Date: Fri, 3 Jan 2014 12:30:50 -0500 (EST) From: cve-assign@...re.org To: abn@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: Neo4J CSRF: Potential CVE candidate -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Last August, Dinis Cruz wrote a blog entry detailing a CSRF attack > http://blog.diniscruz.com/2013/08/neo4j-csrf-payload-to-start-processes.html > on a Neo4J Server resulting in an RCE. The server's documentation > mentions the following. > > "By default, the Neo4j Server comes with some places where arbitrary > code code execution can happen. These are the Section 19.15, > This could mean that the RCE itself is not CVE worthy as it is a > documented/expected behavior. However, should the CSRF flaw be > considered a vulnerability and assigned a CVE? Use CVE-2013-7259 for the CSRF. There is no CVE assignment for the documented Section 19.15 behavior. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJSxvNhAAoJEKllVAevmvmscdkH/2ujYyUGrDQwoSXdENDgUCAS fpyQfXnbL6dATF41P8y4cz7e7lCUMb/RxFJ6WBsLd/smCS/K9Q4yF0l4VAwp+2bg Ztxcqzz4mQafgXGwAcKMtQ6ZXSk4I9r67PlBcFdO/mddhaLUDQT3MTxYBGJVfJSP NlIuCp49QGJGpypRssK0bFkmLymHY9bMrz7n2EzgzPbk4GilVRhBrjEo3R2oJtKW DZfRT8JO3op/3515wGXu0jeOtlKQg+YcKJbkpD3jwzmOANQsSFtfKgzNEUU9GCMt XO7FYhLg4RyPs9/Lgy1AuFO/crqAck2SLyNTl7rd0KEKLgeANm1j8km4itnvZ+0= =/rAS -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.