The Common Vulnerability Scoring System (CVSS) is a standard measurement system for describing the characteristics and severity of software vulnerabilities. Every vulnerability is assigned a risk score between 0.0 (no risk) and 10.0 (maximum risk).

Note: The risk rating for container image vulnerabilities differs from the risk severity for workloads because the two are evaluated on different scales. For more information about Kubernetes workload risk scores, see Kubernetes Risk Severity Scoring.
CVSS consists of three metric groups:
  • Base: characteristics of a vulnerability that are constant over time and across user environments.
  • Temporal: characteristics of a vulnerability that might change over time but do not depend on the user environment.
  • Environmental: characteristics of a vulnerability that are relevant and unique to a particular user environment.

For more details, refer to the Common Vulnerability Scoring System SIG maintained by FIRST.

The risk score ranges and their severity ratings are defined as follows.

  Rating     Score
  None       0.0
  Low        0.1 to 3.9
  Medium     4.0 to 6.9
  High       7.0 to 8.9
  Critical   9.0 to 10.0

Note: Vulnerabilities for which the threat vectors are not yet known are grouped under the Unknown severity. This means that the system was able to identify a given artifact as vulnerable, but there might not be a CVE attached to the vulnerability. An Unknown-severity vulnerability can have a score anywhere from 0 to 10.