Home page logo

oss-sec logo oss-sec mailing list archives

Re: Strange CVE situation (at least one ID should come of this)
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Wed, 31 Oct 2012 10:27:51 -0400 (EDT)

On Tue, 30 Oct 2012, Kurt Seifried wrote:

On 10/30/2012 11:34 AM, Steven M. Christey wrote:>

To have a CVE for "don't use this" is not consistent with
long-existing practice.  I don't recall ever intentionally
assigning a CVE for such a thing - after all, CVE is about
vulnerabilities, and "don't use this" is awfully vague.

True, but we've already gone down that road, e.g.:

CVE-2012-2400   Unspecified vulnerability in
wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown
impact and attack vectors.

That's not the same as a generic "don't use this." For this CVE-2012-2400, there is a specific advisory from a specific vendor telling customers to patch a vulnerability. It's "unspecified" all over the place due to lack of details, so risk analysis is problematic, but it's a statement of some kind of vulnerability in a specifc version by an authoritative source.

Oracle and HP publish advisories like this on a regular basis.

Deployment of risky software is effectively a configuration or
asset management issue, which is well outside the scope of CVE.
(Maybe it's more like a Common Configuration Enumeration (CCE)

If anything I think it would fit into CPE

CPE is neutral on security - it's just about identifying software packages and versions. One main use is in vulnerability management, but it's more general than that.

- Steve

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]