🔍 CVE & Vulnerability Language
5 exercises — CVE IDs, CVSS scores, severity classification, responsible disclosure, and reading security advisories. Intermediate
1 / 5
A CVE advisory reads: "CVSS Base Score: 9.8 (Critical) — CVE-2024-XXXXX: A remote, unauthenticated attacker can execute arbitrary code via a specially crafted HTTP request."
What does CVSS stand for, and what does the score of 9.8 indicate?
CVSS = Common Vulnerability Scoring System. A score of 9.8 is Critical — near the maximum of 10.0.
| CVSS Score Range | Severity | Action Expected |
|---|---|---|
| 0.1 – 3.9 | Low | Patch in next planned maintenance window |
| 4.0 – 6.9 | Medium | Patch within 30–90 days |
| 7.0 – 8.9 | High | Patch within 7–30 days |
| 9.0 – 10.0 | Critical | Patch immediately — emergency change process |
Key vocabulary in this advisory:
- Remote unauthenticated attacker — no credentials or network proximity needed; exploitable from the internet
- Arbitrary code execution — attacker can run any code they choose on the target system
- Specially crafted request — a deliberately malformed or weaponised HTTP request that triggers the vulnerability