nerdexam
Cisco

210-255 · Question #124

Which CVSS metric describes the conditions that are beyond the attackers control so that an attack can be successful?

The correct answer is C. attack complexity. The CVSS Attack Complexity metric captures the conditions outside the attacker's direct control that must be present for a vulnerability to be successfully exploited.

Security Monitoring

Question

Which CVSS metric describes the conditions that are beyond the attackers control so that an attack can be successful?

Options

  • AUser interaction
  • BAttack vector
  • Cattack complexity
  • Dprivileges required

How the community answered

(34 responses)
  • A
    3% (1)
  • B
    3% (1)
  • C
    94% (32)

Why each option

The CVSS Attack Complexity metric captures the conditions outside the attacker's direct control that must be present for a vulnerability to be successfully exploited.

AUser interaction

User Interaction describes whether a human user must take an action to trigger the exploit, which is a separate and controllable prerequisite distinct from environmental conditions.

BAttack vector

Attack Vector describes the network path or context (Network, Adjacent, Local, Physical) through which exploitation is possible, not preconditions beyond the attacker's control.

Cattack complexityCorrect

Attack Complexity (AC) in CVSS v3.0 is specifically defined as the conditions beyond the attacker's control that must exist - such as a specific system configuration, race condition, or environmental prerequisite - before the attack can succeed. A value of Low means no special conditions are required, while High means specific conditions outside the attacker's control must be met. No other base metric captures this concept of prerequisite environmental or configuration conditions.

Dprivileges required

Privileges Required describes the level of authentication or access the attacker must already possess before exploitation, not environmental conditions outside their control.

Concept tested: CVSS v3.0 Attack Complexity base metric

Source: https://www.first.org/cvss/v3.0/specification-document

Topics

#CVSS#attack complexity#vulnerability metrics#exploitability

Community Discussion

No community discussion yet for this question.

Full 210-255 Practice