New CVSS 4.0 vulnerability severity rating standard released

The Forum of Incident Response and Security Teams (FIRST) has officially released CVSS v4.0, the next generation of its Common Vulnerability Scoring System standard, eight years after CVSS v3.0, the previous major version.

CVSS is a standardized framework for assessing the severity of software security vulnerabilities. It assigns numerical scores or qualitative ratings based on exploitability, impact on confidentiality, integrity, and availability, and required privileges, with higher scores denoting more severe vulnerabilities. It helps prioritize responses to security threats by providing a consistent way to evaluate the impact of vulnerabilities and compare risks across different systems and software.

"The revised standard offers finer granularity in base metrics for consumers, removes downstream scoring ambiguity, simplifies threat metrics, and enhances the effectiveness of assessing environment-specific security requirements as well as compensating controls," FIRST said. "Several supplemental metrics for vulnerability assessment have been added, including Automatable, Recovery, Value Density, Vulnerability Response Effort and Provider Urgency."

"A key enhancement to CVSS v4.0 is also the additional applicability to OT/ICS/IoT, with Safety metrics and values added to both the Supplemental and Environmental metric groups."

This latest version also adds a new nomenclature, with Base, Base + Threat, Base + Environmental, and Base + Threat + Environmental severity ratings. The complete list of all changes shipping with the CVSS v4.0 standard, including finer granularity through new Base metrics/values and better impact metrics, is available here.

FIRST unveiled CVSS 4.0 in June, during its 35th annual conference in Montréal, Canada, as a "Cyber sector game-changer," 18 years after the release of CVSS version 1 in February 2005.

"The CVSS system has rapidly developed over the past 18 years, with each version building on our capabilities to defend from cyber criminality. I am immensely proud of the CVSS-SIG for the hard work and dedication it has taken to produce version 4.0. And it is timely as we continue to see a significant rise in threats across the world," said Chris Gibson, FIRST's CEO. "As a membership organization, our goal is to empower our members and the sector, demonstrating leadership and ensuring we are dedicated to continuously improving how we work together to defend people across the globe against cyber-attacks."

Last year, FIRST also published TLP 2.0, the latest version of its Traffic Light Protocol standard, used in the computer security incident response team community when sharing sensitive information.
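The new nomenclature described above depends only on which metric groups a vector actually supplies. As an added example that is not part of the original article, the following parser validates a CVSS v4.0 vector string and derives the CVSS-B / CVSS-BT / CVSS-BE / CVSS-BTE label from it; the metric abbreviations are taken from the published v4.0 specification, which the article does not quote.

```python
# Metric abbreviations of the CVSS v4.0 vector string, taken from the
# published v4.0 specification (the article itself does not quote them).
BASE = {"AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"}
THREAT = {"E"}
ENVIRONMENTAL = {"CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                 "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"}
SUPPLEMENTAL = {"S", "AU", "R", "V", "RE", "U"}
KNOWN = BASE | THREAT | ENVIRONMENTAL | SUPPLEMENTAL


def parse_vector(vector: str) -> dict:
    """Split a 'CVSS:4.0/...' string into {metric: value}.

    Rejects vectors that are not v4.0, that carry unknown or duplicated
    metrics, or that omit any of the mandatory Base metrics.
    """
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or not value or name not in KNOWN:
            raise ValueError(f"malformed metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = BASE - metrics.keys()
    if missing:
        raise ValueError(f"missing Base metrics: {sorted(missing)}")
    return metrics


def nomenclature(metrics: dict) -> str:
    """Return the v4.0 severity nomenclature implied by the groups present.

    Threat and Environmental metrics default to 'X' (Not Defined); a metric
    listed with value 'X' therefore does not upgrade the nomenclature.
    """
    supplied = {m for m, v in metrics.items() if v != "X"}
    label = "CVSS-B"
    if supplied & THREAT:
        label += "T"
    if supplied & ENVIRONMENTAL:
        label += "E"
    return label


def supplemental(metrics: dict) -> dict:
    """Supplemental metrics actually supplied; they never change the score."""
    return {m: v for m, v in metrics.items() if m in SUPPLEMENTAL and v != "X"}
```

The constructed vectors in the checks below are illustrative, not scores of any real vulnerability.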

This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000

