The access conditions are somewhat specialized; the following are examples:
- The attacking party is limited to a group of systems or users at some level
of authorization, possibly untrusted.
- Some information must be gathered before a successful attack can be
launched.
- The affected configuration is non-default, and is not commonly configured
(e.g., a vulnerability present when a server performs user account
authentication via a specific scheme, but not present for another
authentication scheme).
- The attack requires a small amount of social engineering that might
occasionally fool cautious users (e.g., phishing attacks that modify a web
browsers status bar to show a false link, having to be on someones buddy
list before sending an IM exploit).
Quote from the CVSS specification.
Vulnerabilities with this tag were given a CVSS rating as part of the requirement to be included into the National Vulnerability Database. You can learn more about what the individual scores mean in the CVSS specification document.