Search
Items tagged with: CVE
The number of CNAs over time (#CVE Numbering Authorities). At 385 right now. Over 20,000 CVEs published in the first half of 2024.
From the "CVE Program and CNA Quarterly Report"
✅ Achievement unlocked - Got a minor credit in a CVE.
mcphail wrote:
"I recently found a bug in Snap, a package manager for Ubuntu and other Linux distributions, which allows the snap to escape the sandbox and run arbitrary code (as the user) if the home permission is set. This exploit could be run on a vanilla install of Ubuntu and was patched in commit aa191f9 on 13th March 2024."
gld.mcphail.uk/posts/explainin…
cve.mitre.org/cgi-bin/cvename.…
CVE - CVE-2024-1724
The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.cve.mitre.org
Interesting 🤔 how #CVE are leveraged as resume items, putting #programmers #developers & project leads under pressure by #bogus CVE reports or unnecessary high CVE ratings.
Popular and obscure programs are affected in the #OpenSource #POSIX world e.g #Linux #freeBSD #netBSD #openBSD
#Curl ➰ by #Daniel #Stenberg and #IP by #Fedor #Indutny are popular programs hit by this #phenomena which can lead to unwarranted #panic in the users space
Two years ago I chased a ghost #curl #CVE that Apple invented: daniel.haxx.se/blog/2022/03/23…
Fun times.
OK #vulnerability nerds
With the current state of #NVD, there is a need to fill the gap right now. It's expected that anything new happening is going to take months or years, which is longer than the world can wait
Anchore has an open source project we're currently calling "NVD Data Overrides" (naming things is hard)
github.com/anchore/nvd-data-ov…
We're working on adding the same type of thing NVD used to do to the #CVE data. The data is licensed CC0, anyone can use it for anything.
The data repo currently has over 500 enriched IDs (there's a lot more to do, but this is how it starts).
If you're interested in this sort of thing please come help. The vulnerability world is now so big we need to cooperate the same way open source works, nobody can do this alone anymore
GitHub - anchore/nvd-data-overrides
Contribute to anchore/nvd-data-overrides development by creating an account on GitHub.GitHub
curl is now a CVE Numbering Authority (CNA) assigning CVE IDs for all for all products made and managed by the curl project. This includes curl, libcurl, and trurl.
cve.org/Media/News/item/news/2…
#CVE #CNA #VulnerabilityManagement #Vulnerability #Cybersecurity
100% agreed that the CVSS scoring system and "assume the worst" guidance makes for scores that do not accurately reflect importance. Especially for very broad-use things.
My take on this is that. like it or not, more open source projects of note need to become "CNA" (certificate numbering authorities) of their own which I understand can given them some control over the content of CVEs filed against their project. cve.org/ProgramOrganization/CN…