
Re: CVEs for malicious software in PYPI


Kent Landfield

On 9/20/17, 9:57 AM, "owner-cve-editorial-board-list@lists.mitre.org on 
behalf of Pascal Meunier" 
<owner-cve-editorial-board-list@lists.mitre.org on behalf of 
pmeunier@cerias.purdue.edu> wrote:

    1) Identifying vulnerabilities in malicious code would be in the 
    of the CVE but it has doubtful utility.  Identifying malicious code 
    out of scope
    2) Typo squatting, whether in domain names or package names, is not a
    software vulnerability; it's a namespace management issue and an 
    attack vector, out of scope of the CVE.  
    On Fri, 2017-09-15 at 18:53 -0600, Kurt Seifried wrote:
    > http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html
    > TL;DR: Someone may PYPI packages that were malicious, and 
    > names
    > of legit things (e.g. acquisition / acqusition). I'd like to 
    > CVEs to
    > them so they are identified, so two thoughts:
    > 1) people uploaded code (meant to be malicious or not) to PYPI 
    > has
    > flaws, so CVE right
    > 2) the typo squatting aspect, should this get a CVE? There is 
    > intent of shenanigans, but... how do we count it?

Page Last Updated or Reviewed: September 21, 2017