FIRST.Org


Common Vulnerability Scoring System Data Representations

JSON and XML can be used to store structured data and transfer it between systems. JSON Schemas and XML Schema Definitions (XSDs) are available for CVSS v2.0, v3.0, v3.1, and v4.0 to provide a common data representation when storing and transferring CVSS information.

JSON Schemas:

Note as well the Schema for CVSS v4.0 as defined by the CVE Program. There are currently differences between the FIRST CVSS v4.0 schema and the one in use by the CVE Program, due to practical requirements for numeric scoring. The CVSS SIG is evaluating updates to the schema to reconcile these differences.

XML Schema Definitions:

Explanation of Schemas

JSON Schemas and XSDs define the format and allowed elements of JSON and XML documents respectively. For CVSS, these definitions include elements such as Base Score and individual metric values. Most programming languages have the ability to validate XML data to ensure it meets a particular XSD, and many can also validate JSON data against JSON Schemas.

Currently, CVSS JSON Schemas use draft 07 of the specification that is available at http://json-schema.org/. XSDs are well established and further information about them can be found in multiple places.

JSON

CVSS information can be represented as a JSON document with the following fields:

| Field | Mandatory? | CVSS v4.0 Notes |
|---|---|---|
| CVSS Version | Mandatory | Must be "4.0" |
| Vector String | Mandatory | Metrics in order as described in the [CVSS v4.0 Specification Document](https://www.first.org/cvss/v4.0/specification-document#Vector-String) |
| Base Score | Mandatory | |
| Base Severity | Mandatory | |
| Individual metrics | Optional | If included must match their respective values specified in the Vector String |
| Supplemental Metrics | Optional | May be included as one, many, or none |

Previous Standard Versions JSON Formats

| Field | Mandatory? | CVSS v2.0 Notes | CVSS v3.0 and v3.1 Notes |
|---|---|---|---|
| CVSS Version | Mandatory | Must be "2.0" | Must be "3.0" or "3.1" |
| Vector String | Mandatory | | Specified with metrics in the preferred order described in the [CVSS v3.1 Specification Document](https://www.first.org/cvss/v3.1/specification-document#Vector-String) |
| Base Score | Mandatory | | |
| Base Severity | Mandatory | | |
| Individual metrics | Optional | If included must match their respective values specified in the Vector String | As for CVSS v2.0 |
| Temporal Score | Optional | Must be included if any Temporal Metrics are set to a non-default value | Must be included if any Temporal Metrics are set to a non-default value |
| Temporal Severity | Optional | Must be included if any Temporal Metrics are set to a non-default value | Must be included if any Temporal Metrics are set to a non-default value |
| Environmental Score | Optional | Must be included if any Environmental Metrics are set to a non-default value | Must be included if any Environmental Metrics are set to a non-default value |
| Environmental Severity | Optional | Must be included if any Environmental Metrics are set to a non-default value | Must be included if any Environmental Metrics are set to a non-default value |


JSON Examples

The following examples demonstrate CVSS data represented in JSON format for CVSS v4.0 and CVSS v3.1.

CVSS v4.0 JSON Example

The following examples for CVSS v4.0 are based on CVE-2023-22394 (Junos OS Denial of Service) in the CVSS v4.0 Examples document.

Minimal CVSS v4.0 information:

{
    "version": "4.0",
    "baseScore": 8.7,
    "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
    "baseSeverity": "HIGH"
}

CVSS information including optional base metrics:

{
    "version": "4.0",
    "attackVector": "NETWORK",
    "attackComplexity": "LOW",
    "attackRequirements": "NONE",
    "privilegesRequired": "NONE",
    "userInteraction": "NONE",
    "vulnConfidentialityImpact": "NONE",
    "subConfidentialityImpact": "NONE",
    "vulnIntegrityImpact": "NONE",
    "subIntegrityImpact": "NONE",
    "vulnAvailabilityImpact": "HIGH",
    "subAvailabilityImpact": "LOW",
    "safety": "NEGLIGIBLE",
    "automatable": "YES",
    "recovery": "NOT_DEFINED",
    "valueDensity": "CONCENTRATED",
    "vulnerabilityResponseEffort": "MODERATE",
    "providerUrgency": "NOT_DEFINED",
    "baseScore": 8.7,
    "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/S:N/AU:Y/V:C/RE:M",
    "baseSeverity": "HIGH"
}

CVSS v3.1 JSON Example

The following examples for CVSS v3.1 are based on CVE-2009-0658 (Adobe Acrobat Buffer Overflow Vulnerability) in the CVSS v3.0 Examples Document.

Minimal CVSS v3.1 information:

{
    "version": "3.1",
    "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "baseScore": 7.8,
    "baseSeverity": "HIGH"
}

CVSS information including optional metrics:

{
    "version": "3.1",
    "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "attackVector": "LOCAL",
    "attackComplexity": "LOW",
    "privilegesRequired": "NONE",
    "userInteraction": "REQUIRED",
    "scope": "UNCHANGED",
    "confidentialityImpact": "HIGH",
    "integrityImpact": "HIGH",
    "availabilityImpact": "HIGH",
    "baseScore": 7.8,
    "baseSeverity": "HIGH"
}
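
The JSON field tables above require that individual metrics, when included, match the values in the Vector String, and a consumer of CVSS records can check this on ingest. The following Python sketch is an added example, not code from FIRST or the CVSS SIG: `check_cvss40` and `severity_for` are hypothetical names, it covers v4.0 base metrics only, and value spellings not shown in the page's examples (such as "ADJACENT" and "PRESENT") are assumptions. The severity bands are the standard CVSS qualitative rating scale.

```python
# Added example: cross-field checks for a CVSS v4.0 JSON record (base metrics only).
# Field names come from the page's examples; value spellings not shown there
# (e.g. "ADJACENT", "PRESENT", "PASSIVE") are assumptions.
import json

_NLH = {"N": "NONE", "L": "LOW", "H": "HIGH"}
BASE = {  # vector abbreviation -> (JSON field, abbreviation -> JSON value)
    "AV": ("attackVector", {"N": "NETWORK", "A": "ADJACENT", "L": "LOCAL", "P": "PHYSICAL"}),
    "AC": ("attackComplexity", {"L": "LOW", "H": "HIGH"}),
    "AT": ("attackRequirements", {"N": "NONE", "P": "PRESENT"}),
    "PR": ("privilegesRequired", _NLH),
    "UI": ("userInteraction", {"N": "NONE", "P": "PASSIVE", "A": "ACTIVE"}),
    "VC": ("vulnConfidentialityImpact", _NLH), "VI": ("vulnIntegrityImpact", _NLH),
    "VA": ("vulnAvailabilityImpact", _NLH), "SC": ("subConfidentialityImpact", _NLH),
    "SI": ("subIntegrityImpact", _NLH), "SA": ("subAvailabilityImpact", _NLH),
}
MANDATORY = ("version", "vectorString", "baseScore", "baseSeverity")

def severity_for(score):
    """Qualitative rating band for a numeric score."""
    for limit, name in ((0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH")):
        if score <= limit:
            return name
    return "CRITICAL"

def check_cvss40(doc):
    """Return a list of problems; an empty list means the record is self-consistent."""
    problems = [f"missing mandatory field: {f}" for f in MANDATORY if f not in doc]
    if problems:
        return problems
    if doc["version"] != "4.0" or not doc["vectorString"].startswith("CVSS:4.0/"):
        return ['version must be "4.0" and vectorString must start with CVSS:4.0/']
    pairs = [p.partition(":") for p in doc["vectorString"].split("/")[1:]]
    metrics = {k: v for k, _, v in pairs}
    if [k for k, _, _ in pairs][:len(BASE)] != list(BASE):
        problems.append("base metrics missing or out of order in vectorString")
    for abbr, (field, values) in BASE.items():
        expected = values.get(metrics.get(abbr))
        if field in doc and doc[field] != expected:
            problems.append(f"{field}={doc[field]!r} but vector says {abbr}:{metrics.get(abbr)}")
    if doc["baseSeverity"] != severity_for(doc["baseScore"]):
        problems.append(f"baseSeverity {doc['baseSeverity']} does not match score {doc['baseScore']}")
    return problems

# Constructed input: the page's v4.0 record with attackVector altered to disagree.
SAMPLE = json.loads('{"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", '
    '"attackVector": "LOCAL", "vulnAvailabilityImpact": "HIGH", "vectorString": '
    '"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"}')

print(check_cvss40(SAMPLE))
```

Schema validation alone does not catch this kind of disagreement, because each field is individually well-formed; the check has to compare fields against each other.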

XML

CVSS information can be represented as an XML document with the following fields:

| Field | Mandatory? | CVSS v4.0 Notes |
|---|---|---|
| CVSS Version | Mandatory | Must be "4.0" |
| Vector String | Mandatory | Metrics in order as described in the [CVSS v4.0 Specification Document](https://www.first.org/cvss/v4.0/specification-document#Vector-String) |
| Base Score | Mandatory | |
| Base Severity | Mandatory | |
| Individual metrics | Optional | If included must match their respective values specified in the Vector String |
| Base and Threat Score | Optional | Must be included if any Threat Metrics are set to a non-default value |
| Base and Threat Severity | Optional | Must be included if any Threat Metrics are set to a non-default value |
| Environmental Score | Optional | Must be included if any Environmental Metrics are set to a non-default value |
| Environmental Severity | Optional | Must be included if any Environmental Metrics are set to a non-default value |
| Supplemental Metrics | Optional | May be included as one, many, or none |

Previous Standard Versions XML Formats

| Field | Mandatory? | CVSS v2.0 Notes | CVSS v3.0 and v3.1 Notes |
|---|---|---|---|
| Individual Base Metrics | Mandatory | | |
| Base Score | Optional | | |
| Base Severity | Optional | | |
| Individual Temporal Metrics | Optional | | |
| Temporal Score | Optional | Must be included if any Temporal Metrics are set to a non-default value | Must be included if any Temporal Metrics are set to a non-default value |
| Temporal Severity | Optional | Must be included if any Temporal Metrics are set to a non-default value | Must be included if any Temporal Metrics are set to a non-default value |
| Individual Environmental Metrics | Optional | | |
| Environmental Score | Optional | Must be included if any Environmental Metrics are set to a non-default value | Must be included if any Environmental Metrics are set to a non-default value |
| Environmental Severity | Optional | Must be included if any Environmental Metrics are set to a non-default value | Must be included if any Environmental Metrics are set to a non-default value |

XML Examples

The following sections include examples of CVSS v4.0 and CVSS v3.1 information in XML format.

CVSS v4.0 XML Example

Minimal CVSS v4.0 information in XML format:

<cvssv4.0>
    <baseGroup>
        <attack-vector>NETWORK</attack-vector>
        <attack-complexity>LOW</attack-complexity>
        <attack-requirements>NONE</attack-requirements>
        <privileges-required>NONE</privileges-required>
        <user-interaction>NONE</user-interaction>
        <confidentiality-of-vulnerable-system>NONE</confidentiality-of-vulnerable-system>
        <integrity-of-vulnerable-system>NONE</integrity-of-vulnerable-system>
        <availability-of-vulnerable-system>HIGH</availability-of-vulnerable-system>
        <confidentiality-of-subsequent-system>NONE</confidentiality-of-subsequent-system>
        <integrity-of-subsequent-system>NONE</integrity-of-subsequent-system>
        <availability-of-subsequent-system>LOW</availability-of-subsequent-system>
    </baseGroup>
</cvssv4.0>

Minimal CVSS v4.0 information with optional Base Score and Base Severity:

<cvssv4.0>
    <baseGroup>
        <attack-vector>NETWORK</attack-vector>
        <attack-complexity>LOW</attack-complexity>
        <attack-requirements>NONE</attack-requirements>
        <privileges-required>NONE</privileges-required>
        <user-interaction>NONE</user-interaction>
        <confidentiality-of-vulnerable-system>NONE</confidentiality-of-vulnerable-system>
        <integrity-of-vulnerable-system>NONE</integrity-of-vulnerable-system>
        <availability-of-vulnerable-system>HIGH</availability-of-vulnerable-system>
        <confidentiality-of-subsequent-system>NONE</confidentiality-of-subsequent-system>
        <integrity-of-subsequent-system>NONE</integrity-of-subsequent-system>
        <availability-of-subsequent-system>LOW</availability-of-subsequent-system>
        <base-score>8.7</base-score>
        <base-severity>HIGH</base-severity>
    </baseGroup>
</cvssv4.0>

CVSS v3.1 XML Example

Minimal CVSS v3.1 information in XML format:

<cvssv3.1>
    <base_metrics>
        <attack-vector>LOCAL</attack-vector>
        <attack-complexity>LOW</attack-complexity>
        <privileges-required>NONE</privileges-required>
        <user-interaction>REQUIRED</user-interaction>
        <scope>UNCHANGED</scope>
        <confidentiality-impact>HIGH</confidentiality-impact>
        <integrity-impact>HIGH</integrity-impact>
        <availability-impact>HIGH</availability-impact>
    </base_metrics>
</cvssv3.1>

Minimal CVSS v3.1 information with optional Base Score and Base Severity:

<cvssv3.1>
    <base_metrics>
        <attack-vector>LOCAL</attack-vector>
        <attack-complexity>LOW</attack-complexity>
        <privileges-required>NONE</privileges-required>
        <user-interaction>REQUIRED</user-interaction>
        <scope>UNCHANGED</scope>
        <confidentiality-impact>HIGH</confidentiality-impact>
        <integrity-impact>HIGH</integrity-impact>
        <availability-impact>HIGH</availability-impact>
        <base-score>7.8</base-score>
        <base-severity>HIGH</base-severity>
    </base_metrics>
</cvssv3.1>
