Common Vulnerability Scoring System Data Representations

JSON and XML can be used to store structured data and transfer it between systems. JSON Schemas and XML Schema Definitions (XSDs) are available for CVSS v2.0, v3.0, v3.1, and v4.0 to provide a common data representation when storing and transferring CVSS information. JSON Schemas:

Note as well the Schema for CVSS v4.0 as defined by the CVE Program. There are currently differences between this schema and the CVSS v4.0 schema in use by the CVE Program, due to the CVE Program's practical requirements for numeric scoring. The CVSS SIG is evaluating updates to the schema to reconcile these differences.

XML Schema Definitions:

Explanation of Schemas

JSON Schemas and XSDs define the format and allowed elements of JSON and XML documents respectively. For CVSS, these definitions include elements such as Base Score and individual metric values. Most programming languages have the ability to validate XML data to ensure it meets a particular XSD, and many can also validate JSON data against JSON Schemas.

Currently, CVSS JSON Schemas use draft 07 of the specification that is available at http://json-schema.org/. XSDs are well established and further information about them can be found in multiple places.

JSON

CVSS information can be represented as a JSON document with the following fields:

| Field | Mandatory? | CVSS v4.0 Notes |
|---|---|---|
| CVSS Version | Mandatory | Must be "4.0" |
| Vector String | Mandatory | Metrics in order as described in the [CVSS v4.0 Specification Document](https://www.first.org/cvss/v4.0/specification-document#Vector-String) |
| Base Score | Mandatory | |
| Base Severity | Mandatory | |
| Individual metrics | Optional | If included, must match their respective values specified in the Vector String |
| Base and Threat Score | Optional | Must be included if any Threat Metrics are set to a non-default value |
| Base and Threat Severity | Optional | Must be included if any Threat Metrics are set to a non-default value |
| Environmental Score | Optional | Must be included if any Environmental Metrics are set to a non-default value |
| Environmental Severity | Optional | Must be included if any Environmental Metrics are set to a non-default value |
| Supplemental Metrics | Optional | May be included as one, many, or none |

Previous Standard Versions JSON Formats

| Field | Mandatory? | CVSS v2.0 Notes | CVSS v3.0 and v3.1 Notes |
|---|---|---|---|
| CVSS Version | Mandatory | Must be "2.0" | Must be "3.0" or "3.1" |
| Vector String | Mandatory | | Specified with metrics in the preferred order described in the [CVSS v3.1 Specification Document](https://www.first.org/cvss/v3.1/specification-document#Vector-String) |
| Base Score | Mandatory | | |
| Base Severity | Mandatory | | |
| Individual metrics | Optional | If included, must match their respective values specified in the Vector String | As for CVSS v2.0 |
| Temporal Score | Optional | Must be included if any Temporal Metrics are set to a non-default value | Must be included if any Temporal Metrics are set to a non-default value |
| Temporal Severity | Optional | Must be included if any Temporal Metrics are set to a non-default value | Must be included if any Temporal Metrics are set to a non-default value |
| Environmental Score | Optional | Must be included if any Environmental Metrics are set to a non-default value | Must be included if any Environmental Metrics are set to a non-default value |
| Environmental Severity | Optional | Must be included if any Environmental Metrics are set to a non-default value | Must be included if any Environmental Metrics are set to a non-default value |


JSON Examples

The following examples demonstrate CVSS data represented in JSON format for CVSS v4.0 and CVSS v3.1.

CVSS v4.0 JSON Example

The following examples for CVSS v4.0 are based on CVE-2023-22394 (Junos OS Denial of Service) in the CVSS v4.0 Examples document.

Minimal CVSS v4.0 information:

```json
{
    "version": "4.0",
    "baseScore": 8.7,
    "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
    "baseSeverity": "HIGH"
}
```

CVSS v4.0 information including the optional individual base and supplemental metrics:

```json
{
    "version": "4.0",
    "attackVector": "NETWORK",
    "attackComplexity": "LOW",
    "attackRequirements": "NONE",
    "privilegesRequired": "NONE",
    "userInteraction": "NONE",
    "vulnConfidentialityImpact": "NONE",
    "subConfidentialityImpact": "NONE",
    "vulnIntegrityImpact": "NONE",
    "subIntegrityImpact": "NONE",
    "vulnAvailabilityImpact": "HIGH",
    "subAvailabilityImpact": "LOW",
    "safety": "NEGLIGIBLE",
    "automatable": "YES",
    "recovery": "NOT_DEFINED",
    "valueDensity": "CONCENTRATED",
    "vulnerabilityResponseEffort": "MODERATE",
    "providerUrgency": "NOT_DEFINED",
    "baseScore": 8.7,
    "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/S:N/AU:Y/V:C/RE:M",
    "baseSeverity": "HIGH"
}
```
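The rules in the CVSS v4.0 JSON table above (mandatory fields, base metrics in vector order, individual metrics agreeing with the Vector String, and the Base and Threat score becoming mandatory once a Threat metric is non-default) as a checker run over the minimal example. This is an added example, not code from FIRST or any CVSS library: the base field names follow the page's example, while exploitMaturity, threatScore and threatSeverity are assumed schema names, and the severity bands are the v4.0 qualitative rating scale.

```python
BASE = ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"]  # Vector String order
CIA = {"N": "NONE", "L": "LOW", "H": "HIGH"}
# Abbreviation -> (JSON field, vector value -> JSON value). Base field names follow the
# page's example; exploitMaturity, threatScore and threatSeverity are assumed schema names.
FIELDS = {
    "AV": ("attackVector", {"N": "NETWORK", "A": "ADJACENT", "L": "LOCAL", "P": "PHYSICAL"}),
    "AC": ("attackComplexity", {"L": "LOW", "H": "HIGH"}),
    "AT": ("attackRequirements", {"N": "NONE", "P": "PRESENT"}),
    "PR": ("privilegesRequired", {"N": "NONE", "L": "LOW", "H": "HIGH"}),
    "UI": ("userInteraction", {"N": "NONE", "P": "PASSIVE", "A": "ACTIVE"}),
    "VC": ("vulnConfidentialityImpact", CIA), "VI": ("vulnIntegrityImpact", CIA),
    "VA": ("vulnAvailabilityImpact", CIA), "SC": ("subConfidentialityImpact", CIA),
    "SI": ("subIntegrityImpact", CIA), "SA": ("subAvailabilityImpact", CIA),
    "E": ("exploitMaturity", {"X": "NOT_DEFINED", "A": "ATTACKED", "P": "PROOF_OF_CONCEPT", "U": "UNREPORTED"}),
}
# Constructed from the page's minimal CVSS v4.0 JSON example (CVE-2023-22394).
SAMPLE = {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"}

def severity_for(score):
    """Qualitative rating scale of CVSS v4.0: None, Low, Medium, High, Critical."""
    for limit, name in ((0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH")):
        if score <= limit:
            return name
    return "CRITICAL"

def validate_v4(doc):
    """Return the list of rule violations; an empty list means the document passes."""
    errs = []
    if doc.get("version") != "4.0":
        errs.append('version must be "4.0"')
    errs += [f"missing mandatory field {k}" for k in ("vectorString", "baseScore", "baseSeverity") if k not in doc]
    if errs:
        return errs
    parts = [p.split(":", 1) for p in doc["vectorString"].split("/")]
    if parts[0] != ["CVSS", "4.0"] or any(len(p) != 2 for p in parts):
        return ["vectorString must have the form CVSS:4.0/<metric>:<value>/..."]
    if [m for m, _ in parts[1:len(BASE) + 1]] != BASE:
        errs.append("base metrics missing or out of the specified order")
    vals = dict(parts[1:])
    # Individual metrics are optional, but when present they must agree with the vector.
    for abbr, (field, mapping) in FIELDS.items():
        if field in doc and abbr in vals and doc[field] != mapping.get(vals[abbr]):
            errs.append(f"{field}={doc[field]} contradicts {abbr}:{vals[abbr]} in vectorString")
    # A non-default Threat metric makes the Base and Threat score and severity mandatory.
    if vals.get("E", "X") != "X" and not {"threatScore", "threatSeverity"} <= set(doc):
        errs.append("threat metric set: threatScore and threatSeverity are required")
    if severity_for(doc["baseScore"]) != doc["baseSeverity"]:
        errs.append(f"baseSeverity {doc['baseSeverity']} does not match baseScore {doc['baseScore']}")
    return errs
```

Supplemental metrics are not cross-checked here because they do not affect the score; a full validator would still run the document through the official JSON Schema first.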

CVSS v3.1 JSON Example

The following examples for CVSS v3.1 are based on CVE-2009-0658 (Adobe Acrobat Buffer Overflow Vulnerability) in the CVSS v3.0 Examples Document.

Minimal CVSS v3.1 information:

```json
{
    "version": "3.1",
    "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "baseScore": 7.8,
    "baseSeverity": "HIGH"
}
```

CVSS information including optional metrics:

```json
{
    "version": "3.1",
    "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "attackVector": "LOCAL",
    "attackComplexity": "LOW",
    "privilegesRequired": "NONE",
    "userInteraction": "REQUIRED",
    "scope": "UNCHANGED",
    "confidentialityImpact": "HIGH",
    "integrityImpact": "HIGH",
    "availabilityImpact": "HIGH",
    "baseScore": 7.8,
    "baseSeverity": "HIGH"
}
```

XML

CVSS information can be represented as an XML document with the following fields:

| Field | Mandatory? | CVSS v4.0 Notes |
|---|---|---|
| CVSS Version | Mandatory | Must be "4.0" |
| Vector String | Mandatory | Metrics in order as described in the [CVSS v4.0 Specification Document](https://www.first.org/cvss/v4.0/specification-document#Vector-String) |
| Base Score | Mandatory | |
| Base Severity | Mandatory | |
| Individual metrics | Optional | If included, must match their respective values specified in the Vector String |
| Base and Threat Score | Optional | Must be included if any Threat Metrics are set to a non-default value |
| Base and Threat Severity | Optional | Must be included if any Threat Metrics are set to a non-default value |
| Environmental Score | Optional | Must be included if any Environmental Metrics are set to a non-default value |
| Environmental Severity | Optional | Must be included if any Environmental Metrics are set to a non-default value |
| Supplemental Metrics | Optional | May be included as one, many, or none |

Previous Standard Versions XML Formats

| Field | Mandatory? | CVSS v2.0 Notes | CVSS v3.0 and v3.1 Notes |
|---|---|---|---|
| Individual Base Metrics | Mandatory | | |
| Base Score | Optional | | |
| Base Severity | Optional | | |
| Individual Temporal Metrics | Optional | | |
| Temporal Score | Optional | Must be included if any Temporal Metrics are set to a non-default value | Must be included if any Temporal Metrics are set to a non-default value |
| Temporal Severity | Optional | Must be included if any Temporal Metrics are set to a non-default value | Must be included if any Temporal Metrics are set to a non-default value |
| Individual Environmental Metrics | Optional | | |
| Environmental Score | Optional | Must be included if any Environmental Metrics are set to a non-default value | Must be included if any Environmental Metrics are set to a non-default value |
| Environmental Severity | Optional | Must be included if any Environmental Metrics are set to a non-default value | Must be included if any Environmental Metrics are set to a non-default value |

XML Examples

The following sections include examples of CVSS v4.0 and CVSS v3.1 information in XML format.

CVSS v4.0 XML Example

Minimal CVSS v4.0 information in XML format:

```xml
<cvssv4.0>
    <baseGroup>
        <attack-vector>NETWORK</attack-vector>
        <attack-complexity>LOW</attack-complexity>
        <attack-requirements>NONE</attack-requirements>
        <privileges-required>NONE</privileges-required>
        <user-interaction>NONE</user-interaction>
        <confidentiality-of-vulnerable-system>NONE</confidentiality-of-vulnerable-system>
        <integrity-of-vulnerable-system>NONE</integrity-of-vulnerable-system>
        <availability-of-vulnerable-system>HIGH</availability-of-vulnerable-system>
        <confidentiality-of-subsequent-system>NONE</confidentiality-of-subsequent-system>
        <integrity-of-subsequent-system>NONE</integrity-of-subsequent-system>
        <availability-of-subsequent-system>LOW</availability-of-subsequent-system>
    </baseGroup>
</cvssv4.0>
```

Minimal CVSS v4.0 information with optional Base Score and Base Severity:

```xml
<cvssv4.0>
    <baseGroup>
        <attack-vector>NETWORK</attack-vector>
        <attack-complexity>LOW</attack-complexity>
        <attack-requirements>NONE</attack-requirements>
        <privileges-required>NONE</privileges-required>
        <user-interaction>NONE</user-interaction>
        <confidentiality-of-vulnerable-system>NONE</confidentiality-of-vulnerable-system>
        <integrity-of-vulnerable-system>NONE</integrity-of-vulnerable-system>
        <availability-of-vulnerable-system>HIGH</availability-of-vulnerable-system>
        <confidentiality-of-subsequent-system>NONE</confidentiality-of-subsequent-system>
        <integrity-of-subsequent-system>NONE</integrity-of-subsequent-system>
        <availability-of-subsequent-system>LOW</availability-of-subsequent-system>
        <base-score>8.7</base-score>
        <base-severity>HIGH</base-severity>
    </baseGroup>
</cvssv4.0>
```
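The XML form above carries the individual base metrics rather than a Vector String, so cross-checking an XML record against a JSON record of the same vulnerability means rebuilding the vector from the elements. The following is an added example, not code from FIRST or the CVSS XSD; the element-name-to-abbreviation mapping is assumed from the page's example, and the optional base-score lookup assumes the same element names.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml's drop-in parser

# Element name (as in the page's XML example) -> vector abbreviation, in Vector String order.
# This mapping is an assumption of the example, not taken from the CVSS XSD.
TAGS = [
    ("attack-vector", "AV"), ("attack-complexity", "AC"), ("attack-requirements", "AT"),
    ("privileges-required", "PR"), ("user-interaction", "UI"),
    ("confidentiality-of-vulnerable-system", "VC"), ("integrity-of-vulnerable-system", "VI"),
    ("availability-of-vulnerable-system", "VA"), ("confidentiality-of-subsequent-system", "SC"),
    ("integrity-of-subsequent-system", "SI"), ("availability-of-subsequent-system", "SA"),
]

def vector_from_xml(xml_text):
    """Rebuild the CVSS v4.0 Vector String from the baseGroup of a <cvssv4.0> document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cvssv4.0":
        raise ValueError(f"expected <cvssv4.0> root, found <{root.tag}>")
    group = root.find("baseGroup")
    if group is None:
        raise ValueError("<baseGroup> with all base metrics is mandatory")
    parts = ["CVSS:4.0"]
    for tag, abbr in TAGS:
        el = group.find(tag)
        if el is None or not (el.text or "").strip():
            raise ValueError(f"base metric <{tag}> is missing or empty")
        # Within each v4.0 base metric the allowed values differ in their first letter
        # (NETWORK/ADJACENT/LOCAL/PHYSICAL, NONE/PASSIVE/ACTIVE, ...), so that letter is the code.
        parts.append(f"{abbr}:{el.text.strip()[0].upper()}")
    return "/".join(parts)

def base_score_from_xml(xml_text):
    """Return the optional <base-score> as a float, or None when the document omits it."""
    el = ET.fromstring(xml_text).find("baseGroup/base-score")
    return None if el is None else float(el.text)

# Constructed from the page's minimal CVSS v4.0 XML example (CVE-2023-22394).
SAMPLE = """<cvssv4.0><baseGroup>
<attack-vector>NETWORK</attack-vector><attack-complexity>LOW</attack-complexity>
<attack-requirements>NONE</attack-requirements><privileges-required>NONE</privileges-required>
<user-interaction>NONE</user-interaction>
<confidentiality-of-vulnerable-system>NONE</confidentiality-of-vulnerable-system>
<integrity-of-vulnerable-system>NONE</integrity-of-vulnerable-system>
<availability-of-vulnerable-system>HIGH</availability-of-vulnerable-system>
<confidentiality-of-subsequent-system>NONE</confidentiality-of-subsequent-system>
<integrity-of-subsequent-system>NONE</integrity-of-subsequent-system>
<availability-of-subsequent-system>LOW</availability-of-subsequent-system>
</baseGroup></cvssv4.0>"""
```

The rebuilt vector for the sample equals the vectorString in the page's JSON example for the same CVE, which is the check a consumer of both feeds would run.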

CVSS v3.1 XML Example

Minimal CVSS v3.1 information in XML format:

```xml
<cvssv3.1>
    <base_metrics>
        <attack-vector>LOCAL</attack-vector>
        <attack-complexity>LOW</attack-complexity>
        <privileges-required>NONE</privileges-required>
        <user-interaction>REQUIRED</user-interaction>
        <scope>UNCHANGED</scope>
        <confidentiality-impact>HIGH</confidentiality-impact>
        <integrity-impact>HIGH</integrity-impact>
        <availability-impact>HIGH</availability-impact>
    </base_metrics>
</cvssv3.1>
```

Minimal CVSS v3.1 information with optional Base Score and Base Severity:

```xml
<cvssv3.1>
    <base_metrics>
        <attack-vector>LOCAL</attack-vector>
        <attack-complexity>LOW</attack-complexity>
        <privileges-required>NONE</privileges-required>
        <user-interaction>REQUIRED</user-interaction>
        <scope>UNCHANGED</scope>
        <confidentiality-impact>HIGH</confidentiality-impact>
        <integrity-impact>HIGH</integrity-impact>
        <availability-impact>HIGH</availability-impact>
        <base-score>7.8</base-score>
        <base-severity>HIGH</base-severity>
    </base_metrics>
</cvssv3.1>
```