oss-sec mailing list archives
Re: Re: CVEs for Drupal contributed modules - January 2015
From: Pere Orga <pere () orga cat>
Date: Tue, 21 Apr 2015 23:32:23 +0200
On Tue, Apr 21, 2015 at 7:52 PM, <cve-assign () mitre org> wrote:
[...]
SA-CONTRIB-2015-033 - Certify - Access bypass
SA-CONTRIB-2015-033 - Certify - Information disclosure
https://www.drupal.org/node/2415947

It is not clear whether there should be a single CVE or multiple CVEs. Both "Access bypass" and "Information Disclosure" are mentioned in SA-CONTRIB-2015-033, along with the phrase "Multiple vulnerabilities." However, SA-CONTRIB-2015-033 also says that "The module does not sufficiently check node access when showing (and creating) the PDF certificates. This can lead to users seeing certificates they should not have access to." This suggests a single root cause - lack of node access checks - which could lead to information disclosure. If so, then from the CVE perspective, this would be one vulnerability and one ID would be assigned.
Yes, that sounds right. Thank you for all these assignments.

Regards
Pere