[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE for hosted services

To: Kurt Seifried <kurt@seifried.org>
Subject: Re: CVE for hosted services
From: Pascal Meunier <pmeunier@cerias.purdue.edu>
Date: Tue, 28 Feb 2017 11:36:11 -0500
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cerias.purdue.edu;
Cc: Art Manion <amanion@cert.org>, jericho <jericho@attrition.org>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-date: Tue Feb 28 12:42:38 2017
In-reply-to: <CABqVa3-+6WYhp1T0hq=-1S0=DijN_5uk09mByT5WDr6gATUwEg@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <A4305A50-AD19-4025-842E-D89337B8269C@cisco.com> <379DDB8A-F1D2-4E4B-9307-CFBFDB0521F5@intel.com> <8942442A-17E2-4EEB-9943-648F27125AA6@cisco.com> <079d4575-d5ef-be7c-bdfb-f817e625b02e@cert.org> <CANO=Ty052fUY+BUC2zziFeiJ=cBPQWUbQozm-9ymKDkBuxo2Xg@mail.gmail.com> <ad8435b9-ba08-a5ee-25ef-cf314c75e0e5@cert.org> <1487797534.7382.18.camel@cerias.purdue.edu> <alpine.LNX.2.00.1702221518090.19881@forced.attrition.org> <d78f00cb-280e-a674-9264-edf9ed3b4507@cert.org> <CY4PR09MB1255385CC89FEF05C100E83BE6530@CY4PR09MB1255.namprd09.prod.outlook.com> <alpine.LNX.2.00.1702231801000.19881@forced.attrition.org> <4689d956-c638-b3cc-94cb-1e877c5dc64d@cert.org> <MWHPR09MB14858DAA97929742041D5606A1520@MWHPR09MB1485.namprd09.prod.outlook.com> <alpine.LNX.2.00.1702241614480.19881@forced.attrition.org> <6a9a57eb-bad0-bea7-a71b-88b059a82969@cert.org> <alpine.LNX.2.00.1702262338220.19881@forced.attrition.org> <cb66ab45-e727-98c2-23ff-d9992f096205@cert.org> <CABqVa3-+6WYhp1T0hq=-1S0=DijN_5uk09mByT5WDr6gATUwEg@mail.gmail.com>
Reply-to: <pmeunier@cerias.purdue.edu>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput: 1:2

This is a one-off piece of **** consumer product, not software that is
installed, offered as a service or used anywhere else.  Give it an
incident or advisory ID, or describe it as an anti-pattern because
developers of similar products make similar mistakes.  However, I fail
to see the relevance to the CVE.  If all these products from different
manufacturers were vulnerable due to a software-as-a-service offering,
common to many, I would be interested.

Please don't make the CVE into an incident or advisory database just
because an ID would be handy.

Pascal

On Tue, 2017-02-28 at 09:02 -0700, Kurt Seifried wrote:
> Another shining example of failure that could use an identifier:
> 
> https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/
> https://news.ycombinator.com/item?id=13748028
> 
> This is a great example on so many levels. Simple operational/security
> failure from the sounds of it (default MongoDB setup, so no auth), 
> that
> would tend to indicate that they also have other problems (if they 
> can't do
> simple things right...).
>

References:
- CVE for hosted services
  - From: "Andy Balinsky (balinsky)" <balinsky@cisco.com>
- Re: CVE for hosted services
  - From: "Landfield, Kent B" <kent.b.landfield@intel.com>
- Re: CVE for hosted services
  - From: "Andy Balinsky (balinsky)" <balinsky@cisco.com>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- Re: CVE for hosted services
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- Re: CVE for hosted services
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Re: CVE for hosted services
  - From: jericho <jericho@attrition.org>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- RE: CVE for hosted services
  - From: "Booth, Harold (Fed)" <harold.booth@nist.gov>
- RE: CVE for hosted services
  - From: jericho <jericho@attrition.org>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- RE: CVE for hosted services
  - From: "Coffin, Chris" <ccoffin@mitre.org>
- RE: CVE for hosted services
  - From: jericho <jericho@attrition.org>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- Re: CVE for hosted services
  - From: jericho <jericho@attrition.org>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- Re: CVE for hosted services
  - From: Kurt Seifried <kurt@seifried.org>

Prev by Date: Re: CVE for hosted services
Previous by thread: Re: CVE for hosted services
Next by thread: RE: CVE for hosted services
Index(es):
- Date
- Thread