",
      "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
    }
  ]
}
```
Previous Versions
Following are the previous versions of the decision point:
Confidentiality Impact v1.0.0
This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.
| Value | Definition |
|---|---|
| None | No impact on confidentiality. |
| Partial | There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained. |
| Complete | A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc). |
Confidentiality Impact v1.0.0 JSON Example
```json
{
  "namespace": "cvss",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "C",
  "name": "Confidentiality Impact",
  "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.",
  "values": [
    {
      "key": "N",
      "name": "None",
      "description": "No impact on confidentiality."
    },
    {
      "key": "P",
      "name": "Partial",
      "description": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."
    },
    {
      "key": "C",
      "name": "Complete",
      "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
    }
  ]
}
```
Confidentiality Impact v2.0.0
This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.
| Value | Definition |
|---|---|
| None | There is no loss of confidentiality within the impacted component. |
| Low | There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component. |
| High | There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. |
Confidentiality Impact v2.0.0 JSON Example
```json
{
  "namespace": "cvss",
  "version": "2.0.0",
  "schemaVersion": "1-0-1",
  "key": "C",
  "name": "Confidentiality Impact",
  "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
  "values": [
    {
      "key": "N",
      "name": "None",
      "description": "There is no loss of confidentiality within the impacted component."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."
    },
    {
      "key": "H",
      "name": "High",
      "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
    }
  ]
}
```
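Versions 1.0.0 and 2.0.0 of this decision point share the key `C` but define different value sets, so a stored selection is only meaningful together with its version. The following is an added example, not code from the project this page documents: it indexes the three JSON objects above (descriptions trimmed) and validates a selection against a specific version. The function names `build_index`, `resolve` and `candidate_versions` are hypothetical.

```python
import json

# The three decision point objects from this page, trimmed to the fields the
# check needs (descriptions omitted to keep the sample short).
DECISION_POINTS = json.loads("""
[
 {"namespace": "cvss", "version": "1.0.0", "key": "C",
  "values": [{"key": "N", "name": "None"}, {"key": "P", "name": "Partial"},
             {"key": "C", "name": "Complete"}]},
 {"namespace": "cvss", "version": "2.0.0", "key": "C",
  "values": [{"key": "N", "name": "None"}, {"key": "L", "name": "Low"},
             {"key": "H", "name": "High"}]},
 {"namespace": "cvss", "version": "3.0.0", "key": "VC",
  "values": [{"key": "N", "name": "None"}, {"key": "L", "name": "Low"},
             {"key": "H", "name": "High"}]}
]
""")


def build_index(decision_points):
    """Index by (namespace, key, version); reject duplicate points or value keys."""
    index = {}
    for dp in decision_points:
        ident = (dp["namespace"], dp["key"], dp["version"])
        if ident in index:
            raise ValueError(f"duplicate decision point {ident}")
        value_keys = [v["key"] for v in dp["values"]]
        if len(value_keys) != len(set(value_keys)):
            raise ValueError(f"duplicate value key in {ident}")
        index[ident] = {v["key"]: v["name"] for v in dp["values"]}
    return index


def resolve(index, namespace, key, version, value_key):
    """Return the value name, or raise if it is not defined for that version."""
    try:
        values = index[(namespace, key, version)]
    except KeyError:
        raise LookupError(f"no decision point {namespace}:{key} v{version}") from None
    if value_key not in values:
        raise ValueError(f"{value_key!r} is not a value of {namespace}:{key} v{version}")
    return values[value_key]


def candidate_versions(index, namespace, key, value_key):
    """Versions under which an unversioned key/value pair would be accepted."""
    return sorted(v for (ns, k, v), vals in index.items()
                  if ns == namespace and k == key and value_key in vals)


INDEX = build_index(DECISION_POINTS)
```

`candidate_versions(INDEX, "cvss", "C", "N")` returns two versions, which is why records that drop the version cannot be validated unambiguously.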