Date: Thu, 28 May 2015 07:51:53 -0400 (EDT) From: cve-assign@...re.org To: henri@...v.fi Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request, multiple WordPress plugins and themes -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > One email with all needed details for CVE request per plugin is better > way to get these assigned. The MITRE CVE team currently prefers that this request not be re-sent as a separate message for each plugin. > https://github.com/RedHatProductSecurity/CVE-HOWTO#how-to-write-a-cve-request That document is directly applicable to CVE request responses by Kurt Seifried (including the ones he sent to oss-security up until 2013). Although the document contains a large amount of useful information, it is not a document that has been reviewed by the MITRE CVE team. For the specific topic of WordPress plugins, we would typically need to know what privileges are required to conduct each attack and -- in situations with more than one security issue for a single plugin -- whether the vulnerabilities are independently exploitable. > does not have enough information for CVE request For the majority of the plugins, the amount of vulnerability detail is similar to the http://openwall.com/lists/oss-security/2015/05/22/4 case that we discussed here last week. The situation isn't identical, so we'll try to clarify. As always, MITRE does not make decisions about the policies of the oss-security list. The current status is that nobody has objected to the message pattern starting with (for example) the http://openwall.com/lists/oss-security/2015/05/18/8 post, in which version information was originally included and the vulnerability had already been fixed. The http://openwall.com/lists/oss-security/2015/05/27/6 reporting pattern is not always the same. First, version information is not directly included. Second, some of the plugins apparently do not have a changelog entry indicating that any security problem was recently fixed. Putting all of this together, the most critical difference may be that some of these plugin reports are not about "Public security issues" and would potentially fall outside the scope of this list. So, our guess is that we can send a response here (with a CVE mapping) for a subset of this message, e.g., * extended-catagories-widget [PLUGINS] + url: https://wordpress.org/plugins/extended-categories-widget/ + vuln found: :--|- post auth admin SQLi seems to map to this public issue: https://wordpress.org/plugins/extended-categories-widget/changelog/ Last Updated: 2015-5-27 Version 4.0.1 Post-Auth SQL Injection Vulnerability Only occurs for WordPress versions lower than 3.3 but we must not send a response here (with a CVE mapping) for some of the other parts. If we have misinterpreted that, you can (among other options) send e-mail directly to only cve-assign@...re.org to tell us. We will leave it at that for now. There are obviously open questions, e.g., if someone prefers to send a very large number of low-information but public WordPress plugin findings, is it still best to use oss-security. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVZwALAAoJEKllVAevmvmsNLUH/3sPYVAJdvAzrBsr5gA8I0Pi 2KDWEA+nolK70uhf+fcGLJtw0HJY+q1C/gtWVVd2VaNCojsBwA0Xz5GyWqk8bzVx UZX5WgbFbyy5gOQE1Gp49NM5V2KvoZ8YJvLw7hds9XPmpX7lH3MbjXmzDy+p2e1Y BUlg2Js4noI0VjOBJBreaXNWVoHyI6YbSSRuJWXGEiMWah8dhTvh/i+Kkjr/tO1g t6kfThgZzdEErBQBbm/hjDxvy5zNRyZiePSRUnEYoTmD3Pj12B5/B861T/d5An8N BDT+JCb2hcXe5zEXEwu0QFXW3B41z/K0nNGIoD/ZS18rZza1hhY8WBnf3KkQ8Ns= =Sw75 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.