Severity levels
Use severity levels to help you with vulnerability assessment for your applications.
Introduction to Snyk severity levels
Severity levels indicate the assessed level of risk, as one of Critical / High / Medium / Low:
Critical: This may allow attackers to access sensitive data and run code on your application.
High: This may allow attackers to access sensitive data in your application.
Medium: Under some conditions, this may allow attackers to access sensitive data on your application.
Low: The application may expose some data that allows vulnerability mapping, which can be used with other vulnerabilities to attack the application.
Severity levels and Priority Scores
Severity levels are one factor feeding into Snyk's Priority Score for each vulnerability, along with factors such as Snyk's Exploit Maturity and Reachable Vulnerabilities information.
See Snyk Priority Score for details.
Viewing severity levels
Severity levels are displayed throughout Snyk, so the rating is visible wherever a vulnerability is listed: for example, in the Pending tasks section of the Dashboard, alongside each of your Snyk Projects, and for each vulnerability within a project.
Determining severity levels
Severity levels and CVSS
The Common Vulnerability Scoring System (CVSS) determines the severity level of a vulnerability.
At Snyk, we use CVSS framework version 3.1 to communicate the characteristics and severity of vulnerabilities.
Level      CVSS score
Critical   9.0 - 10.0
High       7.0 - 8.9
Medium     4.0 - 6.9
Low        0.0 - 3.9
The severity level and score are determined based on the CVSS Base Score calculations using the Base Metrics. The Temporal Score, based on the Temporal Metrics, affects the Priority Score.
See Scoring security vulnerabilities 101: Introducing CVSS for CVEs.
Why are there multiple CVSS Scores for the same vulnerability?
When evaluating the severity of a vulnerability, note that there is no single CVSS vector: multiple vendors publish their own CVSS vectors, the National Vulnerability Database (NVD) being one of them.
The majority of vulnerabilities published by Snyk originate from proprietary research, public information sources, or third-party disclosures.
For example, when Snyk discovered the Critical severity Spring4Shell vulnerability, the advisory, including the CVSS vector analysis, was published on March 30th, 2022, before an official CVE had been assigned and before NVD had conducted its analysis, which was published 9 days later, on April 8th, 2022.
Some differences between CVSS vectors are normal and expected. Assessments of how likely certain attack vectors are will produce discrepancies, and judgments about them need to be made in a way that makes sense for the application and use cases of open-source software users.
A vulnerability's severity is influenced by a variety of factors, including whether it comes from a "red team" angle or a "blue team" angle. To arrive at an objective and actionable rating, Snyk analysts examine the full range of data - from vendors to reporters to attackers.
There are times when a vendor discovers additional information about a vulnerability that can affect its severity. Users can find all the relevant information Snyk used to determine the severity in the advisory's description and references.