NVD Retires CVSS v2 for New Analysis


nvd-news

Aug 4, 2022, 3:59:06 PM
to nvd-news
NVD Retires CVSS v2 for New Analysis

As of July 13th, 2022, the NVD will no longer generate Vector Strings, Qualitative Severity Ratings, or Severity Scores for CVSS v2. Existing CVSS v2 information will remain in the database but the NVD will no longer actively populate CVSS v2 for new CVEs. This change comes as CISA policies that rely on NVD data fully transition away from CVSS v2.

NVD analysts will continue to use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, CVSS v3.1, CWE, and CPE Applicability statements.

CVSS is the result of collaboration between dozens of security professionals, representing commercial, non-commercial and academic sectors. Version 2 has been included in the NVD since 2007; versions 3.0 and 3.1 have been included in the NVD since their release in 2015 and 2019, respectively. Led by FIRST’s CVSS-SIG team, work is already underway to develop CVSS v4. The NVD expects to begin introducing components of CVSS v4 in 2023.

This announcement is available on our website at https://nvd.nist.gov/General/News/retire-cvss-v2.

V/r,
The National Vulnerability Database Team