Privileges Required
Privileges Required v1.0.1
This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts) is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.
| Value | Definition |
|---|---|
| High | The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files. |
| Low | The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources. |
| None | The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. |
Privileges Required v1.0.1 JSON Example
```json
{
  "namespace": "cvss",
  "version": "1.0.1",
  "schemaVersion": "1-0-1",
  "key": "PR",
  "name": "Privileges Required",
  "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
  "values": [
    {
      "key": "H",
      "name": "High",
      "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
    },
    {
      "key": "N",
      "name": "None",
      "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
    }
  ]
}
```
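Tooling that consumes a decision point file should reject a malformed one before it feeds a decision. The following is an added example (not code from the SSVC project) of a small structural check for the JSON layout shown above, with a lookup from a value key such as `L` to its name; the sample input is the v1.0.1 decision point with its descriptions shortened, and the field names are taken from the example above.

```python
import json

# Constructed sample input: the Privileges Required v1.0.1 decision point from
# this page, with the long descriptions shortened to keep the example compact.
PR_JSON = """{
  "namespace": "cvss", "version": "1.0.1", "schemaVersion": "1-0-1",
  "key": "PR", "name": "Privileges Required",
  "description": "Level of privileges an attacker must possess before exploiting.",
  "values": [
    {"key": "H", "name": "High", "description": "Administrative control over the system."},
    {"key": "L", "name": "Low", "description": "Basic capabilities of one low-privileged user."},
    {"key": "N", "name": "None", "description": "Unauthorized prior to attack."}
  ]
}"""

REQUIRED_TOP = ("namespace", "version", "schemaVersion", "key", "name", "description", "values")
REQUIRED_VALUE = ("key", "name", "description")

def check_decision_point(text):
    """Return a list of structural problems; an empty list means the document is usable."""
    try:
        dp = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(dp, dict):
        return ["top level must be a JSON object"]
    problems = [f"missing field {f!r}" for f in REQUIRED_TOP if f not in dp]
    values = dp.get("values")
    if not isinstance(values, list) or not values:
        return problems + ["'values' must be a non-empty list"]
    seen = set()
    for i, v in enumerate(values):
        if not isinstance(v, dict):
            return problems + [f"value {i} is not an object"]
        problems += [f"value {i} missing {f!r}" for f in REQUIRED_VALUE if f not in v]
        if v.get("key") in seen:  # duplicate keys would make lookups ambiguous
            problems.append(f"duplicate value key {v['key']!r}")
        seen.add(v.get("key"))
    return problems

def load_decision_point(text):
    """Parse a decision point document, rejecting it if any structural check fails."""
    problems = check_decision_point(text)
    if problems:
        raise ValueError("; ".join(problems))
    return json.loads(text)

def value_name(dp, key):
    """Map a value key such as 'L' to its name ('Low'); an unknown key raises KeyError."""
    return {v["key"]: v["name"] for v in dp["values"]}[key]
```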
Previous Versions
Following are the previous versions of the decision point:
Privileges Required v1.0.0
This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
| Value | Definition |
|---|---|
| High | The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files. |
| Low | The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources. |
| None | The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. |
Privileges Required v1.0.0 JSON Example
```json
{
  "namespace": "cvss",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "PR",
  "name": "Privileges Required",
  "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
  "values": [
    {
      "key": "H",
      "name": "High",
      "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
    },
    {
      "key": "L",
      "name": "Low",
      "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
    },
    {
      "key": "N",
      "name": "None",
      "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
    }
  ]
}
```