Date: Tue, 21 Apr 2015 23:32:23 +0200
From: Pere Orga <pere@...a.cat>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: CVEs for Drupal contributed modules - January 2015

On Tue, Apr 21, 2015 at 7:52 PM,  <cve-assign@...re.org> wrote:
>

[...]

>> SA-CONTRIB-2015-033 - Certify - Access bypass
>> SA-CONTRIB-2015-033 - Certify - Information disclosure
>> https://www.drupal.org/node/2415947
>
>
> It is not clear whether there should be a single CVE or multiple CVEs.
>
> Both "Access bypass" and "Information Disclosure" are mentioned in
> SA-CONTRIB-2015-033, along with the phrase "Multiple
> vulnerabilities."
> However, SA-CONTRIB-2015-033 also says that "The module does not
> sufficiently check node access when showing (and creating) the PDF
> certificates. This can lead to users seeing certificates they should
> not have access to."  This suggests a single root cause - lack of node
> access checks - which could lead to information disclosure.  If so,
> then from the CVE perspective, this would be one vulnerability and one
> ID would be assigned.
>

Yes, that sounds right.

Thank you for all these assignments.


Regards
Pere
