Date: Thu, 28 May 2015 07:51:53 -0400 (EDT)
Subject: Re: CVE Request, multiple WordPress plugins and themes

> One email with all needed details for CVE request per plugin is better
> way to get these assigned.

The MITRE CVE team currently prefers that this request not be re-sent
as a separate message for each plugin.


That document is directly applicable to CVE request responses by Kurt
Seifried (including the ones he sent to oss-security up until 2013).
Although the document contains a large amount of useful information,
it is not a document that has been reviewed by the MITRE CVE team. For
the specific topic of WordPress plugins, we would typically need to
know what privileges are required to conduct each attack and -- in
situations with more than one security issue for a single plugin --
whether the vulnerabilities are independently exploitable.

> does not have enough information for CVE request

For the majority of the plugins, the amount of vulnerability detail is
similar to the case that we discussed here last week. The situation
isn't identical, so we'll try to clarify. As always, MITRE does not
make decisions about the policies of the oss-security list. The
current status is that nobody has objected to the message pattern
starting with (for example) the post, in which version information was
originally included and the vulnerability had already been fixed. The
reporting pattern is not always the same. First, version information
is not directly included. Second, some of the plugins apparently do
not have a changelog entry indicating that any security problem was
recently fixed. Putting all of this together, the most critical
difference may be that some of these plugin reports are not about
"Public security issues" and would potentially fall outside the scope
of this list. So, our guess is that we can send a response here (with
a CVE mapping) for a subset of this message, e.g.,

    * extended-catagories-widget [PLUGINS] + url: +
    vuln found: :--|- post auth admin SQLi

seems to map to this public issue:
       Last Updated: 2015-5-27
       Version 4.0.1
       Post-Auth SQL Injection Vulnerability
       Only occurs for WordPress versions lower than 3.3

but we must not send a response here (with a CVE mapping) for some of
the other parts. If we have misinterpreted that, you can (among other
options) send e-mail directly to only to tell us.
We will leave it at that for now. There are obviously open questions,
e.g., if someone prefers to send a very large number of
low-information but public WordPress plugin findings, is it still best
to use oss-security?

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]