Re: Neatgear just created http://kb.netgear.com/000036386/CVE-2016-582384

To: Kurt Seifried <kseifried@redhat.com>, cve-cna-list <cve-cna-list@lists.mitre.org>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Neatgear just created http://kb.netgear.com/000036386/CVE-2016-582384
From: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
Date: Tue, 13 Dec 2016 16:05:29 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;mitre.org; dkim=none (message not signed) header.d=none;
Delivery-date: Tue Dec 13 16:10:20 2016
In-reply-to: <CANO=Ty1RyjuGo07ChdLHVQO6GEUUHdpux1C3yB_iZ1WDUP0jFw@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CANO=Ty1RyjuGo07ChdLHVQO6GEUUHdpux1C3yB_iZ1WDUP0jFw@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput: 1:2
Thread-index: AQHSVVkuL4cBWMipvUOBWNlI4qsnVqEFtvkA
Thread-topic: Neatgear just created http://kb.netgear.com/000036386/CVE-2016-582384
User-agent: Microsoft-MacOutlook/f.1c.0.161113

Folks,

Looks like this is for Netgear VU# 582384.

If you put in "http://kb.netgear.com/000036386/", the page you linked is what loads. (In fact, it seems anything after the /000036386/ directory will load the page for VU# 582384 at the URL below.)

My guess is they are using some unfortunate templating and redirecting that allows them to update the URL without breaking anything. From where did you get that URL originally?

Thanks.

-Dan

From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of Kurt Seifried <kseifried@redhat.com>
Date: Tuesday, December 13, 2016 at 10:48
To: cve-cna-list <cve-cna-list@lists.mitre.org>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Neatgear just created http://kb.netgear.com/000036386/CVE-2016-582384

Now technically they didn't list the CVE in the actual document, but they made it the document URL name.

http://kb.netgear.com/000036386/CVE-2016-582384

I'm pretty sure this isn't kosher.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Follow-Ups:
- Re: Neatgear just created http://kb.netgear.com/000036386/CVE-2016-582384
  - From: jericho <jericho@attrition.org>

References:
- Neatgear just created http://kb.netgear.com/000036386/CVE-2016-582384
  - From: Kurt Seifried <kseifried@redhat.com>

Prev by Date: Neatgear just created http://kb.netgear.com/000036386/CVE-2016-582384
Next by Date: RE: Nomination of Takayuki Uchiyama to the CVE Board
Previous by thread: Neatgear just created http://kb.netgear.com/000036386/CVE-2016-582384
Next by thread: Re: Neatgear just created http://kb.netgear.com/000036386/CVE-2016-582384
Index(es):
- Date
- Thread