Last updated 21 August 2016. Created on 18 August 2009.
Edited by drumm, NuWans, greggles, dsnopek. Log in to edit this page.

The following information explains how the criticality levels as a general guideline for determining security risk levels.

This page is split into 2 sections. The first section is the guideline for all advisories published after August 6th, 2014. The second section describes how criticality levels were determined prior to that date.

Risk Calculator

The current security advisory risk level system is based on the NIST Common Misuse Scoring System (NISTIR 7864). Each vulnerability is scored using this system and a number is assigned between 0 and 25. The total points are used to give a text description to make the numbers easier to understand:

  • scores between 0 and 4 are considered Not Critical
  • 5 to 9 is considered Less Critical
  • 10 to 14 is considered Moderately Critical
  • 15 to 19 is considered Critical
  • 20 to 25 is considered Highly Critical

The risk level is assigned by the Risk Calculator which takes 6 different metrics, each which can have 3 different values. This is encoded in a terse format and included on every Security Advisory in the "Security risk" field. The below table provides longer descriptions and point scores for each category.

Risk metrics used
Code Metric Description
AC Access complexity

How difficult is it for the attacker to leverage the vulnerability?

  • AC:None = None (user visits page) +4 points
  • AC:Basic = Basic or routine (user must follow specific path) +2 points
  • AC:Complex = Complex or highly specific (multi-step, unintuitive process with high number of dependencies) +1 point
A Authentication

What privilege level is required for an exploit to be successful?

  • A:None = None (all/anonymous users) +4 points
  • A:User = User-level access (basic/commonly assigned permissions) +2 points
  • A:Admin = Administrator (broad permissions required where 'restrict access' is set to false) +1 point
CI Confidentiality impact

Does this vulnerability cause non-public data to be accessible?

  • CI:All = All non-public data is accessible +5 points
  • CI:Some = Certain non-public data is released +3 points
  • CI:None = No confidentiality impact +0 points
II Integrity impact

Can this exploit allow system data (or data handled by the system) to be compromised?

  • II:All = All data can be modified or deleted +5 points
  • II:Some = Some data can be modified +3 points
  • II:None = Data integrity remains intact +0 points
E Exploit (Zero-day impact)

Does a known exploit exist?

  • E:Exploit = Exploit exists (documented or deployed exploit code already in the wild) +3 points
  • E:Proof = Proof of concept exists (documented methods for developing exploit exist in the wild) +2 points
  • E:Theoretical = Theoretical or white-hat (no public exploit code or documentation on development exists) +1 point
TD Target distribution

What percentage of users are affected?

  • TD:All = All module configurations are exploitable +3 points
  • TD:Default = Default or common module configurations are exploitable, but a config change can disable the exploit +2 points
  • TD:Uncommon = Only uncommon module configurations are exploitable +1 points

External resources

Risk levels for advisories prior to Summer 2014

Risk Level Description
Highly Critical Remotely exploitable vulnerabilities that can compromise the system. Interaction is not normally required for this exploit to be successful. Exploits have occurred to systems.

Previous examples include: Local file inclusion on Windows, Impersonation, privilege escalation

Critical Remotely exploitable Denial of Service (DOS) vulnerabilities that can compromise the system but do require user interaction. Vulnerabilities that may allow anonymous users (i.e. users not registered at the site) to log in as a site user or take administrative actions. Interaction (such as an administrator viewing a particular page) may be required for this exploit to be successful, or in cases where interaction is not required (such as CSRF) the exploit causes only minor damage.

Previous examples include: OpenID impersonation, SQL injection

Moderately Critical Remotely exploitable vulnerabilities that can compromise the system. Interaction (such as an administrator viewing a particular page) is required for this exploit to be successful. Exploits have not yet occurred on systems when vulnerability was disclosed. The exploit requires the user to be registered at the site and have some non-default permission, such as creating content.

Previous examples include: Cross Site Scripting, Access bypass

Less Critical Used for cross-site request forgery vulnerabilities as well as privilege escalation vulnerabilities which require complex chains of events.
This rating also includes vulnerabilities which might expose sensitive data to local users.

Previous examples include: Session fixation, Cross site request forgery

Not Critical Rating is used for limited privilege escalation vulnerabilities and local Denial of Service (DOS) vulnerabilities.

Previous examples include: Access bypass, Failure to encrypt data

Looking for support? Visit the forums, or join #drupal-support in IRC.