Nipper reports include a table that maps CVSS v3.1 Attack Vector against Attack Complexity:
This view helps prioritise vulnerabilities based on how an attack can be performed and how difficult it is to exploit. This article explains what each column and row in that table represents.
Attack Vector (Columns)
Attack Vector describes where the attacker must be located to exploit a vulnerability.
|
Attack Vector |
Meaning |
|---|---|
| Network | The vulnerability can be exploited remotely over the network, including from the internet. No prior access is required. |
| Adjacent Network | The attacker must be on the same local network (e.g. same VLAN, subnet, or Layer-2 segment). |
| Local | The attacker requires local access to the system, such as an authenticated account or shell access. |
| Physical | The attacker must have physical access to the device or hardware. |
| Not Defined | The vulnerability does not specify an attack vector. |
Attack Complexity (Rows)
Attack Complexity describes how difficult it is to successfully exploit the vulnerability.
| Attack Complexity | Meaning |
|---|---|
| Low | The attack is straightforward and does not require special conditions, timing, or advanced preparation. |
| High | The attack requires specific conditions, precise timing, or advanced knowledge to succeed. |
| Not Defined | The vulnerability does not include enough information to determine attack complexity. |
Important Notes
-
“Not Defined” does not mean low risk. It only means the CVSS metric was not specified.