CVSS Metrics
This is covered in the CompTIA CySA+ course.
Here are some examples of metrics used in the Common Vulnerability Scoring System (CVSS):
Attack Vector (AV)
How an attack can be executed, with higher scores for remote attacks:
Network (N): Remotely exploitable
Adjacent (A): Requires network adjacency for exploitation
Local (L): Not exploitable over a network
Physical (P): Requires physical interaction with the target system
Attack Complexity (AC)
How difficult it is to execute the attack:
Low: Easier to exploit
High: More challenging to exploit
Privileges Required (PR)
The level of access needed to exploit the vulnerability:
None: Unauthenticated
User Interaction (UI)
Whether the attacker needs to involve a user in the exploit:
Passive: The user has to do something unintentionally, like accidentally visiting a malicious website
Active: The user has to take a deliberate action, like executing a malicious Office macro
Scope (S)
Whether the exploit affects only the local security context:
Unchanged (U): The impact stays within the vulnerable component's security context
Changed (C): The impact reaches beyond the vulnerable component's security context
Confidentiality (C)
High (H), Low (L), or None (N)
Integrity (I)
High (H), Low (L), or None (N)
Availability (A)
High (H), Low (L), or None (N)
Score Categories
Score | Description
0 | None
0.1+ | Low
4.0+ | Medium
7.0+ | High
9.0+ | Critical
Here is a link to a CVSS calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator