oss-sec mailing list archives
Re: CVE-2023-31975: memory leak in yasm
From: Hanno Böck <hanno () hboeck de>
Date: Fri, 23 Jun 2023 12:14:12 +0200
On Tue, 20 Jun 2023 15:47:28 -0700 Alan Coopersmith <alan.coopersmith () oracle com> wrote:
> https://nvd.nist.gov/vuln/detail/CVE-2023-31975 is freaking out scanners since it claims this bug has a CVSS of 9.8.
The problem really is that these scanners are assuming something that is not true. They assume that data from vulnerability databases is reliable.

These debates come up on a regular basis, usually either "should this thing get a CVE?" or "is this a reasonable CVSS value / criticality rating?"

It's actually quite simple: There are dozens (maybe hundreds?) of CVEs issued every day. If you want them to be properly vetted, you'd need to have a massive team of security professionals doing that vetting. No such team exists, so the only plausible assumption is that CVE and CVSS data is by default unreliable.

If your scanner sounds an alarm because someone added a high CVSS rating to a CVE entry, you should assume that the people creating that scanner don't know what they are doing.

--
Hanno Böck
https://hboeck.de/
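One way a scanner can stop treating a database CVSS score as ground truth is to cross-check the vector against the weakness class before alerting. The following is an added example, not code from the thread or from any scanner; the records are constructed inline in the layout of NVD's JSON API 2.0 (nothing is fetched). The first record mirrors what the thread says about CVE-2023-31975, a memory leak scored 9.8 (the only 3.x vector that scores 9.8 is the all-High network vector), with a description written here rather than copied from NVD; the second uses the hypothetical placeholder ID CVE-0000-0000 to show the policy reaching a different decision. The CWE set, the "alert"/"review" actions and the optional KEV allow-list are assumptions of this example.

```python
"""Triage NVD-style CVE records without trusting the CVSS score on its own."""
import json
import re

# Constructed sample records in NVD API 2.0 shape (built inline, not fetched).
SAMPLE_NVD_RECORDS = json.dumps([
    {"cve": {
        "id": "CVE-2023-31975",
        "descriptions": [{"lang": "en",
                          "value": "Memory leak in yasm (constructed text, not NVD's)."}],
        "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
            "cvssData": {"version": "3.1",
                         "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                         "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
        "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                        "description": [{"lang": "en", "value": "CWE-401"}]}]}},
    {"cve": {
        "id": "CVE-0000-0000",  # hypothetical placeholder, not a real CVE
        "descriptions": [{"lang": "en",
                          "value": "Out-of-bounds write in a network parser (constructed)."}],
        "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
            "cvssData": {"version": "3.1",
                         "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                         "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
        "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                        "description": [{"lang": "en", "value": "CWE-787"}]}]}},
])

# Weakness classes whose realistic impact is availability, not confidentiality
# or integrity (assumption of this example; extend to taste).
RESOURCE_CWES = {"CWE-400", "CWE-401", "CWE-770", "CWE-772"}


def load_records():
    """Parse the constructed sample into the list-of-records shape NVD returns."""
    return json.loads(SAMPLE_NVD_RECORDS)


def parse_cvss_vector(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    prefix, _, rest = vector.partition("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"unsupported CVSS vector: {vector}")
    return dict(item.split(":", 1) for item in rest.split("/"))


def primary_metric(cve):
    """Return NVD's primary CVSS v3.1 block, or None if the record lacks one."""
    for metric in cve.get("metrics", {}).get("cvssMetricV31", []):
        if metric.get("type") == "Primary":
            return metric["cvssData"]
    return None


def weakness_ids(cve):
    """Collect every CWE identifier attached to the record."""
    return {d["value"] for w in cve.get("weaknesses", [])
            for d in w.get("description", []) if d["value"].startswith("CWE-")}


def triage(record, kev_ids=frozenset()):
    """Decide 'alert' or 'review'; the score alone never produces an alert.

    kev_ids: optional set of CVE IDs known to be exploited (e.g. CISA KEV);
    membership is the one piece of evidence this policy accepts unconditionally.
    """
    cve = record["cve"]
    cve_id = cve["id"]
    if cve_id in kev_ids:
        return {"id": cve_id, "action": "alert", "reasons": ["known exploited"]}

    data = primary_metric(cve)
    if data is None:
        return {"id": cve_id, "action": "review", "reasons": ["no primary CVSS v3.1 metric"]}

    metrics = parse_cvss_vector(data["vectorString"])
    cwes = weakness_ids(cve)
    description = " ".join(d["value"] for d in cve.get("descriptions", [])
                           if d.get("lang") == "en")
    leak_like = bool(cwes & RESOURCE_CWES) or re.search(r"memory leak", description, re.I) is not None
    claims_c_or_i = metrics.get("C") == "H" or metrics.get("I") == "H"

    reasons = []
    if leak_like and claims_c_or_i:
        # A leak exhausts memory; it does not by itself disclose or corrupt data,
        # so C:H/I:H in the vector is a sign the score was not vetted.
        reasons.append("resource-exhaustion weakness with C:H/I:H: vector inconsistent, score untrusted")
    if not cwes:
        reasons.append("no CWE recorded: nothing to check the vector against")
    if reasons:
        return {"id": cve_id, "action": "review", "reasons": reasons}

    if data["baseSeverity"] in ("CRITICAL", "HIGH"):
        reasons.append(f"CVSS {data['baseScore']} consistent with weakness class {sorted(cwes)}")
        return {"id": cve_id, "action": "alert", "reasons": reasons}
    return {"id": cve_id, "action": "review", "reasons": [f"CVSS {data['baseScore']} below alert bar"]}


if __name__ == "__main__":
    for rec in load_records():
        print(triage(rec))
```

Run as-is the memory-leak record lands in "review" because its vector claims confidentiality and integrity impact that a leak cannot deliver, while the constructed out-of-bounds-write record, with an identical vector, is allowed to alert. The consistency rule is one cheap heuristic; the point it encodes is the thread's: a number someone typed into a database is an input to triage, not a verdict.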