Vulnerability classification (CVSS) in Cybersecurity - Step-by-Step Execution

Concept Flow - Vulnerability classification (CVSS)
Identify Vulnerability
Assign Base Metrics
Calculate Base Score
Assign Temporal Metrics
Calculate Temporal Score
Assign Environmental Metrics
Calculate Environmental Score
Classify Severity Level
Report & Prioritize
The CVSS process starts by identifying a vulnerability, then assigning metrics in three groups (Base, Temporal, Environmental), calculating a score for each group, and finally classifying severity to help prioritize fixes. Only the Base group is mandatory: any Temporal or Environmental metric left unassigned is treated as Not Defined (X), which carries a weight of 1.0 and leaves the score unchanged.
Execution Sample
Base Metrics: AV=Network, AC=Low, PR=None, UI=None, S=Unchanged, C=High, I=High, A=High (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Calculate Base Score
Temporal Metrics: E=Proof-of-Concept, RL=Official Fix, RC=Unknown (vector suffix: /E:P/RL:O/RC:U)
Calculate Temporal Score
Environmental Metrics: CR=Medium, IR=Low, AR=Low (vector suffix: /CR:M/IR:L/AR:L; Modified Base metrics left Not Defined)
Calculate Environmental Score
This example shows assigning CVSS metrics step by step and calculating the three scores to classify vulnerability severity.
Analysis Table
Step | Action | Metric/Value | Score Calculation | Result
---- | ------ | ------------ | ----------------- | ------
1 | Identify Vulnerability | Example: Remote Code Execution | - | Vulnerability identified
2 | Assign Base Metrics | AV=Network, AC=Low, PR=None, UI=None, S=Unchanged, C=High, I=High, A=High | - | Base metrics set
3 | Calculate Base Score | Impact 5.87 + Exploitability 3.89 (Scope Unchanged) | Base Score = roundup(9.76) = 9.8 | Critical severity
4 | Assign Temporal Metrics | E=Proof-of-Concept (0.94), RL=Official Fix (0.95), RC=Unknown (0.92) | - | Temporal metrics set
5 | Calculate Temporal Score | Base Score × E × RL × RC | Temporal Score = roundup(9.8 × 0.94 × 0.95 × 0.92) = 8.1 | Adjusted severity = High
6 | Assign Environmental Metrics | CR=Medium (1.0), IR=Low (0.5), AR=Low (0.5); Modified Base metrics Not Defined | - | Environmental metrics set
7 | Calculate Environmental Score | Modified Base Score = roundup(modified impact 4.96 + exploitability 3.89) = 8.9, then × E × RL × RC | Environmental Score = roundup(8.9 × 0.94 × 0.95 × 0.92) = 7.4 | Final severity score
8 | Classify Severity Level | Score 7.4 | Score range 7.0-8.9 | Severity = High
9 | Report & Prioritize | Severity = High | - | Fix prioritized accordingly
10 | End | No more steps | - | Process complete
Note: in CVSS v3.1 the Environmental Score is not "Temporal Score × factors". The impact sub-score is recomputed from the Modified Base metrics with the CR/IR/AR weights applied (and capped at 0.915), the modified base score is rounded up, and only then are the same three temporal multipliers applied. Here the reduced IR and AR pull the modified base down to 8.9 and the temporal factors bring it to 7.4. RC=Unknown alongside RL=Official Fix is an unusual pairing in practice (a vendor-issued fix normally implies a confirmed report); the sample keeps it so that all three temporal multipliers are exercised.
💡 Process ends after final severity classification and reporting
State Tracker
Metric | Initial | After Base | After Temporal | After Environmental | Final
------ | ------- | ---------- | -------------- | ------------------- | -----
Base Score | - | 9.8 | 9.8 | 9.8 | 9.8
Temporal Score | - | - | 8.1 | 8.1 | 8.1
Environmental Score | - | - | - | 7.4 | 7.4
Severity Level | - | Critical | High | High | High
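The scoring pipeline above, together with the vector-string format and Base Score arithmetic tested in Practice questions 2 and 3, as one added example that is not part of the original page: a self-contained CVSS v3.1 calculator in Python. It parses a vector string, computes the Base, Temporal and Environmental scores with the specification's metric weights and Roundup function, and maps a score to its severity band. The weights and formulas are the CVSS v3.1 specification's; the function names, the dictionary layout and the sample vectors are this example's own assumptions, and nothing beyond the Python standard library is used.

```python
"""CVSS v3.1 calculator: parse a vector string, compute Base, Temporal and
Environmental scores, and map a score to its qualitative severity rating.
Weights, formulas and Roundup follow the CVSS v3.1 specification (section 7
and appendix A); the sample vectors below are constructed for this example."""
import math
import re

# Metric weights (CVSS v3.1 specification, Table 16).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)}  # (Scope U, Scope C)
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}     # Exploit Code Maturity
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}    # Remediation Level
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}               # Report Confidence
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}                # CR / IR / AR
BASE = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

def roundup(x):
    """Spec Roundup: smallest one-decimal value >= x, done on integers so
    floating-point noise (e.g. 4.0000000001) cannot bump a score up."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def parse_vector(vector):
    """Parse 'CVSS:3.1/AV:N/AC:L/...' into a dict; reject malformed strings."""
    head, *parts = vector.split("/")
    if head not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError("unsupported or missing CVSS prefix: %r" % head)
    metrics = {}
    for part in parts:
        m = re.fullmatch(r"([A-Z]{1,3}):([A-Z])", part)
        if not m or m.group(1) in metrics:
            raise ValueError("bad or duplicate metric: %r" % part)
        metrics[m.group(1)] = m.group(2)
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise ValueError("missing base metrics: %s" % missing)
    return metrics

def _sub_score(m, modified):
    """Base Score (modified=False) or the Environmental 'modified base'
    (modified=True: M* metrics override, CR/IR/AR weight the impact)."""
    def g(k):  # modified metric when set and not Not Defined, else the base one
        return m.get("M" + k, "X") if modified and m.get("M" + k, "X") != "X" else m[k]
    c, i, a, s = CIA[g("C")], CIA[g("I")], CIA[g("A")], g("S")
    if modified:
        iss = min(1 - (1 - c * REQ[m.get("CR", "X")]) * (1 - i * REQ[m.get("IR", "X")])
                  * (1 - a * REQ[m.get("AR", "X")]), 0.915)
        impact = 6.42 * iss if s == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        iss = 1 - (1 - c) * (1 - i) * (1 - a)
        impact = 6.42 * iss if s == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * AV[g("AV")] * AC[g("AC")] * PR[g("PR")][s == "C"] * UI[g("UI")]
    if impact <= 0:
        return 0.0
    return roundup(min((1.0 if s == "U" else 1.08) * (impact + expl), 10))

def temporal_factor(m):
    return E[m.get("E", "X")] * RL[m.get("RL", "X")] * RC[m.get("RC", "X")]

def severity(score_value):
    """Qualitative rating (CVSS v3.1 specification, Table 14)."""
    if score_value == 0:
        return "None"
    if score_value < 4:
        return "Low"
    if score_value < 7:
        return "Medium"
    if score_value < 9:
        return "High"
    return "Critical"

def score(vector):
    """Return (base, temporal, environmental) for a full or partial vector."""
    m = parse_vector(vector)
    base = _sub_score(m, modified=False)
    temporal = roundup(base * temporal_factor(m))
    environmental = roundup(_sub_score(m, modified=True) * temporal_factor(m))
    return base, temporal, environmental

if __name__ == "__main__":
    # The page's worked sample, written as one constructed vector string.
    v = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:U/CR:M/IR:L/AR:L"
    for name, value in zip(("Base", "Temporal", "Environmental"), score(v)):
        print("%-13s %.1f  %s" % (name, value, severity(value)))
```

Running the file prints the worked sample as Base 9.8 (Critical), Temporal 8.1 (High) and Environmental 7.4 (High). `parse_vector` rejects the malformed forms from Practice question 2 (dash or semicolon separators, missing `CVSS:3.1` prefix) with a `ValueError`, and any Temporal or Environmental metric absent from the vector defaults to `X`, which is exactly why the Environmental Score collapses to the Temporal Score when no environmental metrics are supplied.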
Key Insights - 3 Insights
Why does the Base Score stay the same after Temporal and Environmental metrics are assigned?
The Base Score reflects the intrinsic properties of the vulnerability and does not change; Temporal and Environmental metrics produce separate, derived scores, as shown in Analysis Table rows 3, 5, and 7.
How is the final severity level determined from the scores?
The final severity level is taken from the Environmental Score, which re-evaluates the Base metrics for the organization's context (Modified Base metrics plus the CR/IR/AR requirements) and then applies the Temporal multipliers, as seen in Analysis Table row 8.
What happens if the Environmental metrics are not assigned?
Unassigned metrics are treated as Not Defined (X) with a weight of 1.0, so the Environmental Score collapses to the Temporal Score and that value drives the severity classification; if the Temporal metrics are also unassigned, all three scores equal the Base Score.
Visual Quiz - 3 Questions
Test your understanding
Look at the Analysis Table at step 3. What is the Base Score calculated from the Base Metrics?
A9.8
B8.5
C9.3
D7.0
💡 Hint
Refer to Analysis Table row 3 under the 'Score Calculation' column.
At which step does the Environmental Score get calculated?
AStep 3
BStep 5
CStep 7
DStep 9
💡 Hint
Check the Analysis Table rows for the 'Calculate Environmental Score' action.
If neither the Temporal nor the Environmental metrics were assigned (all left Not Defined), which score would be used for severity classification?
AEnvironmental Score
BBase Score
CTemporal Score
DNo score
💡 Hint
Look at the Key Insights explanation of what happens when metrics are left unassigned.
Concept Snapshot
CVSS classifies vulnerabilities by assigning Base, Temporal, and Environmental metrics.
Base metrics describe the vulnerability itself.
Temporal metrics adjust for conditions that change over time: exploit code maturity, remediation level, and report confidence.
Environmental metrics adjust for specific user environments.
Scores are calculated stepwise and mapped to a severity rating: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), or Critical (9.0-10.0).
This helps prioritize security fixes effectively.
Full Transcript
The CVSS process begins by identifying a vulnerability. Then, Base Metrics are assigned to describe its core characteristics. Using these, a Base Score is calculated to reflect intrinsic severity. Next, Temporal Metrics are assigned to adjust the score for current exploit conditions (exploit code maturity, remediation level, report confidence), producing a Temporal Score. Environmental Metrics are then assigned to tailor the score to a specific environment: the Confidentiality, Integrity and Availability requirements weight the impact by how much the affected asset matters, Modified Base metrics can override the base ones, and the Temporal multipliers are applied again, resulting in the Environmental Score. Finally, the Environmental Score is used to classify the vulnerability's severity level, guiding prioritization for fixes. This step-by-step scoring gives a context-aware vulnerability classification rather than a single context-free number.

Practice

1. What does the CVSS Base Score primarily measure in vulnerability classification?
easy
A. The inherent severity of a vulnerability without considering time or environment
B. The current exploitability of a vulnerability based on available patches
C. The impact of a vulnerability on a specific organization's environment
D. The financial cost of fixing a vulnerability

Solution

  1. Step 1: Understand CVSS score components

    CVSS scores have three parts: Base, Temporal, and Environmental. The Base Score measures the fundamental severity of a vulnerability.
  2. Step 2: Identify the role of the Base Score

    The Base Score reflects the intrinsic characteristics of a vulnerability that do not change over time or across different environments.
  3. Final Answer:

    The inherent severity of a vulnerability without considering time or environment -> Option A
  4. Quick Check:

    Base Score = inherent severity [OK]
Hint: Base Score = core severity, ignore time and environment [OK]
Common Mistakes:
  • Confusing Base Score with Temporal or Environmental scores
  • Thinking Base Score changes over time
  • Assuming Base Score includes organizational impact
2. Which of the following is the correct format for a CVSS v3.1 vector string?
easy
A. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
B. CVSS-3.1-AV:N-AC:L-PR:N-UI:N-S:U-C:H-I:H-A:H
C. CVSS3.1:AV=N;AC=L;PR=N;UI=N;S=U;C=H;I=H;A=H
D. CVSSv3.1[AV:N,AC:L,PR:N,UI:N,S:U,C:H,I:H,A:H]

Solution

  1. Step 1: Recall CVSS v3.1 vector string syntax

    The official CVSS v3.1 vector string starts with "CVSS:3.1" followed by slash-separated metric abbreviations and values.
  2. Step 2: Compare options to official format

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H matches the correct format exactly, using slashes and colons as separators.
  3. Final Answer:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -> Option A
  4. Quick Check:

    Correct CVSS v3.1 vector format = CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [OK]
Hint: Look for 'CVSS:3.1' prefix and slash separators [OK]
Common Mistakes:
  • Using dashes or semicolons instead of slashes
  • Missing the 'CVSS:3.1' prefix
  • Incorrect separator characters
3. Given a vulnerability with the following CVSS v3.1 Base metrics: Attack Vector (AV) = Network, Attack Complexity (AC) = Low, Privileges Required (PR) = None, User Interaction (UI) = None, Scope (S) = Unchanged, Confidentiality (C) = High, Integrity (I) = High, Availability (A) = High, what is the approximate Base Score?
medium
A. 5.0
B. 7.5
C. 9.8
D. 3.2

Solution

  1. Step 1: Identify metric values and their impact

    AV: Network (remotely reachable, the most exposed vector), AC: Low (easy to exploit), PR: None (no privileges needed), UI: None (no user interaction), S: Unchanged, C/I/A: High impact on confidentiality, integrity, and availability.
  2. Step 2: Use CVSS v3.1 calculator logic

    Impact = 6.42 × (1 − 0.44³) ≈ 5.87 and Exploitability = 8.22 × 0.85 × 0.77 × 0.85 × 0.85 ≈ 3.89; their sum, 9.76, rounds up to a Base Score of 9.8, the maximum possible with Scope Unchanged and a Critical rating.
  3. Final Answer:

    9.8 -> Option C
  4. Quick Check:

    Critical metrics with no privileges and high impact = 9.8 [OK]
Hint: High impact + no privileges + network vector = ~9.8 score [OK]
Common Mistakes:
  • Underestimating score by ignoring high impact metrics
  • Confusing Scope Unchanged with Changed
  • Mixing up privileges required levels
4. A security analyst notices a CVSS vector string: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N. What is the main error in interpreting this vector?
medium
A. Thinking privileges are required when they are not
B. Believing the attack vector is Network instead of Local
C. Ignoring that the scope is Changed, affecting impact
D. Assuming the vulnerability requires no user interaction

Solution

  1. Step 1: Analyze the UI (User Interaction) metric

    The vector shows UI:R, meaning user interaction is Required, not None.
  2. Step 2: Identify common misinterpretation

    Assuming UI:N (no user interaction) would be incorrect here; the vulnerability needs user action to exploit.
  3. Final Answer:

    Assuming the vulnerability requires no user interaction -> Option D
  4. Quick Check:

    UI:R means user interaction required, not none [OK]
Hint: Check UI metric carefully: R means user interaction required [OK]
Common Mistakes:
  • Ignoring UI:R and assuming no user action needed
  • Mixing up AV:L (Local) with Network
  • Overlooking Scope Changed impact
5. An organization wants to prioritize fixing vulnerabilities that have a high CVSS Environmental Score but a medium Base Score. Which approach best explains this prioritization?
hard
A. Fix only vulnerabilities with the highest Base Score regardless of environment
B. Focus on vulnerabilities that impact the organization's specific environment more severely, even if their general severity is medium
C. Ignore Environmental Scores and focus on Temporal Scores for patch urgency
D. Prioritize vulnerabilities with low Base Scores to reduce workload

Solution

  1. Step 1: Understand Environmental Score purpose

    The Environmental Score adjusts the Base Score to reflect how a vulnerability affects a specific organization's environment: the CR/IR/AR requirements weight the impact by how much the affected asset's confidentiality, integrity and availability matter, and Modified Base metrics can record compensating controls (for example, a service that is reachable only from an internal network).
  2. Step 2: Apply prioritization logic

    Prioritizing vulnerabilities with high Environmental Scores means focusing on those that pose greater risk in the organization's context, even if their Base Score is only medium.
  3. Final Answer:

    Focus on vulnerabilities that impact the organization's specific environment more severely, even if their general severity is medium -> Option B
  4. Quick Check:

    Environmental Score = org-specific risk priority [OK]
Hint: Environmental Score shows real risk to your organization [OK]
Common Mistakes:
  • Ignoring Environmental Scores in prioritization
  • Confusing Temporal Score with Environmental Score
  • Assuming Base Score alone dictates fix order