oss-sec mailing list archives
Re: CVE requests for Review Board
From: cve-assign () mitre org
Date: Tue, 22 Jul 2014 17:40:24 -0400 (EDT)
https://www.reviewboard.org/news/2014/07/22/review-board-1-7-27-and-2-0-3-security-releases/
July 22, 2014 - 2:07 AM
Review Board 1.7.27 and 2.0.3 security releases
One of the security vulnerabilities allowed an attacker to construct a URL that would inject custom JavaScript into the page, which could then be passed to a user, allowing the custom code to run in their session.
Use CVE-2014-5027.
The other vulnerability allowed users without access to a private review request to construct a URL for accessing original or patched files from the repository, if they knew the right series of database IDs.
Use CVE-2014-5028.

(Incidentally, we're not sure whether the original request sent July 21 was within the oss-security list charter. MITRE does not control the list charter, but http://oss-security.openwall.org/wiki/mailing-lists/oss-security says "List Content Guidelines ... Public security issues only please" whereas the original request said "two security vulnerabilities ... Neither are publicly disclosed." If you want a CVE ID for an undisclosed vulnerability in the future -- for example, because you want to include the CVE ID number when the https://www.reviewboard.org/news/ entry first becomes public -- there are other options, such as sending the CVE request directly to cve-assign () mitre org instead.)

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]