New in 2.6: Intelligent CVSS Scoring for Unknown Vulnerabilities
In Mayhem 2.6, we have released a cool feature: Intelligent CVSS scoring for unknown vulnerabilities. In this blog post, I’ll go over what CVSS is and how Mayhem leverages it to prioritize your results.
What is CVSS and How Does It Work?
CVSS, or the Common Vulnerability Scoring System, is a framework used to measure the severity of security vulnerabilities in computer systems. It provides a standardized way to assess and compare the impact of different vulnerabilities.
CVSS combines three groups of metrics to arrive at a vulnerability's score:
- Base Score: Represents the intrinsic qualities of the vulnerability, which do not change over time or across environments.
- Temporal Score: Adjusts the Base Score for characteristics that change over time, such as whether a working exploit or an official fix exists.
- Environmental Score: Customizes the score for your specific environment, for example how much confidentiality matters for the affected asset.
The Base Score consists of several metrics, including:
- Attack Vector
- Attack Complexity
- Privileges Required
- User Interaction
- Scope
- Confidentiality, Integrity, and Availability Impact
The Temporal Score considers factors like:
- Exploit Code Maturity (called Exploitability in CVSS v2)
- Remediation Level
- Report Confidence
Long story short, CVSS gives you a comparable numeric severity for each vulnerability, which is what makes it a vital tool for assessing and managing security findings and deciding what to fix first.
How Mayhem Uses CVSS to Help You Prioritize Results
Mayhem now attaches a CVSS score to each defect it reports, so every run gives you a comparable severity for each result.
While Mayhem has always provided automatic triage, with a rating of low, medium, or high priority for each defect, we now provide a numeric score, shown in parentheses beside each rating.
In this example, we have four medium-risk defects and one high-risk defect, and you should prioritize the Authentication Bypass defect (High 7.8) before working your way through the medium-risk defects. The number also lets you order defects within the same band, which the three-level rating alone could not do.
The severity score seen in the Mayhem dashboard comes from the defect's entry in the CWE database, and we have linked each CWE and OWASP category to that database so that you can see how the score was arrived at. Because that score is tied to the weakness class rather than to your deployment, treat it as a Base-level estimate and apply your own Environmental adjustments where the affected asset warrants them.
Clicking on the CWE takes you directly to the relevant entry in the CWE database. Being able to click through from a defect lets you see what each vulnerability is without looking it up yourself, which speeds up fixing it and helps you get ahead of security threats.
Plus, being able to fix these things before deployment allows you to ship out safer products, faster.
After you fix each defect, you can rerun Mayhem to make sure that your fix works.
All in all, having intelligent CVSS scoring at your fingertips is a game changer.
Add Mayhem to Your DevSecOps for Free.
Get a full-featured 30 day free trial.