Hi,

> On 12. Nov 2024, at 15:58, Solar Designer <so...@openwall.com> wrote:
>
> So a question for this list/thread may be - where/how may we dispute
> CISA-ADP analysis? Maybe someone would reply with specific contact info
> for them, and Joel would proceed with that.

I think the source for the CISA-ADP data is at [1]. For this specific CVE, the relevant file would be [2].

Their readme has a section at the bottom, where they encourage feedback:

> We want to hear from you, the IT cybersecurity professional community, about
> Vulnrichment and ADP! If you see something, please feel free to say something
> in the Issues, or even better, open a Pull Request with your suggested fix.

I’m aware of at least one prior case where a similar case of (IMHO) overblown CVSS scores was discussed in an issue on this particular GitHub project [3].

Somebody seems to already have opened a ticket for this CVE, too: [4]

[1]: https://github.com/cisagov/vulnrichment
[2]: https://github.com/cisagov/vulnrichment/blob/develop/2024/36xxx/CVE-2024-36905.json
[3]: https://github.com/cisagov/vulnrichment/issues/93
[4]: https://github.com/cisagov/vulnrichment/issues/130

HTH,
Clemens

--
Clemens Lang
RHEL Crypto Team
Red Hat