Oh fantastic. Someone assigned a CVE to an invalid bug report. Of course it's rated "critical".

Now I have to file for a rejection again, while thousands of "vulnerability report sites" copy each other's bad summary of the CVE text, making it worse with every copy.

The whole CVE system and the "security research industry" at large is a steaming pile of 💩

#rant

@dokuwiki recently had to assess the impact of two CVEs in Bouncy Castle on our software. All I could find description-wise was "denial of service".
Not kidding.
Score was 7.5

What are customers expecting me to say? "Yeah, we ship the affected version, no we're not sure what this means, if you can't take that risk, find a competitor that doesn't use the most widely used security library in the world" 🤷

@DJGummikuh @dokuwiki oh, those bouncy castle ones are interesting if you actually research them. It's basically "This might happen if very specific circumstances occur and you're using a specific JVM."

IIRC Mitigation was "We don't touch this part of the BC library and don't use that version of Java."

@DJGummikuh @dokuwiki Jackson is another that gets flagged as "severe" all the time.
@kelpana @dokuwiki yeah, it's always great having customers that proclaim they will not accept software with any vulnerabilities in it because their insurance demands it, and you're like "bro, wake up, u need help?" 🤬
@dokuwiki I'm not sure if that's better or worse than the CVE filed against curl for a bug that had already been patched.

@aatch

How about a "critical" SQLi vulnerability in something that was deprecated in 2014? Reported by the same user... 🤦‍♂️

https://github.com/Hebing123/cve/issues/16#issuecomment-1893148729
https://github.com/advisories/GHSA-jqqj-j2ch-3qv8

@dokuwiki

SQL Injection Vulnerability in Atmail 6.6.0 · Issue #16 · Hebing123/cve
@aatch @dokuwiki or the CVE filed against curl because an LLM misidentified how some of the code worked.
@dokuwiki CVEs are also funny sometimes as a researcher; finding out that you have a CVE credited to you via a twitter thread of someone listing new CVEs sure is an experience