From the course: Vulnerability Management: Assessing the Risks with CVSS, CISA KEV, EPSS, and SSVC


Security Scope in CVSS v 3.1

- [Narrator] The concept of scope in CVSS addresses whether a vulnerability in one component impacts other resources beyond its security scope. What is security scope then? Think about a house with several rooms likely separated by walls or other defining architectural features. Each room is a distinct security scope. Typically, the activities and features of one room only affect that room. Security scope, more specifically, is an area of a computing system component, like an application or a database. Typically, computing system components don't cross outside of their security scope boundaries. Exploiting a vulnerability that only affects the vulnerable component is reflected as Unchanged, or U, in the vector string. Unchanged scope has less impact on the overall severity calculation. If exploiting a vulnerability impacts other system components, then the scope is changed. An example of this is when an attack allows the attacker to escape from a virtual system and also impact the host…