210-255 · Question #59
Which CVSSv3 metric captures the level of access that is required for a successful attack?
The correct answer is C. privileges required. The CVSSv3 Privileges Required (PR) base metric specifically measures the level of access an attacker must possess prior to successfully exploiting a vulnerability.
Question
Which CVSSv3 metric captures the level of access that is required for a successful attack?
Options
- Aattack vector
- Battack complexity
- Cprivileges required
- Duser interaction
How the community answered
(28 responses)- A4% (1)
- B4% (1)
- C93% (26)
Why each option
The CVSSv3 Privileges Required (PR) base metric specifically measures the level of access an attacker must possess prior to successfully exploiting a vulnerability.
Attack Vector describes the context or network path by which exploitation is possible (Network, Adjacent, Local, or Physical), not the privilege or access level the attacker must hold.
Attack Complexity captures conditions beyond the attacker's direct control that must exist for exploitation to succeed, such as race conditions or specific configurations, not the required privilege level.
The Privileges Required metric in CVSSv3 describes the level of privileges an attacker must possess before successfully exploiting the vulnerability, with enumerated values of None, Low, or High. This metric directly captures required access level - for example, a vulnerability exploitable without any authentication scores None, while one requiring administrative credentials scores High.
User Interaction indicates whether a victim user must actively participate in the compromise for the attack to succeed, not the attacker's own privilege or access level.
Concept tested: CVSSv3 Privileges Required base metric
Source: https://www.first.org/cvss/v3.1/specification-document
Topics
Community Discussion
No community discussion yet for this question.