[VIM] Vendor dispute / researcher retraction: Agavi (CVE-2008-4920)

Steven M. Christey coley at linus.mitre.org
Thu Nov 6 15:40:53 UTC 2008

(also MILW0RM:6970)

The report covered by CVE-2008-4920 is false.  This was for a claimed
directory traversal in Agavi involving the cmplang parameter.  This
parameter does not exist in Agavi.  Further investigation by the vendor
and original researcher show that it is due to a site-specific

See: http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports

We have been notified by the original vendor as well as the original
researcher.  The researcher has retracted the claim that it is in Agavi.
Since it's site-specific, it is outside CVE's scope, so we're rejecting

- Steve

Name: CVE-2008-4920
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4920
Reference: MISC:http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
Reference: MILW0RM:6970
Reference: URL:http://www.milw0rm.com/exploits/6970
Reference: MISC:http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
Reference: BID:32086
Reference: URL:http://www.securityfocus.com/bid/32086

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: None.  Reason: this
candidate was based on an incorrect claim regarding a directory issue
in Agavi.  The vendor has disputed the issue and the original
researcher has retracted the original claim, so this is not a
vulnerability.  Further investigation by the vendor and original
researcher show that the original issue was in a site-specific
modification, which is outside the scope of CVE.  Notes: CVE users
should not use this identifier.

More information about the VIM mailing list