000014883 - RSA Security Advisories Severity Rating

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Feb 7, 2018. Version 6.

Article Content

Article Number: 000014883
Applies To: All RSA Products

Severity Rating

A security vulnerability is classified by its severity rating, which is determined by many factors, including the level of effort required to exploit the vulnerability and the potential impact to data or business activities from a successful exploit. RSA currently uses the Common Vulnerability Scoring System version 3.0 (CVSS v3.0) to rate the severity of identified vulnerabilities. The full standard, which is maintained by the Forum of Incident Response and Security Teams (FIRST), can be found at https://www.first.org/cvss.

When and where applicable, RSA Security Advisories will provide the CVSS v3.0 Base Score, corresponding CVSS v3.0 Vector and the CVSS v3.0 Severity Rating Scale for identified vulnerabilities. RSA recommends that all customers take into account both the Base Score and any Temporal and/or Environmental Scores that may be relevant to their environment to assess their overall risk.
CVSS v3 Base Score Metrics

| Metric Group | Description | Metric | Possible Values |
|---|---|---|---|
| Exploitability Metrics | Related exploit range | AttackVector (AV) | P = Physical access, L = Local access, A = Adjacent network, N = Network |
| Exploitability Metrics | Attack complexity | AttackComplexity (AC) | L = Low, H = High |
| Exploitability Metrics | Level of privileges required | PrivilegesRequired (PR) | N = None required, L = Low privileges required, H = High privileges required |
| Exploitability Metrics | User interaction | UserInteraction (UI) | N = None, R = Required |
| Scope Metric | Scope | Scope (S) | U = Unchanged (no scope change), C = Changed (scope changed) |
| Impact Metrics | Confidentiality impact | ConfImpact (C) | N = None, L = Low, H = High |
| Impact Metrics | Integrity impact | IntegImpact (I) | N = None, L = Low, H = High |
| Impact Metrics | Availability impact | AvailImpact (A) | N = None, L = Low, H = High |



The Severity field in an RSA Security Advisory is defined with the value of Critical, High, Medium or Low based on the highest CVSSv3 score of the CVEs associated with the advisory. The severity level is determined based on the criteria below.
| Severity Level | Criteria |
|---|---|
| Critical | CVSSv3 base score is greater than or equal to 9.0 |
| High | CVSSv3 base score is greater than or equal to 7.0 but less than 9.0 |
| Medium | CVSSv3 base score is greater than or equal to 4.0 but less than 7.0 |
| Low | CVSSv3 base score is less than or equal to 3.9 |
Notes: For information on the severity rating for Dell EMC products, refer to the following article: 000468307 - Dell EMC Security Alert (DSA) Severity Rating
Legacy Article ID: a46604