Security Operations · SY0-701 · Task 4.3

CVSS and CVE — SY0-701

Understand CVE and CVSS for the CompTIA Security+ SY0-701 exam: what they are, how scores work, and the key misconception that trips up candidates.

WHAT IT IS

CVE (Common Vulnerabilities and Exposures) is a list of entries — each containing an identification number, a description, and at least one public reference — for publicly known cybersecurity vulnerabilities. (NIST CSRC, citing CNSSI 4009-2015 / NIST SP 800-126 Rev. 2.) Each entry is keyed by a CVE ID: an identifier for a specific software flaw defined within the official CVE Dictionary that conforms to the CVE specification. (NIST CSRC, NISTIR 7511 Rev. 4.)

CVSS (Common Vulnerability Scoring System) is a system for measuring the relative severity of software flaw vulnerabilities. (NIST CSRC, CNSSI 4009-2015.) The FIRST organization's v3.1 specification describes it more fully as "an open framework for communicating the characteristics and severity of software vulnerabilities," producing numerical scores from 0.0 to 10.0.

CVE names a vulnerability. CVSS scores it. They are complementary standards, not interchangeable terms.


Mental model

Think of CVE as the registry and CVSS as the price tag.

A CVE entry says: "This flaw exists, here is its unique ID, here is a description, and here is where you can read about it." It does not tell you how severe the flaw is in your environment.

CVSS says: "Here is a numerical score, derived from the technical characteristics of this flaw, indicating how severe it is — first in the abstract (Base), then adjusted for how the threat landscape has evolved (Temporal), then adjusted for your specific environment (Environmental)."

The CVSS v3.1 specification states that "the Base and Temporal metrics are specified by vulnerability bulletin analysts, security product vendors, or application vendors because they typically possess the most accurate information about the characteristics of a vulnerability. The Environmental metrics are specified by end-user organizations because they are best able to assess the potential impact of a vulnerability within their own computing environment."


When to use it

                    CVE                                           CVSS
What it answers     "Has this flaw been publicly catalogued?"     "How severe is this flaw?"
Primary output      A unique identifier (CVE ID) and description  A numeric score (0.0–10.0) and severity rating
Who publishes it    CVE Numbering Authorities (CNAs) assign IDs   Analysts, vendors, or end-user orgs produce scores
Scope               Identification and cataloguing                Severity measurement across Base, Temporal, and Environmental metric groups
Time-sensitivity    Stable — the ID does not change               Temporal and Environmental scores can change as the threat evolves

CVSS v3.1 severity ratings (Base Score ranges, from the FIRST specification):

Rating      Score Range
None        0.0
Low         0.1 – 3.9
Medium      4.0 – 6.9
High        7.0 – 8.9
Critical    9.0 – 10.0

COMMON MISCONCEPTION

CVSS does not measure business risk or organizational priority. The v3.1 specification explicitly states that factors such as "number of customers on a product line, monetary losses due to a breach, life or property threatened, or public sentiment on highly publicized vulnerabilities" are outside the scope of CVSS. The specification further notes that organizations "may use CVSS information as input to an organizational vulnerability management process that also considers factors that are not part of CVSS."

This means a vulnerability with a Critical Base Score (9.0–10.0) does not automatically mean it is the highest remediation priority for a given organization — environmental mitigations, asset criticality, and exposure all factor into real-world prioritization but are not captured by the Base Score alone.

A related trap: CVE and CVSS are not the same thing and are not produced by the same process. A CVE entry can exist without a CVSS score, and a CVSS score is not part of the CVE record itself — scoring is performed separately, often by the National Vulnerability Database (NVD) or vendors, using the CVE as a reference point.


How it shows up on the exam

The cognitive target here is apply — candidates are expected to use these standards appropriately in a security operations context, not just recite definitions.

Exam questions in this area tend to ask candidates to:

  • Identify which standard (CVE or CVSS) a scenario is using based on what information is provided or needed.
  • Determine what a CVSS score component (Base, Temporal, or Environmental) reflects, and recognize that the Base Score represents intrinsic, time-independent characteristics of the vulnerability.
  • Recognize that CVSS captures technical characteristics of a vulnerability, not the business or financial impact of exploitation.

Candidates often confuse the Base Score (which is fixed and reflects the flaw's inherent qualities) with an organization's actual risk exposure. The specification is clear that the Environmental metric group exists precisely because Base Scores do not account for local mitigations or the relative value of affected assets in a specific deployment.

Signal phrases to watch for in scenario stems: "identify the vulnerability," "standardized identifier," "severity score," "prioritize patching based on severity" — these cue you to distinguish identification (CVE) from scoring (CVSS) and to recognize the scope limits of each.


Related concepts

  • Vulnerability Scanning — the operational process that discovers vulnerabilities in an environment; CVE IDs and CVSS scores are commonly surfaced in vulnerability scanner output.
  • Threat Intelligence — contextual information about threats; CVE and CVSS data feed into threat intelligence workflows but are distinct from threat intelligence itself.
  • Penetration Testing — active exploitation testing; penetration testers reference CVE IDs to identify known vulnerabilities they may attempt to exploit.

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
