2.3 Given a scenario, analyze data to prioritize vulnerabilities.
📘CompTIA CySA+ (CS0-003)
The Common Vulnerability Scoring System (CVSS) is a standardized way to rate the severity of vulnerabilities in software, hardware, or network systems. Each vulnerability gets a score from 0.0 to 10.0, with 10.0 being the most severe. Understanding the score, and the metrics behind it, helps cybersecurity analysts decide which vulnerabilities to fix first.
CVSS is broken into metrics that describe how a vulnerability can be exploited and what its impact is. These metrics are split into three groups: Base (intrinsic properties that do not change over time), Temporal (factors that change over time, such as whether a working exploit is public), and Environmental (adjustments for your own organization's assets and controls). For CySA+, the Base metrics are the most important, and the ones described below are the CVSS v3.x base metrics.
CVSS Base Metrics
These metrics show the fundamental characteristics of a vulnerability, focusing on how it can be exploited and what damage it can do.
1. Attack Vector (AV)
This tells you how the attacker can reach the vulnerability. The more remote an attacker can be, the larger the pool of potential attackers, and the easier the vulnerability is to exploit at scale.
- Network (N): Can be exploited remotely over a network (e.g., a vulnerability in a web server that anyone on the internet can target).
- Adjacent (A): Requires access to the same local network (e.g., a Wi-Fi network or internal LAN).
- Local (L): Requires the ability to run code or log in on the target system itself, for example through an SSH session or an existing local user account, rather than reaching it over the network.
- Physical (P): Requires physical contact with the device (e.g., plugging in a USB to exploit a vulnerability).
Key idea: The more remote the attacker can be, the higher the CVSS score.
2. Attack Complexity (AC)
This measures how hard it is to exploit the vulnerability.
- Low (L): Easy to exploit; no special conditions needed.
- High (H): Hard to exploit; requires special conditions, timing, or additional steps.
Example in IT terms: A flaw triggered by a single crafted HTTP request is low complexity, while one that requires winning a race condition or first obtaining a man-in-the-middle position on the network path is high complexity, because those conditions are outside the attacker's direct control.
3. Privileges Required (PR)
This tells you what level of access the attacker must already have to exploit the vulnerability.
- None (N): The attacker does not need any login or permissions.
- Low (L): The attacker needs a standard user account.
- High (H): The attacker needs administrative or root access.
Key idea: The fewer privileges needed, the more severe the vulnerability.
4. User Interaction (UI)
This measures whether the attacker needs someone else to do something (like click a link) to exploit the vulnerability.
- None (N): The attack does not need any action from the user.
- Required (R): A user must take an action, like opening a malicious email or file.
Key idea: Vulnerabilities that don’t need user interaction are easier to exploit.
5. Scope (S)
Scope measures whether the vulnerability affects only the vulnerable component or if it can impact other connected components.
- Unchanged (U): Exploit affects only the vulnerable system/component.
- Changed (C): Exploit crosses a security boundary and affects a component managed by a different authority (e.g., a guest-to-host escape in a hypervisor, or a cross-site scripting flaw where the vulnerable component is the web server but the impacted component is the victim's browser).
Key idea: If scope is changed, the CVSS score is higher because the impact spreads.
CVSS Impact Metrics
Impact metrics describe what damage the vulnerability causes to the system. They are divided into Confidentiality, Integrity, and Availability (CIA).
1. Confidentiality (C)
- Measures whether restricted information can be read by the attacker.
- High (H): Total loss of confidentiality; all data in the impacted component is exposed, or the attacker obtains specific high-value data such as an administrator password or a private key.
- Low (L): Some restricted data is exposed, but the attacker does not control what is obtained or the amount is limited.
- None (N): No data exposure.
Example: An SQL injection vulnerability could let an attacker read the user database, impacting confidentiality.
2. Integrity (I)
- Measures if data can be modified, destroyed, or tampered with.
- High (H): Full control over data modification.
- Low (L): Partial or minor modification.
- None (N): No effect on data integrity.
Example: A vulnerability in a configuration management system could allow unauthorized changes to server configurations.
3. Availability (A)
- Measures if the system can be disrupted or made unavailable.
- High (H): System goes offline completely.
- Low (L): Partial loss of functionality.
- None (N): No impact on availability.
Example: A denial-of-service vulnerability in a web application could prevent users from accessing services.
How CVSS Scores Help Prioritize Vulnerabilities
By combining the exploitability metrics (AV, AC, PR, UI, S) with the impact metrics (C, I, A), CVSS calculates a base score from 0.0 to 10.0. The CVSS v3.x qualitative rating scale maps that score to a severity, and analysts use the severity to plan remediation:
| CVSS Score | Severity | Action |
|---|---|---|
| 0.0 | None | No action required |
| 0.1–3.9 | Low | Monitor or fix later |
| 4.0–6.9 | Medium | Plan to fix soon |
| 7.0–8.9 | High | Fix as a priority |
| 9.0–10.0 | Critical | Immediate remediation |
Keep in mind that the base score measures severity, not risk: a Medium on an internet-facing system holding sensitive data may deserve attention before a High on an isolated test box, which is what the Environmental metrics are for.
Example scenario in IT:
A remote code execution vulnerability in a public-facing web server (Network, Low complexity, No privileges, No user interaction, Scope changed, High CIA impact) has the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H and a base score of 10.0, which is Critical and requires immediate patching. The same flaw with Scope unchanged (S:U) scores 9.8, still Critical.
✅ Exam Tips for CySA+
- Memorize all CVSS base metrics and what each level means.
- Remember: Remote, easy, no privileges, no user interaction = higher severity.
- Always consider CIA impact to evaluate the business risk.
- Know the CVSS score ranges for prioritization (low, medium, high, critical).
- Be ready to analyze scenarios and rank vulnerabilities based on the CVSS factors.
