CVSS Metrics

26 Terms

1

What does AV mean in CVSS?

Attack Vector - how the attacker accesses the system (ex. Network, Local, etc.)

2

What does AC mean in CVSS?

Attack Complexity - how hard it is to exploit the vulnerability

3

What does PR mean in CVSS?

Privileges Required - the access level needed to exploit it

4

What does UI mean in CVSS?

User Interaction - does a user need to do something for the exploit to work?

5

What does S mean in CVSS?

Scope - whether components outside the vulnerable one are affected

6

What does C stand for in CVSS?

Confidentiality

7

What does I stand for in CVSS?

Integrity

8

What does A stand for in CVSS?

Availability

9

What does AV:N mean?

Network-based attack (can be done remotely)

10

What does AC:L mean?

Low complexity - it's easy to exploit

11

What does PR:N mean?

No privileges needed - the attacker doesn't need to be logged in

12

What does UI:N mean?

No user interaction required

13

What does S:U mean?

Scope unchanged - the attack stays within the same system boundary.

14

What does C:H mean?

High loss of confidentiality - sensitive data can be exposed

15

This CVSS value means no user interaction is needed

UI:N

16

A CVSS attack with PR:N means what?

The attacker doesn't need any privileges (not logged in)

17

Example of AV:N (Network Attack)

Remote code execution over HTTP/SMB

18

AV: N

N = Network - remote/external attacker (ex. web exploit)

19

AV: A

A = Adjacent - same subnet/Wi-Fi/LAN (ex. ARP spoofing on the same network)

20

AV: L

L = Local - physical or local OS access (ex. needs shell/terminal access)

21

AV: P

P = Physical - touching the device (ex. USB-based attack)

22

AC (Attack Complexity): L or H

L = Low - reliable, no special conditions (ex. exploit always works)

H = High - needs timing or an unusual state (ex. race condition, exact state needed)

23

PR (Privileges Required): N, L, or H

N = None - no login needed (ex. public web server vulnerability)

L = Low - limited user access (ex. logged-in non-admin)

H = High - admin/root needed (ex. needs full control)

24

UI (User Interaction): N, R

N = None - no user action needed (ex. exploit runs automatically)

R = Required - user must do something (ex. click a phishing link, open a file)

25

S (Scope): U, C

U = Unchanged - same system targeted (ex. same permissions/app scope)

C = Changed - breaks isolation or affects other systems (ex. breaks out of a VM or container)

26

CIA (Confidentiality, Integrity, Availability): N, L, H

N = None - no data exposed, changed, or made unavailable (ex. C: only a crash happens; I: viewing only, nothing modified; A: everything continues to work)

L = Low - some info leaked, minor modification, or reduced performance (ex. C: usernames, emails; I: changed logs or timestamps; A: slower responses)

H = High - sensitive/confidential data exposed, serious data manipulation, or total outage/DoS (Denial of Service) (ex. C: passwords/PII; I: changes to configs; A: system crash)