From the course: Vulnerability Management: Assessing the Risks with CVSS, CISA KEV, EPSS, and SSVC

Unlock this course with a free trial

Join today to access over 25,300 courses taught by industry experts.

How access or privileges required affects severity

How access or privileges required affects severity

From the course: Vulnerability Management: Assessing the Risks with CVSS, CISA KEV, EPSS, and SSVC

Start my 1-month free trial Buy for my team

How access or privileges required affects severity

- [Instructor] Privileges required, PR and the vector string, describes the privileges needed before an attack begins in order for the attack to be successful. Three possible values exist for the privileges required metric. None, N. Low, L. And High, H. The highest risk is None, and the lowest is High. Which sounds a little weird that a metric value of High is lowest value. So let's dig in a little bit. None is the highest severity value, and it indicates that an attacker doesn't need any level of permissions to exploit the vulnerability. The Low value for privileges required means that the attacker needs a basic level of access to the system. An example of that would be a standard non-administrative user on a system. A privileges required value of High means that the attacker must have elevated permissions, such as local administrator rights, before the attack begins. Severity decreases as needed privileges increase, and that's because the attacker has to do more work to get the…

Contents