This description is a refinement of the Debian Security team severity level description.
- Remote means that the attacker is acting on a system without being authenticated
- Local means that the attacker has to be authenticated on the system and has shell access or physical access to the machine.
For libraries the reverse dependencies should be checked to get an understanding of the impact. For example if the vulnerability require user interaction or not.
Critical
- Remote root access without need of authentication and do not need to persuade a target user
- High impact denial of service
High
Security issues that should be fixed or at least a workaround being implemented.
- Remote arbitrary code execution
- Remote privilege escalation
- Significant defects in cryptographic software
- The attack vector is very wide
- Significant data loss
- Significant downtime
medium
- Arbitrary code execution after user interaction
- Privilege escalation when authenticated
- Remote privilege escalation if constrained to the application
- Cross site scripting
- Remote denial of service
- Social engineering required
low
- /tmp file races
- Local denial of service
- Physical access required
- Remote denial of service that require special actions from the potentially affected user, like uploading a file
- Insecure default configuration (that is common knowledge)
unimportant:
- Debian binaries not affected
- Exploitable if the software is setuid root (and the binary is not that in Debian)
- Exploitable if someone already have administrative privileges
- PHP safe mode bugs
- Vulnerable file in example documentation
- Exploitable with a faulty configuration