
I have read about Access Complexity from NVD (https://nvd.nist.gov/CVSS/v2-calculator):
[Access Complexity]

This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.

Medium (M): Some information must be gathered before a successful attack can be launched.

Low (L): The attack can be performed manually and requires little skill or additional information gathering.

I have a question: if a vulnerability is hard to discover, and the attacker needs to collect certain information first, but the vulnerability is easy to exploit, is it reasonable for the Access Complexity metric to be "Low" in this example?

Matt Elson

1 Answer


Access Complexity is a very overloaded and subjective metric in CVSS v2. When it's applied, it's impossible to tell if it's being used for user interaction from social engineering, from a race condition, uncommon configuration, attacker starting privileges, or anything else. (https://www.first.org/cvss)

Are you aware of CVSS version 3 that came out last year?

In CVSS version 3, it is now renamed "Attack Complexity" and only has two metric values: Low and High.
Now, it's much easier to choose between two possible values. It should be noted that any 'user interaction' should not be considered while rating the 'Attack Complexity' parameter. CVSS has a new parameter called 'User Interaction' to incorporate this.

Low (AC): If the attacker can exploit at any time (reflected XSS)

High (AC): Some conditions beyond the attacker's control exist (say, the POODLE attack, which requires a MITM attack)

one