CompTIA Cloud+ (CV0-004) — Question 107

An organization has been using an old version of an Apache Log4j software component in its critical software application. Which of the following should the organization use to calculate the severity of the risk from using this component?

Answer options

• A. CWE
• B. CVSS
• C. CWSS
• D. CVE

Correct answer: B

Explanation

The Common Vulnerability Scoring System (CVSS) provides a standardized way to evaluate the severity of vulnerabilities, making it the appropriate choice for assessing risk. CWE (Common Weakness Enumeration) and CVE (Common Vulnerabilities and Exposures) are related but do not provide a scoring system, while CWSS (Common Weakness Scoring System) is less commonly used than CVSS for risk assessment.