Changes accepted January 3rd 2006

Vote

100% acceptance

Item title

Additional access complexity granularity to base scoring

Description

Case for adding more granularity to AccessComplexity: add an additional "medium" value to better describe the complexity needed to use a particular exploit.

Formula change

AccessComplexity   Current   Would change to
High               0.8       0.6
Medium             (none)    0.8
Low                1.0       1.0
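The table above only gives the AccessComplexity multipliers. To see what the change does to an actual base score, the following added example (not part of this proposal page) scores one constructed vulnerability under the current and the proposed weights. The AC weights are taken from the table; everything else (the AccessVector, Authentication, impact and impact-bias weights, and the base equation itself) is assumed to be the CVSS v1 base-score equation, which this page does not reproduce. Because Low stays at 1.0, only vulnerabilities currently rated High move: those that remain High under the new criteria lose points, while those re-rated Medium keep their old score.

```python
# Added example, not part of the CVSS SIG proposal page.
# AC multipliers come from the proposal's "Formula change" table.
# ASSUMPTION: the remaining weights and the equation below are the CVSS v1
# base-score equation, which the page itself does not reproduce.

from typing import Dict

# AccessComplexity multipliers from the proposal's table.
AC_CURRENT: Dict[str, float] = {"High": 0.8, "Low": 1.0}
AC_PROPOSED: Dict[str, float] = {"High": 0.6, "Medium": 0.8, "Low": 1.0}

# ASSUMPTION: CVSS v1 weights for the other base metrics (not on this page).
ACCESS_VECTOR = {"Local": 0.7, "Remote": 1.0}
AUTHENTICATION = {"Required": 0.6, "NotRequired": 1.0}
IMPACT = {"None": 0.0, "Partial": 0.7, "Complete": 1.0}
IMPACT_BIAS = {                      # (Conf, Integ, Avail) weighting
    "Normal": (0.333, 0.333, 0.333),
    "Confidentiality": (0.5, 0.25, 0.25),
    "Integrity": (0.25, 0.5, 0.25),
    "Availability": (0.25, 0.25, 0.5),
}


def base_score(av, ac_weight, au, conf, integ, avail, bias="Normal"):
    """ASSUMED CVSS v1 base equation:
    round_to_1_decimal(10 * AV * AC * Au * (C*Cb + I*Ib + A*Ab)).
    The AC multiplier is passed in directly so the same metrics can be
    scored under the current and the proposed AccessComplexity tables."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    return round(10 * ACCESS_VECTOR[av] * ac_weight * AUTHENTICATION[au] * impact, 1)


def compare_ac_change(av, current_ac, proposed_ac, au, conf, integ, avail, bias="Normal"):
    """Score one vulnerability with its current AC rating and with the rating
    it would receive under the proposal; return both scores and the delta."""
    before = base_score(av, AC_CURRENT[current_ac], au, conf, integ, avail, bias)
    after = base_score(av, AC_PROPOSED[proposed_ac], au, conf, integ, avail, bias)
    return {"current": before, "proposed": after, "delta": round(after - before, 1)}


if __name__ == "__main__":
    # Constructed sample: remote, no authentication, partial C/I/A impact,
    # currently rated AccessComplexity=High. Under the proposal it either stays
    # High (e.g. needs DNS spoofing or a narrow race window) or is re-rated
    # Medium (e.g. a small amount of social engineering or information gathering).
    metrics = ("NotRequired", "Partial", "Partial", "Partial")
    stays_high = compare_ac_change("Remote", "High", "High", *metrics)
    now_medium = compare_ac_change("Remote", "High", "Medium", *metrics)
    print("stays High      :", stays_high)   # current 5.6 -> proposed 4.2
    print("re-rated Medium :", now_medium)   # current 5.6 -> proposed 5.6
```

The `"(none)"` entry in the table is reflected by `AC_CURRENT` having no Medium key: under the current scheme every vulnerability that is not Low is High at 0.8, so the proposal's Medium value is exactly the old High weight and the new High is a strictly lower multiplier.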

Documentation change

Current
High: Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (non-default configurations), or the system is exploitable with victim interaction (the vulnerability is exploitable only if the user opens an e-mail).
Low: Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable.
Proposed change
High: in MOST configurations, the attacking party must already have high privileges; or must control or spoof additional systems besides the attacking system (e.g. DNS); or the attack can only be opportunistic, i.e. the attacker cannot directly trigger the vulnerability; or the attack depends on social engineering methods that would be easily detected by knowledgeable people; or the affected configuration is deemed to be very rare in practice; or the race condition window is very narrow; or the attack depends on the presence of other vulnerabilities.
Medium: the attacking party is limited to a group of systems or users at some level of authorization, possibly untrusted; some information gathering is required before a successful attack can be launched; the affected functionality is not always used; or the attack requires a small amount of social engineering that might occasionally fool cautious users (e.g. phishing attacks that modify the status bar to show a false link, or having to be on someone's "buddy" list before sending an IM exploit).
Low: the affected product typically requires access to a wide range of systems and users, possibly anonymous and untrusted (e.g. an Internet-facing web or mail server); the affected configuration is default or ubiquitous; the attack can be performed manually in one or two steps that require little skill or additional information gathering; the "race condition" is a lazy one, i.e. it is technically a race but easily winnable (as is the case with many symlink vulnerabilities).