CVSS v3.1 Equations
The CVSS v3.1 equations are defined below.
Base
The Base Score is a function of the Impact and Exploitability sub score equations. Where the Base score is defined as,
If (Impact sub score <= 0) 0 else,
Scope Unchanged4 Roundup(Minimum[(Impact + Exploitability), 10])
Scope Changed Roundup(Minimum[1.08 × (Impact + Exploitability), 10])
and the Impact sub score (ISC) is defined as,
Scope Unchanged 6.42 × ISC
Base
Scope Changed 7.52 × [ISC
Base − 0.029] − 3.25 × [ISC
Base − 0.02]
15
Where,
ISC
Base = 1 − [(1 − Impact
Conf) × (1 − Impact
Integ) × (1 − Impact
Avail)]
And the Exploitability sub score is,
8.22 × AttackVector × AttackComplexity × PrivilegeRequired × UserInteraction
Temporal
The Temporal score is defined as,
Roundup(BaseScore × ExploitCodeMaturity × RemediationLevel × ReportConfidence)
Environmental
The environmental score is defined as,
If (Modified Impact Sub score <= 0) 0 else,
If Modified Scope is Unchanged Round up(Round up (Minimum [ (M.Impact + M.Exploitability) ,10]) × Exploit Code Maturity × Remediation Level × Report Confidence)
If Modified Scope is Changed Round up(Round up (Minimum [1.08 × (M.Impact + M.Exploitability) ,10]) × Exploit Code Maturity × Remediation Level × Report Confidence)
And the modified Impact sub score is defined as,
If Modified Scope is Unchanged 6.42 × [ISC
Modified]
If Modified Scope is Changed 7.52 × [ISC
Modified − 0.029]-3.25× [ISC
Modified × 0.9731 − 0.02] 13
Where,
ISC
Modified = Minimum [[1 − (1 − M. IConf × CR) × (1 − M. IInteg × IR) × (1 − M. IAvail × AR)], 0.915]
The Modified Exploitability sub score is,
8.22 × M. AttackVector × M. AttackComplexity × M. PrivilegeRequired × M. UserInteraction
4 Where “Round up” is defined as the smallest number, specified to one decimal place, that is equal to or higher than its input. For example, Round up (4.02) is 4.1; and Round up (4.00) is 4.0.