Date: Tue, 21 Apr 2015 23:32:23 +0200
From: Pere Orga <pere@...a.cat>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: CVEs for Drupal contributed modules - January 2015

On Tue, Apr 21, 2015 at 7:52 PM, <cve-assign@...re.org> wrote:
> [...]
>> SA-CONTRIB-2015-033 - Certify - Access bypass
>> SA-CONTRIB-2015-033 - Certify - Information disclosure
>> https://www.drupal.org/node/2415947
>
>
> It is not clear whether there should be a single CVE or multiple CVEs.
>
> Both "Access bypass" and "Information Disclosure" are mentioned in
> SA-CONTRIB-2015-033, along with the phrase "Multiple
> vulnerabilities."
> However, SA-CONTRIB-2015-033 also says that "The module does not
> sufficiently check node access when showing (and creating) the PDF
> certificates. This can lead to users seeing certificates they should
> not have access to." This suggests a single root cause - lack of node
> access checks - which could lead to information disclosure. If so,
> then from the CVE perspective, this would be one vulnerability and one
> ID would be assigned.
>

Yes, that sounds right.

Thank you for all these assignments.

Regards
Pere