CERTCC · ahouseholder · Mar 20, 2025 · Mar 13, 2025 · Mar 13, 2025 · Mar 13, 2025
@@ -1,10 +1,10 @@
 {
+  "name": "Automatable",
+  "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
   "namespace": "ssvc",
   "version": "2.0.0",
   "schemaVersion": "1-0-1",
   "key": "A",
-  "name": "Automatable",
-  "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Access Complexity",
+  "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "AC",
-  "name": "Access Complexity",
-  "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
+  "name": "Access Complexity",
+  "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
   "namespace": "cvss",
   "version": "2.0.0",
   "schemaVersion": "1-0-1",
   "key": "AC",
-  "name": "Access Complexity",
-  "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
+  "name": "Access Vector",
+  "description": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "AV",
-  "name": "Access Vector",
-  "description": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
+  "name": "Access Vector",
+  "description": "This metric reflects the context by which vulnerability exploitation is possible.",
   "namespace": "cvss",
   "version": "2.0.0",
   "schemaVersion": "1-0-1",
   "key": "AV",
-  "name": "Access Vector",
-  "description": "This metric reflects the context by which vulnerability exploitation is possible.",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
+  "name": "Attack Complexity",
+  "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
   "namespace": "cvss",
   "version": "3.0.0",
   "schemaVersion": "1-0-1",
   "key": "AC",
-  "name": "Attack Complexity",
-  "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
+  "name": "Attack Complexity",
+  "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
   "namespace": "cvss",
   "version": "3.0.1",
   "schemaVersion": "1-0-1",
   "key": "AC",
-  "name": "Attack Complexity",
-  "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
+  "name": "Attack Requirements",
+  "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "AT",
-  "name": "Attack Requirements",
-  "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Attack Vector",
+  "description": "This metric reflects the context by which vulnerability exploitation is possible. ",
   "namespace": "cvss",
   "version": "3.0.0",
   "schemaVersion": "1-0-1",
   "key": "AV",
-  "name": "Attack Vector",
-  "description": "This metric reflects the context by which vulnerability exploitation is possible. ",
   "values": [
     {
       "key": "P",

@@ -1,10 +1,10 @@
 {
+  "name": "Attack Vector",
+  "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
   "namespace": "cvss",
   "version": "3.0.1",
   "schemaVersion": "1-0-1",
   "key": "AV",
-  "name": "Attack Vector",
-  "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.",
   "values": [
     {
       "key": "P",

@@ -1,10 +1,10 @@
 {
+  "name": "Authentication",
+  "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "Au",
-  "name": "Authentication",
-  "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Authentication",
+  "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur.  The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
   "namespace": "cvss",
   "version": "2.0.0",
   "schemaVersion": "1-0-1",
   "key": "Au",
-  "name": "Authentication",
-  "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur.  The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
   "values": [
     {
       "key": "M",

@@ -1,10 +1,10 @@
 {
+  "name": "Automatable",
+  "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "AU",
-  "name": "Automatable",
-  "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Availability Impact",
+  "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "A",
-  "name": "Availability Impact",
-  "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Availability Impact",
+  "description": "This metric measures the impact to availability of a successfully exploited vulnerability.",
   "namespace": "cvss",
   "version": "2.0.0",
   "schemaVersion": "1-0-1",
   "key": "A",
-  "name": "Availability Impact",
-  "description": "This metric measures the impact to availability of a successfully exploited vulnerability.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Availability Impact to the Subsequent System",
+  "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "SA",
-  "name": "Availability Impact to the Subsequent System",
-  "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Availability Impact to the Vulnerable System",
+  "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
   "namespace": "cvss",
   "version": "3.0.0",
   "schemaVersion": "1-0-1",
   "key": "VA",
-  "name": "Availability Impact to the Vulnerable System",
-  "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Availability Requirement",
+  "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "AR",
-  "name": "Availability Requirement",
-  "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
+  "name": "Availability Requirement",
+  "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
   "namespace": "cvss",
   "version": "1.1.0",
   "schemaVersion": "1-0-1",
   "key": "AR",
-  "name": "Availability Requirement",
-  "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
+  "name": "Availability Requirement",
+  "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.",
   "namespace": "cvss",
   "version": "1.1.1",
   "schemaVersion": "1-0-1",
   "key": "AR",
-  "name": "Availability Requirement",
-  "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
+  "name": "Collateral Damage Potential",
+  "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "CDP",
-  "name": "Collateral Damage Potential",
-  "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Collateral Damage Potential",
+  "description": "This metric measures the potential for loss of life or physical assets.",
   "namespace": "cvss",
   "version": "2.0.0",
   "schemaVersion": "1-0-1",
   "key": "CDP",
-  "name": "Collateral Damage Potential",
-  "description": "This metric measures the potential for loss of life or physical assets.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Confidentiality Impact",
+  "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "C",
-  "name": "Confidentiality Impact",
-  "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Confidentiality Impact",
+  "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
   "namespace": "cvss",
   "version": "2.0.0",
   "schemaVersion": "1-0-1",
   "key": "C",
-  "name": "Confidentiality Impact",
-  "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Confidentiality Impact to the Subsequent System",
+  "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "SC",
-  "name": "Confidentiality Impact to the Subsequent System",
-  "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Confidentiality Impact to the Vulnerable System",
+  "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
   "namespace": "cvss",
   "version": "3.0.0",
   "schemaVersion": "1-0-1",
   "key": "VC",
-  "name": "Confidentiality Impact to the Vulnerable System",
-  "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.",
   "values": [
     {
       "key": "N",

@@ -1,10 +1,10 @@
 {
+  "name": "Confidentiality Requirement",
+  "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "CR",
-  "name": "Confidentiality Requirement",
-  "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
+  "name": "Confidentiality Requirement",
+  "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
   "namespace": "cvss",
   "version": "1.1.0",
   "schemaVersion": "1-0-1",
   "key": "CR",
-  "name": "Confidentiality Requirement",
-  "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
+  "name": "Confidentiality Requirement",
+  "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
   "namespace": "cvss",
   "version": "1.1.1",
   "schemaVersion": "1-0-1",
   "key": "CR",
-  "name": "Confidentiality Requirement",
-  "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
   "values": [
     {
       "key": "L",

@@ -1,10 +1,10 @@
 {
+  "name": "Equivalence Set 1",
+  "description": "AV/PR/UI with 3 levels specified in Table 24",
   "namespace": "cvss",
   "version": "1.0.0",
   "schemaVersion": "1-0-1",
   "key": "EQ1",
-  "name": "Equivalence Set 1",
-  "description": "AV/PR/UI with 3 levels specified in Table 24",
   "values": [
     {
       "key": "L",