What are the three items in the CVSS Impact metrics?

• A. Confidentiality; Integrity; Availability
• B. Access Vector; Access Complexity; Authentication
• C. Exploitation; Remediation Level; Report Confidence
• D. All of the above

Answer: (D)

The part of CVSS that’s being tested here is how the Impact metrics describe what happens to the system when a vulnerability is exploited. The three items in the Impact metrics are the ways the vulnerability can affect the system in terms of the CIA triad: Confidentiality, Integrity, and Availability. These show what information could be exposed, altered, or made unavailable and thus quantify the potential harm to the system’s confidentiality, data integrity, and operational availability. The other items listed come from different metric groups—some describe how easy or hard it is to exploit the vulnerability, while others describe how the rating changes over time or with environmental factors—so they don’t belong to the Impact metrics.