[VIM] Knowledgebases Remote Command Execution

Steven M. Christey coley at linus.mitre.org
Tue Mar 21 17:34:54 EST 2006

On Wed, 1 Mar 2006, Stuart Moore wrote:

> In searching back further, it seems that Zero X reported this issue
> [CVE-2003-1131] to Bugtraq in December 2003:
> http://www.securityfocus.com/archive/1/348359
> But, Zero X's report mentions only KnowledgeBuilder and not any of the
> other products.
> Would this warrant a new CVE for the newly identified products?  Or a
> modification to the CVE-2003-1131 entry?

Sorry I didn't respond earlier, this one slipped by me.

This is an area where we probably haven't been consistent.  However, over
the past year or so, I've generally done a SPLIT for distinct disclosures
by different researchers.  We can't necessarily know for sure if some of
the newer products were even in existence back in 2003 (well, without some
deeper research.)

So, a new CVE will be created.

The question is, how many new CVEs?  Another area I've been struggling
with lately is how to handle when the same issue - same attack vector and
everything - occurs in multiple products by the same vendor.  My current
feeling (and that's all it is) is that if the products are clearly
separable and don't obviously share any common library or the like, then
I'll SPLIT them.

So, this particular case requires even more analysis in order to determine
the relationships between the different products.

- Steve

