What is the difference between the exploitability score and the exploitability sub-score? And the difference between the impact score and the impact sub-score?
What are the relationships between the respective scores and sub-scores?
Impact: The impact sub-score represents metrics for confidentiality impact, integrity impact, and the availability impact of a successfully exploited vulnerability.
Exploitability: The exploitability sub-score represents metrics for Access Vector, Access Complexity, and Authentication, and measures how the vulnerability is accessed, the complexity of the attack, and the number of times an attacker must authenticate to successfully exploit a vulnerability.
The sub-score is calculated after the successful exploitation of the vulnerability.
We can drill down into this score in detail:
Access Vector, Access Complexity
Is the application or system exposed to the internet, or does it require special access such as a VPN or the intranet?
After reaching the system, does it require accessing any sub-endpoint or any DMZ-jumping kind of activity?
Number of times an attacker must authenticate