Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 17-Jan-2024 03:57:07 JST
CVE has assignment "rules" to avoid problems like these, but I get the impression that they're not really enforced anywhere by anyone.
What do you call rules that aren't enforced? "Suggestions"?
Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 17-Jan-2024 03:57:08 JST
This isn't the first time CVE abuse for libraries has happened.
Take the recent libwebp vulnerability. Apple got the report and assigned CVE-2023-41064 to "ImageIO".
Google got the report and assigned CVE-2023-4863 to "Chrome".
Eventually MITRE fixed the latter CVE to be libwebp.
Will Dormann (wdormann@infosec.exchange)'s status on Wednesday, 17-Jan-2024 03:57:09 JST
CVE wonders:
Apache created CVE-2023-49070 to capture: "Our OFBiz product has Apache XML-RPC, which is vulnerable to CVE-2019-17570".
This seems... wrong?
If every vendor created a new CVE to capture "Hey, we use library <foo> that already has a CVE", how can this possibly scale?