CVSS scoring

Because severity terminology can vary between projects, Prisma Cloud normalizes severity ratings into a common schema.
Prisma Cloud leverages the CVSS 3.0 scoring system. The CVSS framework captures the principal characteristics of a vulnerability and produces a numerical score that reflects the severity of the vulnerability. CVSS scores range from 0.0 to 10.0. The higher the number, the higher the degree of severity.

Mappings

We only normalize vulnerability ratings for the purpose of creating rules. Console’s Monitoring section shows vendor terminology, not Prisma Cloud’s normalized scores (low, medium, high, critical).
The following table maps popular vendor terminology to Prisma Cloud normalized scores:
Vendor terminology
Prisma Cloud score
Unimportant
Low
Unassigned
Low
Negligible
Low
Not yet assigned
Low
Low
Low
Medium
Medium
Moderate
Medium
High
High
Important
High
Critical
Critical
In the absence of project-specific terminology, Prisma Cloud normalizes using the CVSS base scores defined by NIST. In addition to the numeric CVSS scores, NVD provides severity rankings of Low, Medium, High, and Critical. These qualitative grades are simply derived from the numeric CVSS scores:
CVSS base score
Prisma Cloud severity
0.0 - 3.9
Low
4.0 - 6.9
Medium
7.0 - 8.9
High
9.0 -10.0
Critical
In some cases, the OS vendor’s CVSS scoring and severity rating can differ from NVD’s rating. This is based on the vendor’s analysis of the impact of the CVE specific to their OS and distro, which is the more accurate view of the vulnerability. Prisma Cloud shows the vendor’s rating when reporting findings from workloads running the vendor’s OS, and falls back to NVD’s rating where applicable.
Example:
CVE-2021-33574 has a CVSS 3.0 score of 9.8 and it’s graded as 'critical' by NVD. The same CVE is graded as 'low' by Ubuntu and 'medium' with different CVSS score by Redhat. For workloads running Ubuntu, Prisma Cloud shows Ubuntu’s rating, rather than NVD’s rating.

Recommended For You