This metric reflects the context by which vulnerability exploitation is possible.
Same metric
AC
Attack Complexity
This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.
Same metric, but rank reduced (3 → 2).
PR
Privileges Required
This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
Expanded from Au (Authentication), and rank reduced (3 → 2).
UI
User Interaction
This metric captures the requirements for a user, other than the attacker, to participate in a successful compromise of the vulnerable component.
New metric. Whether interaction by a user other than the attacker is necessary for successful exploitation.
S
Scope
Scope refers to the collection of privileges defined by a computing authority (e.g., an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g., files, central processing unit (CPU), memory, etc.).
New metric. Whether the vulnerability spreads to other resources beyond the exploited component.
Im-C
Confidentiality Impact
This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.
Same metric, only renamed from EF-C.
Im-I
Integrity Impact
This metric measures the impact to integrity of a successfully exploited vulnerability.
Same metric, only renamed from EF-I.
Im-A
Availability Impact
This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.