Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 May 2015 07:51:53 -0400 (EDT)
From: cve-assign@...re.org
To: henri@...v.fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request, multiple WordPress plugins and themes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> One email with all needed details for CVE request per plugin is better
> way to get these assigned.

The MITRE CVE team currently prefers that this request not be re-sent
as a separate message for each plugin.

> https://github.com/RedHatProductSecurity/CVE-HOWTO#how-to-write-a-cve-request

That document is directly applicable to CVE request responses by Kurt
Seifried (including the ones he sent to oss-security up until 2013).
Although the document contains a large amount of useful information,
it is not a document that has been reviewed by the MITRE CVE team. For
the specific topic of WordPress plugins, we would typically need to
know what privileges are required to conduct each attack and -- in
situations with more than one security issue for a single plugin --
whether the vulnerabilities are independently exploitable.

> does not have enough information for CVE request

For the majority of the plugins, the amount of vulnerability detail is
similar to the http://openwall.com/lists/oss-security/2015/05/22/4
case that we discussed here last week. The situation isn't identical,
so we'll try to clarify. As always, MITRE does not make decisions
about the policies of the oss-security list. The current status is
that nobody has objected to the message pattern starting with (for
example) the http://openwall.com/lists/oss-security/2015/05/18/8 post,
in which version information was originally included and the
vulnerability had already been fixed. The
http://openwall.com/lists/oss-security/2015/05/27/6 reporting pattern
is not always the same. First, version information is not directly
included. Second, some of the plugins apparently do not have a
changelog entry indicating that any security problem was recently
fixed. Putting all of this together, the most critical difference may
be that some of these plugin reports are not about "Public security
issues" and would potentially fall outside the scope of this list. So,
our guess is that we can send a response here (with a CVE mapping) for
a subset of this message, e.g.,

    * extended-catagories-widget [PLUGINS] + url:
    https://wordpress.org/plugins/extended-categories-widget/ +
    vuln found: :--|- post auth admin SQLi

seems to map to this public issue:

    https://wordpress.org/plugins/extended-categories-widget/changelog/
       Last Updated: 2015-5-27
       Version 4.0.1
       Post-Auth SQL Injection Vulnerability
       Only occurs for WordPress versions lower than 3.3

but we must not send a response here (with a CVE mapping) for some of
the other parts. If we have misinterpreted that, you can (among other
options) send e-mail directly to only cve-assign@...re.org to tell us.
We will leave it at that for now. There are obviously open questions,
e.g., if someone prefers to send a very large number of
low-information but public WordPress plugin findings, is it still best
to use oss-security.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVZwALAAoJEKllVAevmvmsNLUH/3sPYVAJdvAzrBsr5gA8I0Pi
2KDWEA+nolK70uhf+fcGLJtw0HJY+q1C/gtWVVd2VaNCojsBwA0Xz5GyWqk8bzVx
UZX5WgbFbyy5gOQE1Gp49NM5V2KvoZ8YJvLw7hds9XPmpX7lH3MbjXmzDy+p2e1Y
BUlg2Js4noI0VjOBJBreaXNWVoHyI6YbSSRuJWXGEiMWah8dhTvh/i+Kkjr/tO1g
t6kfThgZzdEErBQBbm/hjDxvy5zNRyZiePSRUnEYoTmD3Pj12B5/B861T/d5An8N
BDT+JCb2hcXe5zEXEwu0QFXW3B41z/K0nNGIoD/ZS18rZza1hhY8WBnf3KkQ8Ns=
=Sw75
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