User Interaction

User Interaction v2.0.0

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.

| Value | Definition |
|---|---|
| Active | Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability. |
| Passive | Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system. |
| None | The vulnerable system can be exploited without interaction from any human user, other than the attacker. |

User Interaction v2.0.0 JSON Example
{
  "namespace": "cvss",
  "version": "2.0.0",
  "schemaVersion": "1-0-1",
  "key": "UI",
  "name": "User Interaction",
  "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.",
  "values": [
    {
      "key": "A",
      "name": "Active",
      "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."
    },
    {
      "key": "P",
      "name": "Passive",
      "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."
    },
    {
      "key": "N",
      "name": "None",
      "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."
    }
  ]
}

Previous Versions

Following are the previous versions of the decision point:

User Interaction v1.0.0

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

| Value | Definition |
|---|---|
| Required | Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. |
| None | The vulnerable system can be exploited without interaction from any user. |

User Interaction v1.0.0 JSON Example
{
  "namespace": "cvss",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "UI",
  "name": "User Interaction",
  "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
  "values": [
    {
      "key": "R",
      "name": "Required",
      "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
    },
    {
      "key": "N",
      "name": "None",
      "description": "The vulnerable system can be exploited without interaction from any user."
    }
  ]
}