oss-sec mailing list archives
Re: Neo4J CSRF: Potential CVE candidate
From: cve-assign () mitre org
Date: Fri, 3 Jan 2014 12:30:50 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Last August, Dinis Cruz wrote a blog entry detailing a CSRF attack
http://blog.diniscruz.com/2013/08/neo4j-csrf-payload-to-start-processes.html
on a Neo4J Server resulting in an RCE. The server's documentation mentions the following. "By default, the Neo4j Server comes with some places where arbitrary code code execution can happen. These are the Section 19.15,
This could mean that the RCE itself is not CVE worthy as it is a documented/expected behavior. However, should the CSRF flaw be considered a vulnerability and assigned a CVE?
Use CVE-2013-7259 for the CSRF. There is no CVE assignment for the documented Section 19.15 behavior. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJSxvNhAAoJEKllVAevmvmscdkH/2ujYyUGrDQwoSXdENDgUCAS fpyQfXnbL6dATF41P8y4cz7e7lCUMb/RxFJ6WBsLd/smCS/K9Q4yF0l4VAwp+2bg Ztxcqzz4mQafgXGwAcKMtQ6ZXSk4I9r67PlBcFdO/mddhaLUDQT3MTxYBGJVfJSP NlIuCp49QGJGpypRssK0bFkmLymHY9bMrz7n2EzgzPbk4GilVRhBrjEo3R2oJtKW DZfRT8JO3op/3515wGXu0jeOtlKQg+YcKJbkpD3jwzmOANQsSFtfKgzNEUU9GCMt XO7FYhLg4RyPs9/Lgy1AuFO/crqAck2SLyNTl7rd0KEKLgeANm1j8km4itnvZ+0= =/rAS -----END PGP SIGNATURE-----
Current thread:
- Neo4J CSRF: Potential CVE candidate Arun Babu Neelicattu (Jan 02)
- Re: Neo4J CSRF: Potential CVE candidate cve-assign (Jan 03)