v3.1 vs v4.0: Side-by-Side Comparison

2. v3.1 vs v4.0: Side-by-Side with Real CVEs

Understanding the practical differences requires seeing the same vulnerability scored under both versions.

Example A: Log4Shell (CVE-2021-44228)

CVSS v3.1 vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Score: 10.0 Critical

CVSS v4.0 equivalent:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Score: 10.0 Critical

What changed: The "Scope:Changed" in v3.1 is now explicit as SC:H/SI:H/SA:H.
In v4.0, you can see exactly what the downstream impact is, not just that scope
"changed". Both scores are 10.0 — the difference is expressiveness.

Example B: PrintNightmare (CVE-2021-34527) — Where Scoring Complexity Matters

CVSS v3.1:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 8.8 High

CVSS v4.0:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Score: 9.8 Critical

Key difference: v4.0 scores the DOMAIN CONTROLLER scenario higher because
SC:H/SI:H/SA:H explicitly captures that compromising a domain-joined system
enables domain-level compromise (subsequent system impact).

In v3.1, Scope:Unchanged kept it at 8.8. In v4.0, if the subsequent system
(Active Directory) has high CIA impact, the score correctly reflects that
a low-privilege exploit can ultimately lead to domain domination.

Example C: A Local Privilege Escalation — Where v4.0 Scores Lower

Vulnerability: Local service running as SYSTEM, exploitable by an authenticated user.
No network access, no subsequent system impact.

CVSS v3.1:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 7.8 High

CVSS v4.0:
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Score: 7.3 High

v4.0 is more accurate: SC:N/SI:N/SA:N explicitly states that no downstream
systems are affected. This is a pure local privilege escalation with no
lateral movement potential.

Key Scoring Differences Summary

| Scenario | v3.1 Score | v4.0 Score | Why |
|---|---|---|---|
| Remote unauthenticated RCE with lateral movement | 10.0 | 10.0 | Identical worst-case |
| RCE on domain-joined host (domain compromise possible) | 8.8 | 9.8 | v4.0 captures AD cascade via SC/SI/SA |
| Local privesc, isolated system | 7.8 | 7.3 | v4.0 explicitly zeros SC/SI/SA |
| OT vulnerability, local physical access | 6.8 | 6.9 | Minor numeric difference, AT precision |
| Auth bypass → read-only data | 7.5 | 6.4 | v4.0 separates VS/SS impact more precisely |

Practical Exercise: Translate a v3.1 Vector to v4.0

Take any CVE with a CVSS v3.1 vector from NVD and apply this mapping:

v3.1 → v4.0 field mapping:

AV → AV (unchanged)
AC → AC (unchanged, but v3.1 AC is split in v4.0: AC captures bypass effort, AT captures deployment preconditions; see AT below)
PR → PR (unchanged)
UI → UI (N unchanged; R → P "Passive"; no A equivalent in v3.1)
S → (dropped) Replace Scope:Changed with SC/SI/SA values
C → VC (Vulnerable System Confidentiality)
I → VI (Vulnerable System Integrity)
A → VA (Vulnerable System Availability)

If S:Changed, also populate SC/SI/SA:
Scope:Changed + C:H → SC:H
Scope:Changed + I:H → SI:H
Scope:Changed + A:H → SA:H
(Use the same C/I/A values for subsequent system if Scope:Changed)

If S:Unchanged:
SC:N / SI:N / SA:N (no downstream impact documented)

New in v4.0 (no v3.1 equivalent):
AT: N (default unless non-default config required for exploitability)

Try it: the v3.1 vector for CVE-2022-26134 (Confluence OGNL injection) is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical).

Step 1: Copy base exploitability — AV:N / AC:L / PR:N / UI:N
Step 2: Add AT:N (no special deployment config needed for Confluence default install)
Step 3: Scope:Unchanged → VC:H / VI:H / VA:H (same as C/I/A)
Step 4: Scope:Unchanged → SC:N / SI:N / SA:N

Result:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Score: 9.3 Critical (slightly lower — v4.0 recognizes Scope:Unchanged more precisely)

Verify at: FIRST.org CVSS v4.0 Calculator
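
The field mapping and the four steps above, written as a translator. This is an added example, not code from the original guide or from FIRST; the names `parse_v31` and `v31_to_v40` and the `at` parameter are assumptions of this example, and it produces only the v4.0 vector, not the score.

```python
# Added example: mechanical v3.1 -> v4.0 base-vector translation per the mapping above.
# Allowed values for each v3.1 base metric (CVSS v3.1 specification).
V31_BASE = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
            "S": "UC", "C": "HLN", "I": "HLN", "A": "HLN"}
UI_MAP = {"N": "N", "R": "P"}  # the page's mapping: Required -> Passive


def parse_v31(vector: str) -> dict:
    """Return the eight base metrics of a CVSS:3.1 vector, validating each value."""
    prefix, _, rest = vector.strip().partition("/")
    if prefix != "CVSS:3.1":
        raise ValueError(f"not a CVSS v3.1 vector: {vector!r}")
    metrics = {}
    for part in rest.split("/"):
        name, _, value = part.partition(":")
        if name not in V31_BASE:
            continue  # temporal/environmental metrics are outside this mapping
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        if len(value) != 1 or value not in V31_BASE[name]:
            raise ValueError(f"invalid value {part!r}")
        metrics[name] = value
    missing = [m for m in V31_BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {', '.join(missing)}")
    return metrics


def v31_to_v40(vector: str, at: str = "N") -> str:
    """Translate a v3.1 base vector to a v4.0 base vector (no score is computed)."""
    if at not in ("N", "P"):  # AT is an analyst decision: None or Present
        raise ValueError("AT must be N or P")
    m = parse_v31(vector)
    changed = m["S"] == "C"
    out = [("AV", m["AV"]), ("AC", m["AC"]), ("AT", at), ("PR", m["PR"]),
           ("UI", UI_MAP[m["UI"]]),
           ("VC", m["C"]), ("VI", m["I"]), ("VA", m["A"]),
           # Scope:Changed copies C/I/A to the subsequent system; Unchanged zeroes it
           ("SC", m["C"] if changed else "N"),
           ("SI", m["I"] if changed else "N"),
           ("SA", m["A"] if changed else "N")]
    return "CVSS:4.0/" + "/".join(f"{k}:{v}" for k, v in out)


if __name__ == "__main__":
    # CVE-2022-26134 vector from the exercise above
    print(v31_to_v40("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"))
```

For Example B's v3.1 vector (S:U) this mapping yields SC:N/SI:N/SA:N; the SC:H/SI:H/SA:H shown there is an analyst's re-assessment of downstream impact, which a mechanical translation cannot supply.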


| Chapter | What you'll find |
|---|---|
| Introduction | Why Base scores are wrong 95% of the time |
| Vector String Anatomy | Full metric reference with decision rules |
| Scoring Lifecycle | How to move from CVSS-B to CVSS-BTE |
| Worked Examples | Side-by-side comparisons on real CVEs |