Severity levels
Severity levels indicate the assessed level of risk, as one of Critical / High / Medium / Low:
Level | Description |
---|---|
Critical | This may allow attackers to access sensitive data and run code on your application |
High | This may allow attackers to access sensitive data in your application |
Medium | Under some conditions, this may allow attackers to access sensitive data on your application |
Low | The application may expose some data that allows vulnerability mapping, which can be combined with other vulnerabilities to attack the application |
Severity levels are one factor feeding into Snyk's Priority Score for each vulnerability, along with factors such as Snyk’s Exploit Maturity and Reachable Vulnerabilities information.
Severity levels are displayed throughout Snyk, so this information is visible wherever a vulnerability is shown.
For example, in the Pending tasks section of the Dashboard:
Severity levels in Projects
And for each vulnerability in a project:
Severity levels in vulnerabilities
The Common Vulnerability Scoring System (CVSS) determines the severity level of a vulnerability.
At Snyk, we use CVSS framework version 3.1 to communicate the characteristics and severity of vulnerabilities.
Level | CVSS score |
---|---|
Critical | 9.0 - 10.0 |
High | 7.0 - 8.9 |
Medium | 4.0 - 6.9 |
Low | 0.0 - 3.9 |
The severity level and score are derived from the CVSS Base Score, which is calculated from the Base Metrics only. The Temporal Score, calculated from the Temporal Metrics, does not set the severity level; it feeds into the Priority Score instead.
Severity levels may not always align with CVSS scores. For example, Snyk Container severity scores for Linux vulnerabilities may vary depending on NVD severity rankings; see Understanding Linux vulnerability severity for more details.
- When evaluating the severity of a vulnerability, note that there is no single CVSS vector: multiple vendors publish their own CVSS vectors, the National Vulnerability Database (NVD) being one of them.
- The majority of vulnerabilities published by Snyk originate from proprietary research, public information sources, or third-party disclosures.
- For example, when Snyk discovered the Critical severity Spring4Shell vulnerability, Snyk published the advisory, including its CVSS vector analysis, on March 30th, 2022, before an official CVE was assigned and before NVD conducted its own analysis, which was published nine days later, on April 8th, 2022.
- Some differences between CVSS vectors are normal and expected. Vendors assess the likelihood of particular attack vectors differently, which produces discrepancies, and judgments must be made about them in a way that makes sense for the application and use cases of open-source software users.
- A vulnerability's severity is influenced by a variety of factors, including whether it is assessed from a "red team" (attacker) angle or a "blue team" (defender) angle. To arrive at an objective and actionable rating, Snyk analysts examine the full range of data, from vendors to reporters to attackers.
- Sometimes a vendor discovers additional information about a vulnerability that affects its severity. All the information Snyk used to determine the severity is curated in the advisory's description and references.