Attack Complexity
Attack Complexity v3.0.1
This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit.
| Value | Definition |
|---|---|
| Low | The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. |
| High | The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. |
Attack Complexity v3.0.1 JSON Example
{
"namespace": "cvss",
"version": "3.0.1",
"schemaVersion": "1-0-1",
"key": "AC",
"name": "Attack Complexity",
"description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ",
"values": [
{
"key": "L",
"name": "Low",
"description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "
},
{
"key": "H",
"name": "High",
"description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
}
]
}
Previous Versions
Following are the previous versions of the decision point:
Access Complexity v1.0.0
This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.
| Value | Definition |
|---|---|
| Low | Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable. |
| High | Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail) |
Access Complexity v1.0.0 JSON Example
{
"namespace": "cvss",
"version": "1.0.0",
"schemaVersion": "1-0-1",
"key": "AC",
"name": "Access Complexity",
"description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
"values": [
{
"key": "L",
"name": "Low",
"description": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
},
{
"key": "H",
"name": "High",
"description": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
}
]
}
Access Complexity v2.0.0
This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.
| Value | Definition |
|---|---|
| Low | Specialized access conditions or extenuating circumstances do not exist. |
| Medium | The access conditions are somewhat specialized. |
| High | Specialized access conditions exist. |
Access Complexity v2.0.0 JSON Example
{
"namespace": "cvss",
"version": "2.0.0",
"schemaVersion": "1-0-1",
"key": "AC",
"name": "Access Complexity",
"description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
"values": [
{
"key": "L",
"name": "Low",
"description": "Specialized access conditions or extenuating circumstances do not exist."
},
{
"key": "M",
"name": "Medium",
"description": "The access conditions are somewhat specialized."
},
{
"key": "H",
"name": "High",
"description": "Specialized access conditions exist."
}
]
}
Attack Complexity v3.0.0
This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.
| Value | Definition |
|---|---|
| Low | Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. |
| High | A successful attack depends on conditions beyond the attacker's control. |
Attack Complexity v3.0.0 JSON Example
{
"namespace": "cvss",
"version": "3.0.0",
"schemaVersion": "1-0-1",
"key": "AC",
"name": "Attack Complexity",
"description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.",
"values": [
{
"key": "L",
"name": "Low",
"description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."
},
{
"key": "H",
"name": "High",
"description": "A successful attack depends on conditions beyond the attacker's control."
}
]
}