Authentication
Authentication v2.0.0
This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.
Value | Definition |
---|---|
Multiple | Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time. |
Single | The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface). |
None | Authentication is not required to exploit the vulnerability. |
Authentication v2.0.0 JSON Example
```json
{
  "namespace": "cvss",
  "version": "2.0.0",
  "schemaVersion": "1-0-1",
  "key": "Au",
  "name": "Authentication",
  "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.",
  "values": [
    {
      "key": "M",
      "name": "Multiple",
      "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."
    },
    {
      "key": "S",
      "name": "Single",
      "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."
    },
    {
      "key": "N",
      "name": "None",
      "description": "Authentication is not required to exploit the vulnerability."
    }
  ]
}
```
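The following is an added example, not code from the SSVC or CVSS projects. It resolves the `Au` component of a CVSS v2 base vector against the v2.0.0 decision point above and computes the v2 exploitability subscore, showing that fewer required authentications yield a higher score. The function names are hypothetical, the vectors are constructed, and the weights are taken from the CVSS v2 specification, not from this page.

```python
import json

# Authentication v2.0.0 decision point, abridged from the JSON on this page
# (descriptions omitted; keys, names and value order unchanged).
AU_V2 = json.loads("""
{"namespace": "cvss", "version": "2.0.0", "key": "Au", "name": "Authentication",
 "values": [{"key": "M", "name": "Multiple"},
            {"key": "S", "name": "Single"},
            {"key": "N", "name": "None"}]}
""")

# Metric weights from the CVSS v2 specification (assumption: not listed on this page).
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
}

def parse_vector(vector):
    """Split 'AV:N/AC:L/Au:S/...' into a dict, rejecting malformed or duplicate parts."""
    metrics = {}
    for part in vector.strip().split("/"):
        key, sep, value = part.partition(":")
        if not sep or not key or not value or key in metrics:
            raise ValueError(f"malformed vector component: {part!r}")
        metrics[key] = value
    return metrics

def authentication_value(vector, decision_point=AU_V2):
    """Return the decision point value object selected by the vector's Au component."""
    selected = parse_vector(vector).get(decision_point["key"])
    for value in decision_point["values"]:
        if value["key"] == selected:
            return value
    allowed = ", ".join(v["key"] for v in decision_point["values"])
    raise ValueError(f"Au must be one of {allowed}; got {selected!r}")

def exploitability(vector):
    """CVSS v2 exploitability subscore: 20 * AccessVector * AccessComplexity * Authentication."""
    m = parse_vector(vector)
    try:
        score = 20 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]] * WEIGHTS["Au"][m["Au"]]
    except KeyError as exc:
        raise ValueError(f"missing or unknown metric value: {exc}") from None
    return round(score, 1)

if __name__ == "__main__":
    for au in ("M", "S", "N"):  # constructed vectors that differ only in Au
        v = f"AV:N/AC:L/Au:{au}/C:P/I:P/A:P"
        print(authentication_value(v)["name"], exploitability(v))
```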
Previous Versions
Following are the previous versions of the decision point:
Authentication v1.0.0
This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.
Value | Definition |
---|---|
Not Required | Authentication is not required to access or exploit the vulnerability. |
Required | Authentication is required to access and exploit the vulnerability. |
Authentication v1.0.0 JSON Example
```json
{
  "namespace": "cvss",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "Au",
  "name": "Authentication",
  "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.",
  "values": [
    {
      "key": "N",
      "name": "Not Required",
      "description": "Authentication is not required to access or exploit the vulnerability."
    },
    {
      "key": "R",
      "name": "Required",
      "description": "Authentication is required to access and exploit the vulnerability."
    }
  ]
}
```