Severity levels

A severity level is applied to a vulnerability, to indicate the risk for that vulnerability in an application.
Severity levels are key factors in vulnerability assessment, and can be:
Severity level | Description
Critical       | This may allow attackers to access sensitive data and run code on your application.
High           | This may allow attackers to access sensitive data in your application.
Medium         | Under some conditions, this may allow attackers to access sensitive data on your application.
Low            | The application may expose some data that allows vulnerability mapping, which can be used with other vulnerabilities to attack the application.
Severity levels also apply to license issues. See Licenses overview.

Determining severity levels

The Common Vulnerability Scoring System (CVSS) determines the severity level of a vulnerability.
At Snyk, we use CVSS framework version 3.1 to communicate the characteristics and severity of vulnerabilities.
Severity level | CVSS score
Low            | 0.0 - 3.9
Medium         | 4.0 - 6.9
High           | 7.0 - 8.9
Critical       | 9.0 - 10.0
The severity level and score are determined from the CVSS Base Score, which is calculated from the Base Metrics only. The Temporal Score, which is based on the Temporal Metrics, affects the Priority Score instead.
Severity levels may not always align with CVSS scores. For example, Snyk Container severity scores for Linux vulnerabilities may vary depending on NVD severity rankings; see Understanding Linux vulnerability severity for more details.

Understanding Snyk's Vulnerability Analysis

Why are there multiple CVSS Scores for the same vulnerability?
  • When evaluating the severity of a vulnerability, it's important to note that there is no single CVSS vector - there are multiple CVSS vectors defined by multiple vendors, with the National Vulnerability Database (NVD) being one of them.
  • The majority of vulnerabilities published by Snyk originate from proprietary research, public information sources, or through 3rd party disclosures.
  • For example, when Snyk discovered the Critical severity Spring4Shell vulnerability, the advisory was published on March 30th, 2022, with the CVSS vector analysis, before an official CVE was assigned and before NVD conducted their analysis, which was published 9 days later, on April 8th, 2022.
  • Having some differences in CVSS vectors is normal and expected. Differing judgments about the likelihood of certain attack vectors produce discrepancies, and those judgments need to be made in a way that makes sense for the application and use cases of open-source software users.
  • A vulnerability's severity is influenced by a variety of factors, including whether it comes from a "red team" angle or a "blue team" angle. To arrive at an objective and actionable rating, Snyk analysts examine the full range of data - from vendors to reporters to attackers.
  • There are times when a vendor discovers additional information about a vulnerability that can affect its severity. Users can find all the relevant information used to determine the severity that Snyk curated in the advisory's description and references.

Severity and priority scoring

Severity levels are one factor feeding into Snyk's Priority Score for each vulnerability, along with factors such as Snyk’s Exploit Maturity and Reachable Vulnerabilities information. Together, this scoring helps developers determine which vulnerabilities should be addressed first.
See Snyk Priority Score for details of how severity levels are used in Snyk's priority scores.

Viewing severity levels in Snyk

Severity levels are displayed throughout Snyk, so this information is always visible.
For example, in the Pending tasks section of the Dashboard:
Associated with your Projects:
And for each vulnerability in a project:
© 2022 Snyk Limited