Overview#Exploitability Metrics as defined in Common Vulnerability Scoring System (CVSS) reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.
Therefore, each of the Exploitability metrics listed below should be scored relative to the vulnerable component, and reflect the properties of the vulnerability that lead to a successful attack.
Exploitability Metrics attempts to classify the Attack Effort
Exploitability Metrics has the following classifications:
- Attack Vector (AV) - This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across the Internet is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater score.
- Attack Complexity (AC) - This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. Such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). This metric value is largest for the least complex attacks
- Privileges Required (PR) - This metric describes the level of privileges an attacker MUST possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required.
- User Interaction (UI) - This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) MUST participate in some manner. This metric value is greatest when no user interaction is required