The following information explains how the criticality levels as a general guideline for determining security risk levels.
This page is split into 2 sections. The first section is the guideline for all advisories published after August 6th, 2014. The second section describes how criticality levels were determined prior to that date.
The current security advisory risk level system is based on the NIST Common Misuse Scoring System (NISTIR 7864). Each vulnerability is scored using this system and a number is assigned between 0 and 25. The total points are used to give a text description to make the numbers easier to understand:
- scores between 0 and 4 are considered Not Critical
- 5 to 9 is considered Less Critical
- 10 to 14 is considered Moderately Critical
- 15 to 19 is considered Critical
- 20 to 25 is considered Highly Critical
The risk level is assigned by the Risk Calculator which takes 6 different metrics, each which can have 3 different values. This is encoded in a terse format and included on every Security Advisory in the "Security risk" field. The below table provides longer descriptions and point scores for each category.
How difficult is it for the attacker to leverage the vulnerability?
What privilege level is required for an exploit to be successful?
Does this vulnerability cause non-public data to be accessible?
Can this exploit allow system data (or data handled by the system) to be compromised?
|E||Exploit (Zero-day impact)||
Does a known exploit exist?
What percentage of users are affected?
- Understanding Drupal Security Advisories: The Risk Calculator: an article by David Snopek (a member of the Drupal Security Team)
Risk levels for advisories prior to Summer 2014
|Highly Critical||Remotely exploitable vulnerabilities that can compromise the system. Interaction is not normally required for this exploit to be successful. Exploits have occurred to systems.
Previous examples include: Local file inclusion on Windows, Impersonation, privilege escalation
|Critical||Remotely exploitable Denial of Service (DOS) vulnerabilities that can compromise the system but do require user interaction. Vulnerabilities that may allow anonymous users (i.e. users not registered at the site) to log in as a site user or take administrative actions. Interaction (such as an administrator viewing a particular page) may be required for this exploit to be successful, or in cases where interaction is not required (such as CSRF) the exploit causes only minor damage.
Previous examples include: OpenID impersonation, SQL injection
|Moderately Critical||Remotely exploitable vulnerabilities that can compromise the system. Interaction (such as an administrator viewing a particular page) is required for this exploit to be successful. Exploits have not yet occurred on systems when vulnerability was disclosed. The exploit requires the user to be registered at the site and have some non-default permission, such as creating content.
Previous examples include: Cross Site Scripting, Access bypass
|Less Critical||Used for cross-site request forgery vulnerabilities as well as privilege escalation vulnerabilities which require complex chains of events.
This rating also includes vulnerabilities which might expose sensitive data to local users.
Previous examples include: Session fixation, Cross site request forgery
|Not Critical||Rating is used for limited privilege escalation vulnerabilities and local Denial of Service (DOS) vulnerabilities.
Previous examples include: Access bypass, Failure to encrypt data