[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Use of CAN/CVE numbers

Not sure if anyone is checking how CAN/CVE numbers are being used in public, but FYI;

1. MS02-038 Security Bulletin from Microsoft refers, incorrectly, to several CAN/CVE numbers. First, in the placemark link to the description of the vulnerabilities they use CAN-2001-0644 and CAN-2001-0645. In fact, they should be CAN-2002-0644 and CAN-2002-0645.

2. When the above mentioned links are followed, the description shows CVE-2001-0644 and CVE-2001-0645 in bold. Of course neither of these have actually been accepted as CVEs

3. When Dave Aitel published his NASL script for his new MS SQL Server BO on Bugtraq, he included the following;

># script_cve_id("CVE-2000-0402");

which references a saved admin password during MS SQL Server installation, nothing to do with his new BO.

I only point this out because both of these documents will be artifacts now, incorrectly referencing CVE information. I would suggest that there may be a requirement to put fields into the CVE which note the fact that incorrect references to a CAN/CVE number were in public, and possibly point to the correct entries. And of course, some effort to let people who incorrect use information they need to be a tad more careful.


Page Last Updated or Reviewed: May 22, 2007