[VIM] Knowledgebases Remote Command Execution

security curmudgeon jericho at attrition.org
Tue Mar 21 18:38:23 EST 2006


: The question is, how many new CVEs?  Another area I've been struggling 
: with lately is how to handle when the same issue - same attack vector 
: and everything - occurs in multiple products by the same vendor.  My 
: current feeling (and that's all it is) is that if the products are 
: clearly separable and don't obviously share any common library or the 
: like, then I'll SPLIT them.

That is our criterion, but due to lack of code access it is somewhat 
subjective. If OSVDB feels that the same codebase was used in multiple 
products, they usually get the same ID. If it was different code, or very 
likely different, they get split.

One time we deviate is in protocol implementation. The ISAKMP (or any 
other PROTOS-based) disclosures, for example, got a couple of entries (DoS and 
unspecified) for all products, because it seems everyone implemented it 
equally wrong.
