|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVE for service vulnerabilities
- To: "cve-editorial-board-list@mitre.org" <cve-editorial-board-list@mitre.org>
- Subject: CVE for service vulnerabilities
- From: Art Manion <amanion@cert.org>
- Date: Mon, 1 Oct 2018 17:51:47 +0200
- Authentication-results: spf=neutral (sender IP is 192.52.194.235) smtp.mailfrom=cert.org; imc.mitre.org; dkim=fail (signature did not verify) header.d=cert.org;imc.mitre.org; dmarc=fail action=none header.from=cert.org;
- Autocrypt: addr=amanion@cert.org; keydata= xsFNBFoV8GMBEACXd7zH23Gx/W77Gr3Hs+n+BTtEt7IP0jU26vM9i4ASGewrIFZaRIOgL964 xX7Qk1wvxLl8HvUomLNHsJIZYG4EKcNkEfREO7lTx/3nYhG3wjF0DcHYuLwUkwAS3N6p9PQ7 bvEsXZMbfG0L8ASgRy0h4dWg+XGV4xT64REsIlzSsclVaHKTvP7FAMCDG70L/2wc+w24RAzs TYhfxLp4w8TBaVj/pONm+EDGVtK5u4LPLpLS0xmlGxgKP9mYSYAF3j44msAsbsuFPfWTa8JU s9yASol4pMECH24Cp3snHlSNHMl1APfVz3Xsfw5x/mekgCAPcGCARhA9ltRHLYgVMr1JCYZW JdyUB0UEiY0xvlb5JYfCFJm4fL8E2xoW/ATmDIxkU0qguL55AD2VYEwbWEsiP725YMSKBDaC cGH9fa2iuSxnflui6wR4K+FOjXfB2nF561q+HjlRb6bahdkYzWccX4fx3dSlZ6w62qRFNKAE 5zUfe2ZHwis9Bx9iqIp7Ini/sZ3ESJgMr7qlSSkYl10Esdl5CyFyxQ5g/LgzOlywdHazju13 /ckVBPo5vz9ZPOmafiUDSz6R/kbC0+nCrJSjIBvDfBWG7Gl2gon4HqB4Ji6r3+gFEFFJl+O/ PwID6Wh0jAjTQWvD+5L/vFTZ3/875Q2OcoxL9Hh4ls5ptg+7uwARAQABzR1BcnQgTWFuaW9u IDxhbWFuaW9uQGNlcnQub3JnPsLBkQQTAQgAOwIbAwIeAQIXgAULCQgHAwUVCgkICwUWAgMB ABYhBBHNrv2hhwlGumhcAVNt4uTRu2rfBQJaFmXUAhkBAAoJEFNt4uTRu2rfY1IP/j8cjh38 B0mnEo0Lk27r/mYRQhj2Yk/ClsAuPWea56BGAswtW2Q6g6DswcinjvTxrycSqAfpj2ZQP9Rx Ib/FsfozF5bC7Ja5/W4amH1NcTr/cE+sgKX3XZcRlOIrw2d0jmS1SAtDWPWn4zTYKoR7cbDz BAAABLb8/xQn7YFgf8nKQ4ZM0yOTUOnF7wG42UU0Y0ww3b+x2/ZMys0ntpz4ZSOgVJlun2xP WgFzkHu/fEJkVTPkZQweRULIGeFJBzuJP46+FMy6PJFZ/ZudzLy/VBMVAxA/yOszLbRvsl6z 3prRMgI+fJF/11ohRVQ5DWzS4AmfnI9RP6aOlUgEi4MYMcbYKrYGwguhGOpdg5iaO6ir4mhd OMcKLeV0ZqSef0ZpXTLQiTzWuFg9ECof5OCK/Y2VQ2EXyWIi7q4OPTFFoZBl2keoF6j0k272 PCYfJZIzq/ER9mfoH1+7nmIxvZ+XXQ6EoCCPv6le8VKQyZOFVgjD5rPvCeGZgAs9CRbfqYNm bF3jqeMk4kZbJ/+GsKv66M4R0VI2DijOLNF1kGXeU6s45lUBZmcT0Fb2MQ78rNItpeUP+XYj fpB0g/woOIstbSoOqpVZf++HIjnmMHj9jJrbFcMVIPac89EDcjbab3zPTMb5LHdk6AxMsWRM QqxofqoqqzNI7RiKisaDQhINXRwAzsBNBFoV8roBCADZKC4LLl6XhVvHCZZIwa9t2e+swdln YRtxwG1TDRxM1PaV7VDzB9K1FMRDC9CQQmiwI+Vl2j0Kn3BUvkCp3zmP+S7CRgK2vfP1GBAs CURE6j6M7S47qOhQvAvJK0qlF14tCBSX16CceGFV0XzfOUnQGt6m8AnVTr7WODilYsJPWUrj xLe3cKQJs7zk3iMLH1lJ7jNXlAQUgrTurVD7sl6PbKgbmDw3tIgXwep7tMOUzpiN4vCPALA+ WYL+0VxE03TZj/FqNzNrjoKXw+X3za675QnLsXww2cgLBV0Zjg3HZVDT5/0LlQjYqPnaWh3s ZG8uRJ104Thx1JVFLN4+8aDrABEBAAHCwXwEGAEIACYWIQQRza79oYcJRrpoXAFTbeLk0btq 3wUCWhXyugIbDAUJBaOagAAKCRBTbeLk0btq3zHYD/4vvS0lul3UKWGeRsVb33Y3eJ1yv4O3 EpBtmkVgCyxdG3zj8YrI15DCzhn6LSN3FqjV+wovE3SsxIrRjn7eoBA6SH54KlFRrW7pAARc NQaHFU+nX6ST6X3pOoNYzhXPZjkxoUpxyC+ehNARx+3tlQ0LScEr0L5Ttvr8W7nopWaXeuCt