Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 3 Jan 2014 12:30:50 -0500 (EST)
From: cve-assign@...re.org
To: abn@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Neo4J CSRF: Potential CVE candidate

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Last August, Dinis Cruz wrote a blog entry detailing a CSRF attack

> http://blog.diniscruz.com/2013/08/neo4j-csrf-payload-to-start-processes.html

> on a Neo4J Server resulting in an RCE. The server's documentation
> mentions the following.
> 
>   "By default, the Neo4j Server comes with some places where arbitrary
>   code code execution can happen. These are the Section 19.15,

> This could mean that the RCE itself is not CVE worthy as it is a
> documented/expected behavior. However, should the CSRF flaw be
> considered a vulnerability and assigned a CVE?

Use CVE-2013-7259 for the CSRF. There is no CVE assignment for the
documented Section 19.15 behavior.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSxvNhAAoJEKllVAevmvmscdkH/2ujYyUGrDQwoSXdENDgUCAS
fpyQfXnbL6dATF41P8y4cz7e7lCUMb/RxFJ6WBsLd/smCS/K9Q4yF0l4VAwp+2bg
Ztxcqzz4mQafgXGwAcKMtQ6ZXSk4I9r67PlBcFdO/mddhaLUDQT3MTxYBGJVfJSP
NlIuCp49QGJGpypRssK0bFkmLymHY9bMrz7n2EzgzPbk4GilVRhBrjEo3R2oJtKW
DZfRT8JO3op/3515wGXu0jeOtlKQg+YcKJbkpD3jwzmOANQsSFtfKgzNEUU9GCMt
XO7FYhLg4RyPs9/Lgy1AuFO/crqAck2SLyNTl7rd0KEKLgeANm1j8km4itnvZ+0=
=/rAS
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.