For reasons that are as convoluted as they get, I often have to score things in CVSSv2, which raises an awful number of questions. One of those questions is always around Access Vector.
The CVSSv2 specification states that the metric value of "Network" is:
The question that inevitably arises is whether you should score a vulnerability that can be conducted remotely via user interaction as "Network". For example, a user downloads a malicious file and opens it, or opens an attachment, etc. Should be an easy "No", right? The problem lies further in the specification documents. Scoring Tip #6 states:
This scoring tip directly contradicts the definition laid out by the specification, because:
A malicious file is not bound by the network stack; it can be delivered via USB, created on the vulnerable document, etc.
The attacker requires local access and is gaining that access through the complicit user.
In CVSSv3 the definition was tightened and this type of vulnerability was clearly indicated to be "Local", but they made the issue worse for CVSSv2 by stating:
That confusion wouldn't have existed if they hadn't contradicted their "Network" definition in the supplemental "Scoring Tips".
In CVSSv3, and now v3.1, the definition has been expanded but still uses some of the same language. The metric was actually renamed from "Access Vector" to "Attack Vector", though the two are still often mixed up in many vulnerability disclosure reports and articles. So I guess there are three takeaways I hope one will get from this:
Don't be surprised if CVSSv2 has something as "Network" and v3 has the same vuln as "Local". If you are converting between the two, please know the difference.
The definition of the metric should be the final word; don't change the meaning of the metric in supplemental documentation.
If you are a security practitioner, a developer of scanning software, or just generally rating or discussing vulnerabilities using CVSS, please move to v3 or v3.1 already. And yes, I know, they are both flawed in their own ways.
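To make the first takeaway concrete, here is an added example (my own code, not from the post or from FIRST) that implements the CVSSv2 and CVSSv3.1 base-score equations from the public specifications and scores the same "user opens a malicious document" vulnerability under every Access/Attack Vector value. The two metric vectors at the bottom are constructed for illustration; scoring the v2 vector as "Network" per Scoring Tip #6 gives a high-severity score, while the "Local" reading the v3 definition prefers lands more than two points lower, which is exactly the gap you hit when converting between versions.

```python
"""Added example, not from the original post: CVSSv2 and CVSSv3.1 base-score
calculators used to show how far the Access/Attack Vector choice moves the
score of a 'user opens a malicious file' vulnerability. Weights and formulas
follow the public CVSS v2 and v3.1 specifications; the metric vectors scored
at the bottom are constructed for illustration."""
import math
from decimal import Decimal, ROUND_HALF_UP

# ---- CVSS v2 base metrics -------------------------------------------------
V2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},     # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},      # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},     # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

# ---- CVSS v3.1 base metrics ----------------------------------------------
V31_WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},  # Attack Vector
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}
# Privileges Required weights depend on whether Scope is changed
V31_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},
          "C": {"N": 0.85, "L": 0.68, "H": 0.5}}


def parse_vector(vector):
    """'AV:N/AC:M/...' -> {'AV': 'N', 'AC': 'M', ...}; a 'CVSS:3.1/' prefix is dropped."""
    parts = [p for p in vector.split("/") if not p.startswith("CVSS:")]
    return dict(p.split(":", 1) for p in parts)


def _round1_half_up(x):
    # v2 rounds to one decimal, halves away from zero; Decimal avoids float surprises
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base(vector):
    """CVSSv2 base score from a metric vector such as 'AV:N/AC:M/Au:N/C:C/I:C/A:C'."""
    m = parse_vector(vector)
    w = {k: V2_WEIGHTS[k][m[k]] for k in V2_WEIGHTS}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return _round1_half_up((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def _roundup_v31(x):
    # Roundup() as defined in the v3.1 spec: integer arithmetic avoids float error
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31_base(vector):
    """CVSSv3.1 base score from 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'."""
    m = parse_vector(vector)
    w = {k: V31_WEIGHTS[k][m[k]] for k in V31_WEIGHTS}
    pr = V31_PR[m["S"]][m["PR"]]
    iss = 1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"])
    if m["S"] == "C":
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * w["AV"] * w["AC"] * pr * w["UI"]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if m["S"] == "C":
        total = 1.08 * total
    return _roundup_v31(min(total, 10))


def score_by_vector(v2_tail, v31_tail):
    """Score the same remaining metrics under every Access/Attack Vector value,
    so the effect of the 'Network' vs 'Local' decision is visible side by side."""
    return {
        "v2": {av: cvss2_base(f"AV:{av}/{v2_tail}") for av in "LAN"},
        "v3.1": {av: cvss31_base(f"CVSS:3.1/AV:{av}/{v31_tail}") for av in "PLAN"},
    }


if __name__ == "__main__":
    # Constructed 'user opens a malicious document' vulnerability: full
    # compromise, user interaction required, no privileges needed.
    scores = score_by_vector("AC:M/Au:N/C:C/I:C/A:C",
                             "AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H")
    for version, by_av in scores.items():
        print(version, " ".join(f"AV:{av}={s}" for av, s in by_av.items()))
```

The v2 half-up rounding and the v3.1 `Roundup()` are implemented separately on purpose: the two versions round differently, and using Python's bare `round()` for either produces off-by-one-tenth scores near the boundaries, which is a second, quieter way converted scores drift apart.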