210-255 · Question #168
Which CVSS metric describes the conditions that are beyond the attacker's control that must be exist to exploit the vulnerability?
The correct answer is C. privileges required. The CVSS v3 Privileges Required metric quantifies the level of access an attacker must possess before a vulnerability can be exploited, representing a prerequisite condition that exists outside the attacker's direct control and must be satisfied for exploitation to succeed.
Question
Which CVSS metric describes the conditions that are beyond the attacker's control that must be exist to exploit the vulnerability?
Options
- Aattack vector
- Battack complexity
- Cprivileges required
- Duser interaction
How the community answered
(25 responses)- B4% (1)
- C88% (22)
- D8% (2)
Why each option
The CVSS v3 Privileges Required metric quantifies the level of access an attacker must possess before a vulnerability can be exploited, representing a prerequisite condition that exists outside the attacker's direct control and must be satisfied for exploitation to succeed.
Attack Vector describes the network context or physical proximity required to reach the vulnerable component - such as network, adjacent, local, or physical - not the privilege conditions required before exploitation.
Attack Complexity describes the technical prerequisites and environmental conditions that complicate the attack itself, such as race conditions or specific configurations, focusing on exploitation difficulty rather than required access levels.
Privileges Required (PR) is a CVSS v3 Base Score metric that captures what access level - None, Low, or High - must already be present on the target system before the attacker can exploit the vulnerability. Because the attacker cannot self-grant these privileges, whether the required access conditions exist is beyond their direct control and depends entirely on the target environment's configuration. This makes PR the metric describing mandatory pre-existing conditions external to the attacker that must be in place for exploitation to be possible.
User Interaction indicates whether a separate human user must take an action - such as opening a file or clicking a link - for exploitation to succeed, which is a different form of external dependency from required attacker privilege level.
Concept tested: CVSS v3 Privileges Required base score metric
Source: https://www.first.org/cvss/v3.1/specification-document
Topics
Community Discussion
No community discussion yet for this question.