@Kirill At Snyk we are currently investigating the validity of these kinds of issues as a CVE. I would advise not to issue those at the moment. Speaking personally, it doesn’t seem like a vulnerability because a malicious actor has to have write access to the configuration to exploit it. This is the same case as CVE-2021-4104, and a CVE has been assigned to it. Moreover, if an attacker should have write access to the configuration file, that doesn't mean he should be able to execute code, at least if this is not documented. So IMO, if executing code by editing a configuration file is not something documented, it is worth getting a CVE; in that case we can set Privileges Required to High in the CVSS 3.1 score.