CompTIA CySA+ (CS0-003) — Question 48
A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constraints of the current sprint, only three can be remediated. Which of the following represents the least impactful risk, given the CVSS 3.1 base scores?
Answer options
- A. AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L - Base Score 6.0
- B. AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L - Base Score 7.2
- C. AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H - Base Score 6.4
- D. AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5
Correct answer: D
Explanation
Option D represents the least impactful risk as it has the lowest base score of 6.5, indicating a lower-severity vulnerability. In contrast, options A (6.0), B (7.2), and C (6.4) have higher or equal scores, suggesting they pose a greater risk to the business and should be prioritized for remediation.