On Wed, Dec 25, 2024 at 07:13:21PM +0100, Solar Designer wrote:
> Hi,
> 
> Thank you for bringing this in here.
> 
> On Wed, Dec 25, 2024 at 11:52:06AM +0200, Yair Mizrahi wrote:
> > libxml2, CVE-2024-40896, was published recently and given a "Critical"
> > (9.1) severity by CISA. Interestingly - This vulnerability is a regression
> > of an issue that was identified over a decade ago - CVE-2012-0037, which
> > was given a "Medium" (6.5) severity.
> > 
> > Is the massive increase in CVSS over the exact same issue justified? We
> > believe that it's inflated.
> 
> I think both CVSS vectors are "buggy", and CVSS is quite poor at scoring
> library code vulnerabilities.
> 
> CVE-2012-0037  NIST NVD  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
> CVE-2024-40896 CISA-ADP  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
> 
> The differences are whether user interaction is required or not (can't
> know that for library code, so have to assume either best or worst case)
> and what impact there is (again can't know it for library code, but
> these two test vectors somehow assume different impacts). Given how
> poor CVSS base score is for scoring library code in general, I'm afraid
> this issue would more "reasonably" (per CVSS spec) be scored 10.0 as
> AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, because such exposed usage of the
> library is realistic, SSRF would be a change of scope (right?), and the
> worst impacts of all 3 kinds are quite possible.
If SSRF is a scope change, shouldn't that mean that RCE is also a scope
change? It's usable for SSRF after all.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab