Recall & Review
beginner
What does CVSS stand for in cybersecurity?
CVSS stands for Common Vulnerability Scoring System. It is a standardized way to measure the severity of security vulnerabilities.
intermediate
Name the three metric groups used in CVSS to score vulnerabilities.
The three metric groups are: 1. Base Metrics - intrinsic qualities of a vulnerability. 2. Temporal Metrics - characteristics that change over time. 3. Environmental Metrics - specific to a user’s environment.
beginner
What does the Base Score in CVSS represent?
The Base Score represents the fundamental severity of a vulnerability. It is calculated from metrics that do not change over time or across environments.
intermediate
Why are Temporal Metrics important in CVSS?
Temporal Metrics adjust the Base Score based on factors like exploit code maturity, remediation level, and report confidence, reflecting how the risk changes over time.
intermediate
How do Environmental Metrics affect the CVSS score?
Environmental Metrics customize the CVSS score to reflect the impact of a vulnerability in a specific environment, considering factors like security controls and importance of affected systems.
What is the primary purpose of CVSS?
A. To measure the severity of security vulnerabilities
B. To create software patches
C. To encrypt data
D. To monitor network traffic
CVSS is designed to provide a standardized way to measure how severe a vulnerability is.
Which CVSS metric group includes factors like exploit code maturity?
A. Environmental Metrics
B. Base Metrics
C. Temporal Metrics
D. Network Metrics
Temporal Metrics include factors that change over time, such as exploit code maturity.
Which CVSS metric group is specific to the user’s environment?
A. Temporal Metrics
B. Environmental Metrics
C. Base Metrics
D. Physical Metrics
Environmental Metrics adjust the score based on the specific environment where the vulnerability exists.
What does a higher CVSS Base Score indicate?
A. Higher severity
B. Lower severity
C. More network traffic
D. Better system performance
A higher Base Score means the vulnerability is more severe.
Which of the following is NOT a CVSS metric group?
A. Base Metrics
B. Temporal Metrics
C. Environmental Metrics
D. Operational Metrics
Operational Metrics is not part of CVSS; the three groups are Base, Temporal, and Environmental.
Explain the three main metric groups of CVSS and their roles in vulnerability scoring.
Think about what stays the same, what changes over time, and what depends on your environment.
Describe why CVSS is useful for organizations managing cybersecurity risks.
Consider how knowing severity helps in fixing problems.
Practice
1. What does the CVSS Base Score primarily measure in vulnerability classification?
easy
A. The inherent severity of a vulnerability without considering time or environment
B. The current exploitability of a vulnerability based on available patches
C. The impact of a vulnerability on a specific organization's environment
D. The financial cost of fixing a vulnerability
Solution
Step 1: Understand CVSS score components
CVSS scores have three parts: Base, Temporal, and Environmental. The Base Score measures the fundamental severity of a vulnerability.
Step 2: Identify the role of the Base Score
The Base Score reflects the intrinsic characteristics of a vulnerability that do not change over time or across different environments.
Final Answer:
The inherent severity of a vulnerability without considering time or environment -> Option A
Quick Check:
Base Score = inherent severity [OK]
Hint: Base Score = core severity, ignore time and environment [OK]
Common Mistakes:
Confusing Base Score with Temporal or Environmental scores
Thinking Base Score changes over time
Assuming Base Score includes organizational impact
2. Which of the following is the correct format for a CVSS v3.1 vector string?
easy
A. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
B. CVSS-3.1-AV:N-AC:L-PR:N-UI:N-S:U-C:H-I:H-A:H
C. CVSS3.1:AV=N;AC=L;PR=N;UI=N;S=U;C=H;I=H;A=H
D. CVSSv3.1[AV:N,AC:L,PR:N,UI:N,S:U,C:H,I:H,A:H]
Solution
Step 1: Recall CVSS v3.1 vector string syntax
The official CVSS v3.1 vector string starts with "CVSS:3.1" followed by slash-separated metric abbreviations and values.
Step 2: Compare options to official format
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H matches the correct format exactly, using slashes and colons as separators.
Final Answer:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -> Option A
Quick Check:
Correct CVSS v3.1 vector format = CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [OK]
Hint: Look for 'CVSS:3.1' prefix and slash separators [OK]
Common Mistakes:
Using dashes or semicolons instead of slashes
Missing the 'CVSS:3.1' prefix
Incorrect separator characters
3. Given a vulnerability with the following CVSS v3.1 Base metrics: Attack Vector (AV) = Network, Attack Complexity (AC) = Low, Privileges Required (PR) = None, User Interaction (UI) = None, Scope (S) = Unchanged, Confidentiality (C) = High, Integrity (I) = High, Availability (A) = High, what is the approximate Base Score?
medium
A. 5.0
B. 7.5
C. 9.8
D. 3.2
Solution
Step 1: Identify metric values and their impact
AV: Network (high impact), AC: Low (easy to exploit), PR: None (no privileges needed), UI: None (no user interaction), S: Unchanged, C/I/A: High impact on confidentiality, integrity, availability.
Step 2: Use CVSS v3.1 calculator logic
These metrics correspond to a critical vulnerability with a Base Score near 9.8, indicating very high severity.
Final Answer:
9.8 -> Option C
Quick Check:
Critical metrics with no privileges and high impact = 9.8 [OK]
Hint: High impact + no privileges + network vector = ~9.8 score [OK]
Common Mistakes:
Underestimating score by ignoring high impact metrics
Confusing Scope Unchanged with Changed
Mixing up privileges required levels
4. A security analyst notices a CVSS vector string: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N. What is the main error in interpreting this vector?
medium
A. Thinking privileges are required when they are not
B. Believing the attack vector is Network instead of Local
C. Ignoring that the scope is Changed, affecting impact
D. Assuming the vulnerability requires no user interaction
Solution
Step 1: Analyze the UI (User Interaction) metric
The vector shows UI:R, meaning user interaction is Required, not None.
Step 2: Identify common misinterpretation
Assuming UI:N (no user interaction) would be incorrect here; the vulnerability needs user action to exploit.
Final Answer:
Assuming the vulnerability requires no user interaction -> Option D
Quick Check:
UI:R means user interaction required, not none [OK]
Hint: Check UI metric carefully: R means user interaction required [OK]
Common Mistakes:
Ignoring UI:R and assuming no user action needed
Mixing up AV:L (Local) with Network
Overlooking Scope Changed impact
5. An organization wants to prioritize fixing vulnerabilities that have a high CVSS Environmental Score but a medium Base Score. Which approach best explains this prioritization?
hard
A. Fix only vulnerabilities with the highest Base Score regardless of environment
B. Focus on vulnerabilities that impact the organization's specific environment more severely, even if their general severity is medium
C. Ignore Environmental Scores and focus on Temporal Scores for patch urgency
D. Prioritize vulnerabilities with low Base Scores to reduce workload
Solution
Step 1: Understand Environmental Score purpose
The Environmental Score adjusts the Base Score to reflect how a vulnerability affects a specific organization's environment, considering factors like system importance and security controls.
Step 2: Apply prioritization logic
Prioritizing vulnerabilities with high Environmental Scores means focusing on those that pose greater risk in the organization's context, even if their Base Score is only medium.
Final Answer:
Focus on vulnerabilities that impact the organization's specific environment more severely, even if their general severity is medium -> Option B