210-255 · Question #159
What are the metric values for confidentiality impact in the CVSS v3.0 framework?
The correct answer is A. high, low, none. In CVSS v3.0, the Confidentiality Impact metric uses exactly three values - High, Low, and None - to rate the degree of information disclosure resulting from a vulnerability.
Question
What are the metric values for confidentiality impact in the CVSS v3.0 framework?
Options
- Ahigh, low, none
- Bopen, closed, obsolete
- Chigh, low
- Dhigh, medium, none
How the community answered
(32 responses)- A91% (29)
- B6% (2)
- D3% (1)
Why each option
In CVSS v3.0, the Confidentiality Impact metric uses exactly three values - High, Low, and None - to rate the degree of information disclosure resulting from a vulnerability.
CVSS v3.0 defines Confidentiality Impact (C) with three discrete values: None (no confidentiality impact), Low (access to some restricted information), and High (total loss of confidentiality or all information is disclosed). These three values apply consistently across Confidentiality, Integrity, and Availability impact metrics in the CVSS v3.0 scoring system.
Open, closed, and obsolete are not valid CVSS metric values - these terms belong to other classification systems and have no meaning in the CVSS framework.
This answer omits the 'None' value, which is a valid and important metric indicating that the vulnerability has no impact on confidentiality.
CVSS v3.0 does not use a 'Medium' value for Confidentiality Impact - the scale skips from Low directly to High, unlike some other scoring frameworks.
Concept tested: CVSS v3.0 Confidentiality Impact metric values
Source: https://www.first.org/cvss/v3.0/specification-document
Topics
Community Discussion
No community discussion yet for this question.