oss-sec mailing list archives
Re: CVE Request for Drupal contributed modules
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Wed, 27 Jun 2012 13:36:45 -0400 (EDT)
All,

I have several clarifications and corrections to this latest Drupal request and CVE response, on top of the dupes already listed. The most important notes are listed first.

(Greg and Kurt, the number of duplicates and unassigned CVEs in this batch is understandable due to various factors such as amount and assignments from multiple sources, but it's disconcerting. Maybe we should talk off-list and figure out how to minimize these problems in the future.)
CVE-2012-2709 SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting
This is a duplicate that might look like a typo at first. Around May 21, MITRE originally published CVE-2012-2907 (NOTE THE DIFFERENT NUMBER STARTING WITH "29" INSTEAD OF "27").

CVE-2012-2907 is in more active use, so keep CVE-2012-2907. We will REJECT CVE-2012-2709.

(Kurt, CVE-2012-2709 belongs to you. If you actually intended to list the already-published CVE-2012-2907 and made a typo to CVE-2012-2709, please make sure you've removed CVE-2012-2709 from your pool.)
CVE-2012-2713 SA-CONTRIB-2012-085 - BrowserID - Multiple Vulnerabilities - CSRF
CVE-2012-2714 SA-CONTRIB-2012-085 - BrowserID - Multiple Vulnerabilities - BrowserID login theft
The description in SA-CONTRIB-2012-085 is not clear, but it seems that CVE-2012-2714 might be the natural consequence of exploiting the CSRF. The title "multiple vulnerabilities" does not help. Any thoughts on this one?
CVE-2012-2727 SA-CONTRIB-2012-098 - Janrain Capture - Open Redirect
SA-CONTRIB-2012-098 mentioned a second separate issue for "An additional security weakness occurs when the module creates a new local user account."

CVE-2012-2727 - open redirect
(new) CVE-2012-3798 - disclosure of portions of passwords
CVE-2012-2723 SA-CONTRIB-2012-094
A close reading of SA-CONTRIB-2012-094 suggests that there should be two CVEs. Part of the advisory does seem to imply that the XSS is resultant from the CSRF; but it also says "This vulnerability is mitigated by the fact that an attacker must have a role with the maestro admin permissions," which implies that users with maestro admin permissions should not be allowed to conduct XSS attacks themselves. This could probably be argued either way.

CVE-2012-2723 - XSS
(new) CVE-2012-3799 - CSRF
CVE-2012-2721 SA-CONTRIB-2012-092 - Organic Groups - Cross Site Scripting (XSS) and Access Bypass
This is 2 types of issues, thus needs 2 CVEs.

CVE-2012-2721 - Access Bypass
(new) CVE-2012-3800 - XSS
CVE-2012-2706 SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site Scripting (XSS) and Access Bypass - Unsupported
Two vuln types, two CVEs needed.

CVE-2012-2706 - XSS
(new) CVE-2012-3802 - unspecified read of commissions

- Steve