While calculating the CVSS score using CVSS 3.1, attack vectors are classified into four.

  • Network - Remote attack
  • Adjacent - Should share the same physical or logical network as the victim
  • Physical - Physical access to device or component

Based on the description of the Local attack vector on the first.org page,

The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document).

From the above description of the Local attack vector,

  1. What is the difference between interaction in the Local attack vector and the User Interaction metric?
  2. What is the difference between local access and the Privileges Required metric?
  3. If local access to the keyboard or console is required as mentioned in the description, does it make the vector physical?
  4. Does the local attack vector have a role in appsec (mobile/web)?
schroeder
Joel Deleep