CVEs for malicious software in PYPI


TL;DR: Someone made PYPI packages that were malicious, with typo/close names of legit things (e.g. acquisition / acqusition). I'd like to assign CVEs to them so they are identified, so two thoughts:

1) people uploaded code (meant to be malicious or not) to PYPI that has flaws, so CVE, right?
2) the typo squatting aspect, should this get a CVE? There is obvious intent of shenanigans, but... how do we count it?

