
PROPOSAL: Cluster 29 - PRIVACY (9 candidates)



The following candidates deal with privacy, i.e. unintentional release
of personal information.  These don't necessarily conform with most
definitions of "vulnerability" because the private information
(usually) doesn't allow an attacker to break into a system or do
damage.  Should they be CVE vulnerabilities?

Technically, most of these don't satisfy the current CVE vulnerability
definition, because there aren't necessarily any *specified*
restrictions on the data.  But certainly there are some *implied*
restrictions, e.g. in the shopping cart programs.

The basic question is: when does the loss of privacy constitute a
security problem?  If these should be treated as vulnerabilities, are
they High Cardinality, and if so, are they Easily Enumerable?  Or
should we just merge them all into a single CVE entry that may be at a
level of abstraction that appears to be higher than most other CVE
entries?

Another issue is, should we treat these types of candidate
vulnerabilities the same as we do with other vulnerabilities that deal
with weak encryption?

- Steve




Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ".  If you
want to add comments or details, add them to lines after the VOTE: line.


=================================
Candidate: CAN-1999-0031
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.20.javascript

JavaScript allows remote attackers to monitor a user's web
activities.

VOTE:

=================================
Candidate: CAN-1999-0469
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: SF
Reference: XF:ie-window-spoof
Reference: BUGTRAQ:Apr9,1999

Internet Explorer 5.0 allows window spoofing, allowing a remote
attacker to spoof a legitimate web site and capture information from
the client.

VOTE:

=================================
Candidate: CAN-1999-0604
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999

An incorrect configuration of the WebStore 1.0 shopping cart
CGI program "web_store.cgi" could disclose private information.

VOTE:

=================================
Candidate: CAN-1999-0605
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999

An incorrect configuration of the Order Form 1.0 shopping cart
CGI program could disclose private information.

VOTE:

=================================
Candidate: CAN-1999-0606
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999

An incorrect configuration of the EZMall 2000 shopping cart
CGI program "mall2000.cgi" could disclose private information.

VOTE:

=================================
Candidate: CAN-1999-0607
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999

An incorrect configuration of the QuikStore shopping cart
CGI program "quikstore.cgi" could disclose private information.

VOTE:

=================================
Candidate: CAN-1999-0608
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999

An incorrect configuration of the PDG Shopping Cart CGI program
"shopper.cgi" could disclose private information.

VOTE:

=================================
Candidate: CAN-1999-0609
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr20,1999

An incorrect configuration of the SoftCart CGI program
"SoftCart.exe" could disclose private information.

VOTE:

=================================
Candidate: CAN-1999-0610
Published:
Final-Decision:
Interim-Decision:
Modified:
Announced: 19990728
Assigned: 19990607
Category: CF
Reference: BUGTRAQ:Apr23,1999

An incorrect configuration of the Webcart CGI program
could disclose private information.

VOTE:

Page Last Updated or Reviewed: May 22, 2007