Skip to content

Confidentiality Impact to the Subsequent System

Confidentiality Impact to the Subsequent System v1.0.0

This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.

Value Definition
Negligible There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System.
Low There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System.
High There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact.
Confidentiality Impact to the Subsequent System v1.0.0 JSON Example 
{
  "namespace": "cvss",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "SC",
  "name": "Confidentiality Impact to the Subsequent System",
  "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
  "values": [
    {
      "key": "N",
      "name": "Negligible",
      "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
    },
    {
      "key": "H",
      "name": "High",
      "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
    }
  ]
}