Class CVSSv3 (1.16.0)

Common Vulnerability Scoring System version 3. For details, see https://www.first.org/cvss/specification-document

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

Values: ATTACK_COMPLEXITY_UNSPECIFIED (0): Invalid value. ATTACK_COMPLEXITY_LOW (1): Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component. ATTACK_COMPLEXITY_HIGH (2): A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.

This metric reflects the context by which vulnerability exploitation is possible.

Values: ATTACK_VECTOR_UNSPECIFIED (0): Invalid value. ATTACK_VECTOR_NETWORK (1): The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. ATTACK_VECTOR_ADJACENT (2): The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. ATTACK_VECTOR_LOCAL (3): The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities. ATTACK_VECTOR_PHYSICAL (4): The attack requires the attacker to physically touch or manipulate the vulnerable component.

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack.

Values: IMPACT_UNSPECIFIED (0): Invalid value. IMPACT_HIGH (1): High impact. IMPACT_LOW (2): Low impact. IMPACT_NONE (3): No impact.

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

Values: PRIVILEGES_REQUIRED_UNSPECIFIED (0): Invalid value. PRIVILEGES_REQUIRED_NONE (1): The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack. PRIVILEGES_REQUIRED_LOW (2): The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources. PRIVILEGES_REQUIRED_HIGH (3): The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component allowing access to component-wide settings and files.

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Values: SCOPE_UNSPECIFIED (0): Invalid value. SCOPE_UNCHANGED (1): An exploited vulnerability can only affect resources managed by the same security authority. SCOPE_CHANGED (2): An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component.

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Values: USER_INTERACTION_UNSPECIFIED (0): Invalid value. USER_INTERACTION_NONE (1): The vulnerable system can be exploited without interaction from any user. USER_INTERACTION_REQUIRED (2): Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited.