[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

clarification / statement on recent CVE abstraction policy changes and more



MITRE,

Could you please give the board an update about recent changes in CVE entries? Three things jumped out on the latest batch:

1. The lack of a proper product name (e.g. CVE-2017-6478, CVE-2017-6479,
   CVE-2017-6480)
2. The use of arbitrary date-based "versions" that are not in line with
   the vendor versions. We usually see this with low-end researchers
   trying to pass off site-specific issues as products and using a date 
as
   the version (e.g. CVE-2017-6479)
3. An apparent change in abstraction rule where five IDs were assigned
   for XSS issues that previously would have received one ID (e.g.
   CVE-2017-6487, CVE-2017-6488, CVE-2017-6489, CVE-2017-6490, and
   CVE-2017-6491). It appears the only reason you abstracted is that
   different bug tracker tickets were opened, despite the same version
   being impacted, same researcher, same date, etc.

The first issue is just odd, and seems like someone was in a hurry, but this is problematic to sites using CVE data to generate stats, as the product names potentially don't match prior entries. I also noticed that whoever made these recent entries didn't include the obvious fixing commits that were referenced in the bug tickets. Basically, just sloppy work.

The second one is very concerning, because yeah. I shouldn't have to elaborate on that one.

The third one just seems to break a long-standing abstraction policy. I have a feeling the "different tickets" will be the justification as mentioned above, but also fairly certain that multiple mail list posts (e.g. Bugtraq or Full-Disclosure) from the same person on the same date affecting the same version of the same product didn't warrant splits before.

Any clarity on policy changes regarding these issues would be 
appreciated.

.b


Page Last Updated or Reviewed: March 06, 2017