oss-sec mailing list archives

Re: Re: CVEs for Drupal contributed modules - January 2015

From: cve-assign () mitre org
Date: Wed, 22 Apr 2015 17:25:08 -0400 (EDT)


On Tue, 21 Apr 2015, Pere Orga wrote:

On Tue, Apr 21, 2015 at 7:52 PM,  <cve-assign () mitre org> wrote:


[...]

SA-CONTRIB-2015-033 - Certify - Access bypass
SA-CONTRIB-2015-033 - Certify - Information disclosure
https://www.drupal.org/node/2415947



It is not clear whether there should be a single CVE or multiple CVEs.

Both "Access bypass" and "Information Disclosure" are mentioned in
<font color="FF0000"><i>SA-CONTRIB-2015-033, along with the phrase "Multiple
vulnerabilities."
However, SA-CONTRIB-2015-033 also says that "The module does not
sufficiently check node access when showing (and creating) the PDF
certificates. This can lead to users seeing certificates they should
not have access to."  This suggests a single root cause - lack of node
access checks - which could lead to information disclosure.  If so,
then from the CVE perspective, this would be one vulnerability and one
ID would be assigned.


Yes, that sounds right.


Use CVE-2015-3404.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

Current thread:

Re: Re: CVEs for Drupal contributed modules - January 2015 cve-assign (Apr 21)
- Re: Re: CVEs for Drupal contributed modules - January 2015 Pere Orga (Apr 21)
- Message not available
  - Re: Re: CVEs for Drupal contributed modules - January 2015 cve-assign (Apr 22)