CVSS v3.1 — Score a Real CVE
Easy Vulnerability Management · 15 min
Scenario
CVE-2024-XXXXX (fictional but realistic): An unauthenticated remote attacker can send a crafted HTTP POST to /api/v1/admin/export of a public-facing web app, triggering a path traversal that reads any file the web service can read. The web service runs with root filesystem privileges. No user interaction is required.
Build the CVSS v3.1 Base vector and compute the score.
CVSS v3.1 metrics to set
| Metric | Possible values |
|---|---|
| Attack Vector (AV) | N (Network) / A (Adjacent) / L (Local) / P (Physical) |
| Attack Complexity (AC) | L (Low) / H (High) |
| Privileges Required (PR) | N (None) / L (Low) / H (High) |
| User Interaction (UI) | N (None) / R (Required) |
| Scope (S) | U (Unchanged) / C (Changed) |
| Confidentiality (C) | H (High) / L (Low) / N (None) |
| Integrity (I) | H / L / N |
| Availability (A) | H / L / N |
Answer format
Submit the vector string + score, separated by a colon. Vector first, then base score to 1 decimal:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N:7.5
(Example shape — not the answer.)
Hints
Hint 1 (−10 pts)
Walk each metric: 'Remote attacker' = AV:N. 'Crafted HTTP POST' = AC:L. 'Unauthenticated' = PR:N. 'No user interaction' = UI:N. Scope unchanged (just file read). Files only read → C:H, I:N, A:N.
Hint 2 (−10 pts)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Use the official calculator (or cvss.techclick.in) to compute the base score.
Hint 3 (−10 pts)
Answer: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N:7.5