Agreed. However, based on the discussion we had on the Board call yesterday regarding CVEs for services, we should first reach out to our contact at Oracle and see what their thoughts are on this. It would appear that they also see value in assigning for services or at least in what they consider to be edge cases.

Chris

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Millar, Thomas

It reads to me like there is an app that resides on systems in the hotel offices, and that’s where the vulnerability is, so an action by the local admin is needed to address.

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Kurt Seifried

Vulnerability in the Hospitality WebSuite8 Cloud Service component of Oracle Hospitality Applications (subcomponent: General). Supported versions that are affected are 8.9.6 and 8.10.x. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Hospitality WebSuite8 Cloud Service. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Hospitality WebSuite8 Cloud Service, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Hospitality WebSuite8 Cloud Service accessible data as well as unauthorized read access to a subset of Hospitality WebSuite8 Cloud Service accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle Hospitality WebSuite8 is cloud-based hotel software designed for small hotels and guest and boarding houses. The solution enables efficient guest and room management while increasing online revenue through an integrated booking engine and channel manager solution. This product is available in the EMEA and JAPAC regions only.

So I guess we're doing cloud services now =) or should this be rejected, or?

--
Kurt Seifried