Severity levels

Use severity levels to help you with vulnerability assessment for your applications. Severity levels indicate the assessed level of risk, as Critical, High, Medium, or Low. Snyk reports the number of vulnerabilities at each level of severity in many places in the Snyk application. The display varies.

Severity levels also apply to license issues. See Licenses.

The severity levels are defined in the following table.

| Level | Description |
| --- | --- |
| Critical | May allow attackers to access sensitive data and run code on your application |
| High | May allow attackers to access sensitive data in your application |
| Medium | Under some conditions, may allow attackers to access sensitive data on your application |
| Low | Application may expose some data that allows vulnerability mapping, which can be used with other vulnerabilities to attack the application |

Severity levels and Priority Score

Severity levels are one factor used in determining the Snyk Priority Score for each vulnerability. Other factors include Snyk Exploit Maturity and Reachable Vulnerabilities information.

See Snyk Priority Score for details.

How to view severity levels

Severity levels are displayed throughout Snyk, to keep this information visible at all times.

For example, the severity levels appear in the Pending tasks section of the Dashboard.

Severity levels are displayed in association with your Snyk Projects.

The number of issues at each severity level is also displayed in the left sidebar of an issue card.

How Snyk determines severity levels

Severity levels and CVSS

The Common Vulnerability Scoring System (CVSS) determines the severity level of a vulnerability.

Snyk uses the CVSS framework version 3.1 to designate the characteristics and severity of vulnerabilities.

| Level | CVSS score |
| --- | --- |
| Critical | 9.0 - 10.0 |
| High | 7.0 - 8.9 |
| Medium | 4.0 - 6.9 |
| Low | 0.0 - 3.9 |

The severity level and score are determined based on the CVSS Base Score calculations using the Base Metrics. The Temporal Score, based on the Temporal Metrics, affects the Priority Score.

See Scoring security vulnerabilities 101: Introducing CVSS for CVEs.

Severity levels may not always align with CVSS scores. For example, Snyk Container severity scores for Linux vulnerabilities may vary depending on NVD severity rankings; see Understanding Linux vulnerability severity for details.

Why are there multiple CVSS Scores for the same vulnerability?

There are multiple CVSS Scores for the same vulnerability for several reasons:

  • When evaluating the severity of a vulnerability, it is important to note that there is no single CVSS vector. There are multiple CVSS vectors defined by multiple vendors; the National Vulnerability Database (NVD) is one.

  • The majority of vulnerabilities published by Snyk originate from proprietary research, public information sources, or through third-party disclosures. For example, when Snyk discovered the Critical Severity Spring4Shell vulnerability, the advisory was published on March 30, 2022, with the CVSS vector analysis. This was before an official CVE was assigned and before NVD conducted its analysis, which was published nine days later on April 8, 2022.

  • Having some differences in CVSS vectors is normal and expected. Assessing the likelihood of certain attack vectors involves judgment, so analysts can reach different conclusions that each make sense for the application and use cases of open source software users.

  • The severity of a vulnerability is influenced by a variety of factors, including whether it comes from a "red team" angle or a "blue team" angle. To arrive at an objective and actionable rating, Snyk analysts examine the full range of data, from vendors to reporters to attackers.

  • There are times when a vendor discovers additional information about a vulnerability that can affect its severity. Users can find all the relevant information used to determine the severity that Snyk curated in the description and references of the advisory.

Severity levels and CCSS

The Common Configuration Scoring System (CCSS), developed by the National Institute of Standards and Technology (NIST) and derived from CVSS, measures the severity of software security configuration issues.

Snyk uses the CCSS to designate the characteristics and severity of IaC+ vulnerabilities and misconfigurations.

| Level | CCSS score |
| --- | --- |
| Critical | 9.0 - 10.0 |
| High | 7.0 - 8.9 |
| Medium | 4.0 - 6.9 |
| Low | 0.0 - 3.9 |

The severity level and score are determined based on the CCSS Base Score calculations using the Base Metrics.
