Re: Re: CVEs for Drupal contributed modules - January 2015

[Pere Orga <pere () orga cat>]

On Tue, Apr 21, 2015 at 7:52 PM,  <cve-assign () mitre org> wrote:
>

[...]

> > SA-CONTRIB-2015-033 - Certify - Access bypass
> > SA-CONTRIB-2015-033 - Certify - Information disclosure
> > https://www.drupal.org/node/2415947
>
>
> It is not clear whether there should be a single CVE or multiple CVEs.
>
> Both "Access bypass" and "Information Disclosure" are mentioned in
> <font color="FF0000"><i>SA-CONTRIB-2015-033, along with the phrase "Multiple
> vulnerabilities."
> However, SA-CONTRIB-2015-033 also says that "The module does not
> sufficiently check node access when showing (and creating) the PDF
> certificates. This can lead to users seeing certificates they should
> not have access to."  This suggests a single root cause - lack of node
> access checks - which could lead to information disclosure.  If so,
> then from the CVE perspective, this would be one vulnerability and one
> ID would be assigned.

Yes, that sounds right.

Thank you for all these assignments.


Regards
Pere