bynt commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992895039


   > > The confusion is made worse as this is a RedHat "CVE" which is not 
registered with cve.org.
   > 
   > It was just pushed to cve.org and should be visible soon. We decided to 
keep the Red Hat allocated CVE to save creating yet another and rejecting 
theirs. The text of the entry was written by ASF.
   
   Can you comment on why "write access to the Log4j configuration" is regarded 
as PR:N? The advisory by @Kirill89 and the Apache mailing list entry seem to 
suggest otherwise. Is this rooted in the CVSS specification?
   > if a specific configuration is required for an attack to succeed, the 
vulnerable component should be scored assuming it is in that configuration.
   https://www.first.org/cvss/specification-document#2-1-Exploitability-Metrics
   Seems weird.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
