CVSS v3.0 incorporated a new measure which reflects the ability for a vulnerability in one component to impact other resources and components. In this section, you will come to understand that a threat can sometimes have impacts beyond its individual capacity, and this must be captured in CVSS v3.0 under the scope metric.
The authorization scope or scope metric refers to the privileges associated with a computing authority (for example, process, application, operating system, or sandbox environment) when granting access to computing resources (for example, files, processing, RAM, permanent storage, and so on). If a vulnerability is able to gain more (or different) access to resources than the original (normal working) authority is able to assign. The base score is greater when a scope change has occurred.
A clear example of scope change is a vulnerability escaping a sandbox...