Why may a vulnerability have multiple CVSS scores?

Updated: 2024-11-21 MAIA

The CVSS (Common Vulnerability Scoring System) assigns a vulnerability a severity score from 0 to 10. The overall CVSS score is built from three groups of metrics (Base, Temporal, Environmental), each of which has several subcomponents.

The value of the overall CVSS score may depend on the context, i.e. whether the score is of the general type or is related to a specific software.

  1. General type -- the CVSS score may be composed of:
    • Base metrics and Temporal metrics.
    • If a vulnerability Analysis with modified Environmental metrics is saved without a Tag, the decision affects all "un-tagged" variants of the vulnerable software and environments. In that case the Environmental metrics are part of the overall CVSS score.
  2. Build type -- i.e. related to a specific software (or Build/SBOM): the CVSS score may be composed of:
    • If a vulnerability Analysis with modified Environmental metrics is saved with a collection of Tags, all Builds/SBOMs labeled with one of the Tags will have the related Environmental metrics as part of the overall CVSS score.

Summary: A vulnerability may have multiple CVSS scores depending on the current context. One value may be valid for one set of software and another value for a different set, depending on the separate analyses.