VI+8tjDnsCtWLaI2bYi3TYWDJdgWzNFSGYioqIxvQHIpokFZAx6fTKtEYaAqqg2cefRDgNoU bMcHmNtVMAXThLdNAx23F/sv2gV9a612ktCwl6hjKu1vuK4KGnhQu1T/oRk5EUA8jy5yBB6/ S5jwYbZR01EriZXSTXwT/gJcThBIXH8i9/4lUwdhV8+iBP/Pomhs8D7dPU7q1fUYlvVxn8iN K7IFoWdptGv+bhdNsf/qWGxVxOHwTAipr73Fl3eC5RovVM2aAK2Bx6xQFXlh4uPcI/S0gIPG tytClYZxtbXKM3qVhUTZgg1Ge6MgtgJkKWttzRciW0N9t5pZ/IbH7ax0NUv2hjHovGBXhuQb cVAEgmx90iyx9iRizCpgr3JyDNtKX+bc26aGI+mFOdiawp2HihhSazqiEpuNrxlQVWgMgmXa RduAg8L9z2CshZ6Zkcmwea79r8yDsBbwfJEZ71T0WWyfm1UcRVflPFAYb9xE8Ulgh8BQzw// z7Y5Lw==
- Delivery-date: Mon Oct 1 12:00:55 2018
- Dkim-filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu w91FppqU010877
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1538409111; bh=KuYYBc4tRG5XjxHaeLmFEoHnLZq/YxGP9OcK3MvCkyI=; h=To:From:Subject:Date:From; b=Yp4RKN7k919AVyNiMvV9zhRm07kdmSmyOPY4dKf2KGqOagyM5huI7FGeRHjj9vuGD 8CZ5hVS2OFgxdqeb9XRefxA3buHP6pLvqdD6gdr+1L4RG8ypPrV/jzXIcUp6CLcUn/ 2csKuJ9zEkVXfer48IhOwGjL6/mPaXE3wvyU5Qqs=
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.org; h=to:from:subject:message-id:date:mime-version:content-type:content-transfer-encoding; s=selector1; bh=b6E+FseXoGoTs5uGY8B/TXgVhlmH4u3BO/ynnIC9/Aw=; b=y89FdBxnypzSEzKprjyYr80RyM8/VcGIZ7HLiMk6hyqP5V6Pf/Z2Hzv7dayqzul8Q56pyInlYWtB9/gGXDL0DyBy/OGoBl9nO/2BfThE+sKDR12Kk7wUrcCmC4qVQ9iw3QiAKrK9JukV/0G82ElEMFRkDImyWGQ/ommxxdAuIlM=
- Openpgp: preference=signencrypt
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
- User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
I'll claim this as an argument in favor of CVE IDs for service/single-instance sofware vulnerabilities: https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/ > "This was the result of three distinct bugs," said Guy Rosen, > Facebook’s vice president of product management. "The first bug was > that when using the 'view as' function, the video uploader shouldn't > have showed up at all." But for certain types of posts on users' > timelines, such as prompts to post happy birthday greetings, the > video uploader function was shown as active. The second bug was that > when activated, the video uploader was generating a single sign-on > token—a behavior that Rosen said was incorrect. And the third bug was > that in the creation of that token, it was using the identity of the > person the user was viewing the page as—not the user's. There's a need for lots of people to talk about this, and it will probably end up as "those FB SSO token bugs from 2018." Cataloging/naming/enumerating/identification is an end all by itself. - Art
- Prev by Date: Re: A note from GitHub about your repository
- Next by Date: Re: A note from GitHub about your repository
- Previous by thread: Re: A note from GitHub about your repository
- Next by thread: CVE Board Meeting Summary - 19 September 2018
- Index(es):