
An unknown vulnerability is discovered after conducting a vulnerability scan against your company’s official web site. You are analyzing it and calculating its score based on CVSS v3.1. Which of the following is not a mandatory metric?
A. Attack Vector (AV)
B. Exploit Code Maturity (E)
C. User Interaction (UI)
D. Privileges Required (PR)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Exploit Code Maturity (E).
The following summary and explanation come from FIRST.
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It is owned and managed by the Forum of Incident Response and Security Teams, Inc. (FIRST), a US-based non-profit organization whose mission is to help computer security incident response teams across the world.
Metric Groups
CVSS consists of three metric groups: Base, Temporal, and Environmental.
- Base group: the intrinsic qualities of a vulnerability that are constant over time and across user environments. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics.
- Temporal group: the characteristics of a vulnerability that change over time.
- Environmental group: the characteristics of a vulnerability that are unique to a user’s environment.
Vector String
A CVSS score is also represented as a vector string, as in the following example:
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
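The following is an added example, not code from FIRST or from the original post. It parses a v3.1 vector string, rejects one that lacks any of the eight Base metrics, accepts Temporal and Environmental metrics such as E as optional, and computes the Base score with the weights and Roundup function from the v3.1 specification. The function names are my own.

```python
import math

# Base metric weights from the CVSS v3.1 specification; all eight are mandatory.
BASE = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},  # weights when Scope is Unchanged
    "UI": {"N": 0.85, "R": 0.62},
    "S": {"U": None, "C": None},               # Scope selects the formula, no weight
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}  # PR weights when Scope is Changed

def parse_vector(vector):
    """Return (base, optional) dicts; raise ValueError if a Base metric is missing."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:3.1":
        raise ValueError("not a CVSS v3.1 vector")
    metrics = dict(p.split(":", 1) for p in parts)  # malformed part -> ValueError
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError("missing mandatory Base metrics: " + ", ".join(missing))
    for m in BASE:
        if metrics[m] not in BASE[m]:
            raise ValueError(f"invalid value for {m}: {metrics[m]}")
    base = {m: metrics[m] for m in BASE}
    # Anything else (Temporal E/RL/RC, Environmental) is optional.
    optional = {m: v for m, v in metrics.items() if m not in BASE}
    return base, optional

def roundup(x):
    """Roundup as defined in the v3.1 specification (avoids float artifacts)."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(vector):
    b, _ = parse_vector(vector)
    changed = b["S"] == "C"
    pr = (PR_CHANGED if changed else BASE["PR"])[b["PR"]]
    iss = 1 - (1 - BASE["C"][b["C"]]) * (1 - BASE["I"][b["I"]]) * (1 - BASE["A"][b["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * BASE["AV"][b["AV"]] * BASE["AC"][b["AC"]] * pr * BASE["UI"][b["UI"]]
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + expl) if changed else impact + expl
    return roundup(min(total, 10))
```

For the example vector above, `base_score` returns 3.8, and appending `/E:U` leaves the Base score unchanged because E belongs to the Temporal group.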
CVSS Metric Groups

CVSS Metrics and Equations

Reference
- Zero-day (computing)
- Zero-day vulnerability: What it is, and how it works
- Common Weakness Enumeration
- CVE List Home
- What’s the difference between CVE and CWE?
- Common Vulnerability Scoring System SIG
- Common Vulnerability Scoring System version 3.1: Specification Document
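After a vulnerability scan of your company's official web site, an unknown vulnerability was found. You are analyzing it and calculating its score based on CVSS. Which of the following is not a mandatory metric?
A. Attack Vector
B. Exploit Code Maturity
C. User Interaction
D. Privileges Required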