This preview shows page 1. Sign up to view the full content.
Unformatted text preview: acker authenticating to an operating system in
addition to providing credentials to access an application hosted on that system. Single (S) One instance of authentication is required to access and exploit the vulnerability. None (N) Authentication is not required to access and exploit the vulnerability. The metric should be applied based on the authentication the attacker requires before launching an attack.
For example, if a remote mail server is vulnerable to a command that can be issued before a user
authenticates, the metric should be scored as “None” because the attacker can launch the exploit before
credentials are required. If the vulnerable command is only available after successful authentication, then
the vulnerability should be scored as “Single” or “Multiple,” depending on how many instances of
authentication must occur before issuing the command.
2.1.4 Confidentiality Impact (C) This metric measures the impact on confidentiality of a successfully exploited vulnerability.
Confidentiality refers to limiting information access and disclosure to only authorized users, as well as
preventing access by, or disclosure to, unauthorized ones. The possible values for this metric are listed in
Table 4. Increased confidentiality impact increases the vulnerability score.
Table 4. Confidentiality Impact Scoring Evaluation
None (N) There is no impact to the confidentiality of the system. Partial (P) There is considerable informational disclosure. Access to some system files is possible, but the
attacker does not have control over what is obtained, or the scope of the loss is constrained. An
example is a vulnerability that divulges only certain tables in a database. Complete
(C) There is total information disclosure, resulting in all system files being revealed. The attacker is able
to read all of the system's data (memory, files, etc.) 2.1.5 Integrity Impact (I) This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to
the trustworthiness and guaranteed veracity of information. The possible values for this metric are listed
in Table 5. Increased integrity impact increases the vulnerability score. 7 THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS Table 5. Integrity Impact Scoring Evaluation
Value Description None (N) There is no impact to the integrity of the system. Partial (P) Modification of some system files or information is possible, but the attacker does not have control
over what can be modified, or the scope of what the attacker can affect is limited. For example,
system or application files may be overwritten or modified, but either the attacker has no control over
which files are affected or the attacker can modify files within only a limited context or scope. Complete
(C) There is a total compromise of system integrity. There is a complete loss of system protection,
resulting in the entire system being compromised. The attacker is able to modif...
View Full Document
- Spring '14