Learn how to accurately assess the severity of a zero-day vulnerability using CVSS metrics. Explore the impact on confidentiality, integrity, and availability.
Question
A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?
A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H
Answer
A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
Explanation
The most accurate CVSS vector for the given zero-day threat would be:
A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
This metric breakdown indicates:
- AV:N – Network exploit, can be exploited remotely
- AC:L – Low attack complexity, easy to exploit
- PR:N – No privileges required for exploitation
- UI:N – No user interaction needed for exploitation
- S:U – Affects only the vulnerable component
- C:H – High impact on confidentiality
- I:H – High impact on integrity
- A:L – Low impact on availability
The given scenario matches these metrics perfectly, as the zero-day vulnerability requires no user interaction or privilege escalation, can be exploited remotely, and significantly impacts confidentiality and integrity but not availability.
This is a CompTIA CySA+ CS0-003 certification exam practice question and answer (Q&A) with a detailed explanation.