Sam is working as a system administrator in an organization . He captured the principle characteristics of a vulnerability and produced a numerical score to reflect its severity using CVSS v3.0 to properly assess and prioritize the organization’s vulnerability management processes. The base score that Sam obtained after performing CVSS rating was 4.0 What is CVSS severity level of the vulnerability discovered by Sam in the above scenario?

Option 1 : Critical

Option 2 : High

Option 3 : Medium

Option 4 : Low

1. Critical

Software, hardware and firmware vulnerabilities pose a critical risk to any organization operating a network , and may be difficult to categorize and mitigate. The Common Vulnerability rating system (CVSS) provides how to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, also as a textual representation of that score. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to assist organizations properly assess and prioritize their vulnerability management processes.

2. High

The full effect on the environmental score is decided by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. for instance , the Modified Confidentiality impact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.

Note that the Confidentiality Requirement won’t affect the Environmental score if the (Modified Base) confidentiality impact is about to None. Also, increasing the Confidentiality Requirement from Medium to High won’t change the Environmental score when the (Modified Base) impact metrics are set to High. this is often because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10.

3. Medium

For some purposes it’s useful to possess a textual representation of the numeric Base, Temporal and Environmental scores. All scores are often mapped to the qualitative ratings defined .

As an example, a CVSS Base score of 4.0 has an associated severity rating of Medium. the utilization of those qualitative severity ratings is optional, and there’s no requirement to incorporate them when publishing CVSS scores. they’re intended to assist organizations properly assess and prioritize their vulnerability management processes.

4. Low

The attacker is permitted with (i.e. requires) privileges that provide basic user capabilities that would normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the power to cause an impression only to non-sensitive resources.

There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker doesn’t have control over what information is obtained, or the quantity or quite loss is constrained. the knowledge disclosure doesn’t cause an immediate , serious loss to the impacted component.

CVSS severity level