The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files.
Quote from the CVSS specification
Vulnerabilities with this tag were given a CVSS rating as part of the requirement to be included into the National Vulnerability Database. You can learn more about what the individual scores mean in the CVSS specification document.
The Vulnerability History Project