[VIM] Vendor dispute / researcher retraction: Agavi (CVE-2008-4920)

str0ke str0ke at milw0rm.com
Thu Nov 6 16:00:02 UTC 2008

Received this from the researcher which confirms the false vuln.

Hi dude ! Can you remove the exploit AGAVI <=Agavi 1.0.0 beta 5
Directory Transversal Exploit, because after discussing with the
developper of AGAVI, we saw that the vulnerability I found was only dur
to a bad server configuration and not the value cmplang from AGAVI....

Steven M. Christey wrote:
> (also MILW0RM:6970)
> The report covered by CVE-2008-4920 is false.  This was for a claimed
> directory traversal in Agavi involving the cmplang parameter.  This
> parameter does not exist in Agavi.  Further investigation by the vendor
> and original researcher show that it is due to a site-specific
> modification.
> See: http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
> We have been notified by the original vendor as well as the original
> researcher.  The researcher has retracted the claim that it is in Agavi.
> Since it's site-specific, it is outside CVE's scope, so we're rejecting
> it.
> - Steve
> ======================================================
> Name: CVE-2008-4920
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4920
> Reference: MISC:http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
> Reference: MILW0RM:6970
> Reference: URL:http://www.milw0rm.com/exploits/6970
> Reference: MISC:http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
> Reference: BID:32086
> Reference: URL:http://www.securityfocus.com/bid/32086
> ** REJECT **
> DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: None.  Reason: this
> candidate was based on an incorrect claim regarding a directory issue
> in Agavi.  The vendor has disputed the issue and the original
> researcher has retracted the original claim, so this is not a
> vulnerability.  Further investigation by the vendor and original
> researcher show that the original issue was in a site-specific
> modification, which is outside the scope of CVE.  Notes: CVE users
> should not use this identifier.

More information about the VIM mailing list