Some vulnerabilities are easier to exploit than others, and vulnerability complexity is an important factor to consider in determining the magnitude of the threat a vulnerability poses. A High severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower severity vulnerability that can be exploited more easily.
Security investigators take both severity and complexity into account when determining the appropriate response to a vulnerability. CVSS version 2.0 uses three complexity designations: Low, Medium, and High. The table below gives definitions for these designations.
Definitions from Peter Mell, Karen Scarfone, and Sasha Romanosky, A Complete Guide to the Common Vulnerability Scoring System Version 2.0, section 2.1.2.
Was the information in this article helpful?