"A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may require the attacker: to perform target-specific reconnaissance; to prepare the target environment to improve exploit reliability; or to inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. a man in the middle attack)."
But you could also argue 'Attack Complexity' of any exploit which has per-OS/arch exploits requires reconnaissance. There, I just boxed MS08-67 (which is arch-specific, iirc) as 'Attack Complexity: High' with pretty much any theoretical crypto attack which would cost billions to exploit :)
Let's not forget CVSS doesn't assess likelihood or business impact well (or at all) either. Your org is far more likely to get rekt if you do not enforce application whitelisting, compared to an intranet-exposed drupalgeddon vulnerability.