210-255 · Question #124
Which CVSS metric describes the conditions that are beyond the attackers control so that an attack can be successful?
The correct answer is C. attack complexity. The CVSS Attack Complexity metric captures the conditions outside the attacker's direct control that must be present for a vulnerability to be successfully exploited.
Question
Which CVSS metric describes the conditions that are beyond the attackers control so that an attack can be successful?
Options
- AUser interaction
- BAttack vector
- Cattack complexity
- Dprivileges required
How the community answered
(34 responses)- A3% (1)
- B3% (1)
- C94% (32)
Why each option
The CVSS Attack Complexity metric captures the conditions outside the attacker's direct control that must be present for a vulnerability to be successfully exploited.
User Interaction describes whether a human user must take an action to trigger the exploit, which is a separate and controllable prerequisite distinct from environmental conditions.
Attack Vector describes the network path or context (Network, Adjacent, Local, Physical) through which exploitation is possible, not preconditions beyond the attacker's control.
Attack Complexity (AC) in CVSS v3.0 is specifically defined as the conditions beyond the attacker's control that must exist - such as a specific system configuration, race condition, or environmental prerequisite - before the attack can succeed. A value of Low means no special conditions are required, while High means specific conditions outside the attacker's control must be met. No other base metric captures this concept of prerequisite environmental or configuration conditions.
Privileges Required describes the level of authentication or access the attacker must already possess before exploitation, not environmental conditions outside their control.
Concept tested: CVSS v3.0 Attack Complexity base metric
Source: https://www.first.org/cvss/v3.0/specification-document
Topics
Community Discussion
No community discussion yet for this question.