Learn CVSS vocabulary: base score, temporal score, environmental score, attack vector, attack complexity, privileges required, and how to read CVE severity ratings.
1 / 5
What does 'this CVE has a CVSS base score of 9.8' indicate?
CVSS (Common Vulnerability Scoring System) base scores range from 0.0 to 10.0. Severity ratings: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), Critical (9.0–10.0). A score of 9.8 is Critical — typically meaning Network attack vector, Low attack complexity, No privileges required, No user interaction. Example: CVE-2021-44228 (Log4Shell) received a CVSS 10.0.
2 / 5
What is the 'attack vector' metric in CVSS scoring?
Attack Vector (AV) reflects the component's exposure: Network (N) = exploitable remotely over the internet; this value has the highest impact on the score. Adjacent (A) = requires being on the same network (Wi-Fi, Bluetooth). Local (L) = requires local system access (shell, RDP). Physical (P) = requires physical access to the device. Network AV vulnerabilities are most critical because they are exploitable by any attacker on the internet without physical proximity.
3 / 5
What does 'Privileges Required: None' mean in a CVSS score breakdown?
Privileges Required (PR) measures whether the attacker needs existing access: None (N) = no credentials or account needed — anonymous exploitation possible. Low (L) = needs basic authenticated access (standard user). High (H) = needs elevated or admin-level access. Combining AV:Network + PR:None produces the highest-scoring and most dangerous vulnerability class — exploitable by any unauthenticated attacker on the internet.
4 / 5
What is the 'temporal score' in CVSS, and how does it differ from the base score?
The CVSS temporal metric group modifies the base score based on: Exploit Code Maturity (is working exploit code publicly available?), Remediation Level (is a patch available?), and Report Confidence (how confirmed is the vulnerability?). A new unpatched vulnerability with a public exploit scores higher temporally than a patched one with only theoretical exploitability. Temporal scores can change daily as the threat landscape evolves.
5 / 5
What is the 'environmental score' in CVSS and when is it used?
The environmental metric group lets organisations adjust CVSS for their specific context. Example: a Network-vector vulnerability with a base score of 9.8 might have an environmental score of 5.0 for an organisation where the affected component is only accessible from their internal network (modifying the attack vector). Environmental scoring helps prioritise remediation — a Critical base score might be Medium risk for your organisation's specific deployment.