Hacker News

Attack complexity High (chance for an attacker to get anything at all is very low), Availability None (you're not crashing any service that's running in the background) and Confidentiality Low (data leaked is not in the attacker's control and not likely to be interesting). Adds up to a score of 2.9.


IF you can execute code this way (which is an IF) then it's way more severe than a 2.9, and you could absolutely do anything you want with the system (you'll be root).

Complexity High isn't about what an attacker gets; it's about whether or not any specific configuration must exist for the attack to happen. For instance, if an app that talks to several services over different file transfer protocols has a vulnerability in only the FTP component, and these are not under attacker control, that's Complexity High.



