[talk] Vulnerability Classification and New Concepts
twunde at gmail.com
Mon Jun 17 11:52:53 EDT 2019
A CVE number just indicates that the vulnerability was registered as a
vulnerability to the Standard for Information Security Vulnerability Names
maintained by MITRE. It's basically an id that points to a description of
the vulnerability. These vulnerabilities aren't generic XSS, etc but are
specific to systems so for example XSS in Jenkins or an XSS in mandoc.
Descriptions or risks can be edited after the vulnerability is filed. The
main point is that there's a common id across security systems so that if
you get an advisory from red hat and an advisory from Canonical you can see
that they're talking about the same vulnerability even if their fixes are
As an example, the CVE page for meltdown is
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753. The National
Vulnerability Database tends to have a bit more information for each CVE:
On Sat, Jun 15, 2019 at 2:31 AM Sujit K M <kmsujit at gmail.com> wrote:
> Hi All,
> I am new to security hacking. But I find that Companies, like hardware,
> vulnerabilities their products have. I see them as CVE be it UNIX/Linux or
> Windows. Are vulnerabilities classification so robust that they are a
> set, say memory read or xss.
> I interestingly tried to hack on FreeBSD where we have wheel groups and
> say someone in a production system gets a user in wheel group. Now as per
> the person should be able to run basic applications, also if cloud is
> where it is deployed. one can trick any user to authenticate to
> malicious programs.
> What is the opinion on this?
> Sujit K M
> talk mailing list
> talk at lists.nycbug.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the talk