Message-ID: <Z2yPhPjJ0MEBl6Uh@itl-email>
Date: Wed, 25 Dec 2024 18:04:22 -0500
From: Demi Marie Obenour <demi@...isiblethingslab.com>
To: oss-security@...ts.openwall.com, Yair Mizrahi <yairm@...og.com>
Subject: Re: CVE-2024-40896 Analysis: libxml2 XXE due to type confusion

On Wed, Dec 25, 2024 at 07:13:21PM +0100, Solar Designer wrote:
> Hi,
>
> Thank you for bringing this in here.
>
> On Wed, Dec 25, 2024 at 11:52:06AM +0200, Yair Mizrahi wrote:
> > libxml2, CVE-2024-40896, was published recently and given a "Critical"
> > (9.1) severity by CISA. Interestingly - This vulnerability is a regression
> > of an issue that was identified over a decade ago - CVE-2012-0037, which
> > was given a "Medium" (6.5) severity.
> >
> > Is the massive increase in CVSS over the exact same issue justified? We
> > believe that it's inflated.
>
> I think both CVSS vectors are "buggy", and CVSS is quite poor at scoring
> library code vulnerabilities.
>
> CVE-2012-0037 NIST NVD CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
> CVE-2024-40896 CISA-ADP CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
>
> The differences are whether user interaction is required or not (can't
> know that for library code, so have to assume either best or worst case)
> and what impact there is (again can't know it for library code, but
> these two test vectors somehow assume different impacts). Given how
> poor CVSS base score is for scoring library code in general, I'm afraid
> this issue would more "reasonably" (per CVSS spec) be scored 10.0 as
> AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, because such exposed usage of the
> library is realistic, SSRF would be a change of scope (right?), and the
> worst impacts of all 3 kinds are quite possible.
If SSRF is a scope change, shouldn't that mean that RCE is also a scope
change? It's usable for SSRF after all.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab