lingo.lol is one of the many independent Mastodon servers you can use to participate in the fediverse.
A place for linguists, philologists, and other lovers of languages.


#cvss


I wrote a Discord bot to monitor for CVEs being mentioned in chat, and then it will fetch the details and post it back to chat.

It also has a feature to monitor for new KEV notifications and send them to a dedicated channel

Collab with me. Use it. Abuse it. What ever ya want!

github.com/mauvehed/kevvy

GitHub - mauvehed/kevvy: A Discord bot for searching the Common Vulnerabilities and Exposures (CVE) list and providing KEV updates.
#CVSS #CVE #KEV
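To make concrete what a bot like the one above has to do, here is an added example (my own code, not kevvy's and not from the post): it pulls CVE IDs out of a chat line, looks them up in a catalog parsed from the shape of CISA's known_exploited_vulnerabilities.json feed, and diffs the catalog against the previous poll to find entries worth announcing. The catalog excerpt and the chat line are constructed for the example; the field names follow the real feed, but the entry values (dates, descriptions) are illustrative.

```python
import json
import re

# A CVE ID is "CVE-" + four-digit year + a sequence of at least four digits (CVE-2014-0160, CVE-2021-44228).
# The trailing \b stops "CVE-2021-44228abc" style noise from matching a shorter prefix.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json feed.
# Field names follow the feed; the values are illustrative, not a copy of the catalog.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.12.31",
    "dateReleased": "2024-12-31T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "shortDescription": "JNDI lookup injection leading to RCE.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2021-12-24",
         "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2014-0160", "vendorProject": "OpenSSL", "product": "OpenSSL",
         "vulnerabilityName": "OpenSSL Information Disclosure Vulnerability",
         "dateAdded": "2022-05-04", "shortDescription": "Heartbeat extension over-read (Heartbleed).",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-05-25",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed chat line: mixed case, a repeated ID, and a token that is not a CVE ID.
CHAT_SAMPLE = ("Anyone patched cve-2021-44228 yet? Our scanner also flags CVE-2023-0001 "
               "and CVE-2021-44228 again; ignore ticket CVE-12345.")


def extract_cves(text: str) -> list:
    """Return CVE IDs mentioned in text, upper-cased, deduplicated, in order of first appearance."""
    seen, out = set(), []
    for m in CVE_RE.finditer(text):
        cve = f"CVE-{m.group(1)}-{m.group(2)}"
        if cve not in seen:
            seen.add(cve)
            out.append(cve)
    return out


def load_kev(catalog_json: str) -> dict:
    """Index a KEV catalog by cveID; dict order preserves catalog order."""
    catalog = json.loads(catalog_json)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def new_kev_entries(already_seen: set, kev: dict) -> list:
    """Entries not present on the previous poll: the basis for a 'new KEV' channel notification."""
    return [v for cve, v in kev.items() if cve not in already_seen]


def triage_message(text: str, kev: dict) -> list:
    """For each CVE mentioned, report whether it is in the catalog and what CISA's due date is."""
    rows = []
    for cve in extract_cves(text):
        entry = kev.get(cve)
        rows.append({
            "cve": cve,
            "in_kev": entry is not None,
            "due_date": entry["dueDate"] if entry else None,
            "ransomware": entry["knownRansomwareCampaignUse"] if entry else None,
        })
    return rows


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for row in triage_message(CHAT_SAMPLE, kev):
        print(row)
    print("new since last poll:", [e["cveID"] for e in new_kev_entries({"CVE-2014-0160"}, kev)])
```

In a real bot the catalog would be re-fetched on a timer and `new_kev_entries` run against the set of IDs persisted from the last run; a lookup miss means only "not in this catalog", never "not exploited".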

Apparently this has been rated as a v3 Base Score of 9.1 "critical". This is wrong, and will lead to automation triggering unnecessary warnings and blocking use of perfectly fine systems until an update is installed (which can take months). nvd.nist.gov/vuln/detail/CVE-2

Edit: In case you wonder my credentials for judging this: I found this vulnerability.

Edit2: This appears to be originating from CISA: cve.org/Media/News/item/blog/2

Edit3: The score has now been fixed. Commit: github.com/cisagov/vulnrichmen

NVD - CVE-2024-11053

New blog post

The National Vulnerability Database (the NVD) appears to be in some sort of hiatus, no longer assigning CVSS information to CVEs. They’ve posted a note:

NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.

If you want to understand what’s happening, hackread says @joshbressers first drew attention to it, and Josh has a podcast on the episode. Me, I wonder if this has to do with the 12% budget reductions at NIST. Beyond the why, many people are quite concerned, because they’ve been using CVSS scores to reduce the amount of patching work they do, generally under a label like “risk management.” (I prefer to think of it as workload management when you’re letting someone else make “risk” decisions for you. And that’s fine. We do this outsourcing in all parts of life, work and personal.)

Full post:
shostack.org/blog/the-nvd-cris


Shostack + Friends Blog > The NVD Crisis: The NVD is in crisis, and so is patch management. It’s time to modernize.

Can one get a daily-updated list of all CVEs with their CVSS values somewhere on the Internet?

That offers a list of all CVEs, but it contains no CVSS scores.
I need both.

Then there are systems that aggregate this data, but they have no APIs for getting at the data (or I'm too dumb to find them).

Anyone have an idea?

Edit: I'll probably self-host OpenCVE and then tap into its API.
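One answer to the question above, as an added example rather than anything from the thread: the NVD's own REST API (services.nvd.nist.gov/rest/json/cves/2.0) returns CVE records together with whatever CVSS data exists for them. The code below builds a `lastModStartDate`/`lastModEndDate` query suitable for a daily pull, parses a response of that shape into rows carrying the best available score (v3.1, then v3.0, then v2, preferring NVD's "Primary" entry), and emits CSV. The response is constructed offline in the API's shape; CVE-2021-44228 carries NVD's published scores, the two CVE-2023-000x IDs are placeholders with made-up records. A caveat that ties in with the NVD hiatus post above: a record may carry only a CNA-supplied "Secondary" score or no metrics at all, and the code reports that rather than inventing a number.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
# Preference order when a record carries several metric blocks.
METRIC_KEYS = ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
FIELDS = ["id", "status", "version", "score", "severity", "vector", "source", "type"]

# Constructed response in the NVD API 2.0 shape (three records). CVE-2021-44228 carries NVD's
# published v3.1 and v2 scores; the CVE-2023-000x IDs are placeholders with made-up records.
SAMPLE_RESPONSE = json.dumps({
    "resultsPerPage": 3, "startIndex": 0, "totalResults": 3,
    "format": "NVD_CVE", "version": "2.0", "timestamp": "2024-03-01T12:00:00.000",
    "vulnerabilities": [
        {"cve": {"id": "CVE-2021-44228", "vulnStatus": "Analyzed",
                 "metrics": {
                     "cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                        "cvssData": {"version": "3.1", "baseScore": 10.0, "baseSeverity": "CRITICAL",
                                                     "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}],
                     # v2 keeps baseSeverity beside cvssData rather than inside it
                     "cvssMetricV2": [{"source": "nvd@nist.gov", "type": "Primary", "baseSeverity": "HIGH",
                                       "cvssData": {"version": "2.0", "baseScore": 9.3,
                                                    "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}}},
        {"cve": {"id": "CVE-2023-0001", "vulnStatus": "Awaiting Analysis",
                 "metrics": {   # only the CNA's own score: NVD has not enriched this record
                     "cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
                                        "cvssData": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM",
                                                     "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}]}}},
        {"cve": {"id": "CVE-2023-0002", "vulnStatus": "Awaiting Analysis"}},   # no metrics block at all
    ],
})


def pick_cvss(cve: dict):
    """Best available CVSS entry for one record, or None. Within a version, prefer NVD's Primary entry."""
    metrics = cve.get("metrics") or {}
    for key in METRIC_KEYS:
        entries = metrics.get(key) or []
        if not entries:
            continue
        entry = next((e for e in entries if e.get("type") == "Primary"), entries[0])
        data = entry["cvssData"]
        return {"version": data["version"], "score": data["baseScore"],
                "severity": data.get("baseSeverity") or entry.get("baseSeverity"),
                "vector": data["vectorString"], "source": entry.get("source"), "type": entry.get("type")}
    return None


def to_rows(response_json: str) -> list:
    """Flatten an API response into one row per CVE; unscored records get None, not a guessed score."""
    rows = []
    for item in json.loads(response_json)["vulnerabilities"]:
        cve = item["cve"]
        scored = pick_cvss(cve) or {k: None for k in FIELDS[2:]}
        rows.append({"id": cve["id"], "status": cve.get("vulnStatus"), **scored})
    return rows


def to_csv(rows: list) -> str:
    """The 'daily list' the question asks for, as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def nvd_url(start: datetime, end: datetime, start_index: int = 0, results_per_page: int = 2000) -> str:
    """Query by last-modified window. The API requires timezone-aware ISO-8601 stamps and
    allows at most 120 days per window; 2000 is the maximum page size."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset")
    if end <= start or end - start > timedelta(days=120):
        raise ValueError("window must be positive and at most 120 days")
    params = {"lastModStartDate": start.isoformat(timespec="milliseconds"),
              "lastModEndDate": end.isoformat(timespec="milliseconds"),
              "startIndex": start_index, "resultsPerPage": results_per_page}
    return f"{NVD_API}?{urlencode(params)}"


if __name__ == "__main__":
    print(nvd_url(utc(2024, 3, 1), utc(2024, 3, 2)))
    print(to_csv(to_rows(SAMPLE_RESPONSE)), end="")
```

For a daily job, page through `startIndex` until `startIndex + resultsPerPage >= totalResults`, and expect rate limiting without an API key; the `status` column is what tells you whether an empty score is "not yet analysed" or genuinely absent.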

Latest issue of my curated and list of resources for week #44/2023 is out! It includes the following and much more:

hit by another , this one stealing employee data from 3rd-party vendor
breach linked to theft of $4.4 million in crypto
's Biggest Data Leak So Far? Covid-19 Test Info of 81.5Cr Citizens With ICMR Up for Sale
ransomware group claims to have hacked
Dutch hacker jailed for extortion, selling stolen data on RaidForums
Russian Reshipping Service ‘SWAT USA Drop’ Exposed
Iranian Cyber Spies Use ‘’ Malware in Latest Attacks
Security researchers observed ‘deliberate’ takedown of notorious
Apple warns Indian opposition leaders of state-sponsored attacks
Four dozen countries declare they won’t pay ransoms
How , an Automated Social Media Accounts Creation Service, Can Facilitate
EU digital ID reforms should be ‘actively resisted’, say experts
arrests Russian hackers working for Ukrainian cyber forces
FTC orders non-bank financial firms to report breaches in 30 days
Bans and Apps On Government Devices
Charges and Its With Fraud and Cybersecurity Failures
Wants to Move Fast on AI Safeguards and Will Sign an Executive Order to Address His Concerns
confirms it tagged Google app as on Android phones
North Korean Hackers Targeting Crypto Experts with Malware
EleKtra-Leak Attacks Exploit IAM Credentials Exposed on
Trojanized Software Version Delivered via Search Ads
adds security audit badges for Android apps
Microsoft pledges to bolster security as part of ‘Secure Future’ initiative
FIRST Releases 4.0 Vuln Scoring Standard
Releases ATT&CK v14 With Improvements to Detections, ICS, Mobile
Galaxy gets new Auto Blocker anti-malware feature
Improves Security With Contact Key Verification
Researchers Find 34 Drivers Vulnerable to Full Device Takeover
3,000 servers vulnerable to RCE attacks exposed online
CISO Urges Quick Action to Protect Instances From Critical
“This vulnerability is now under mass exploitation.” bug bites hard
HackerOne paid ethical hackers over $300 million in

This week's recommended reading is: "Permanent Record" by Edward Snowden

Subscribe to the newsletter to have it piping hot in your inbox every week-end

infosec-mashup.santolaria.net/

InfoSec MASHUP - Week 44/2023, by Xavier «X» Santolaria

Enterprise is one big Milgram experiment:

- AppSec is the man with the heart condition
- Product management is the authority figure
- App devs are the subjects
- shocks are increasing levels of insecure code / higher scores in unpatched dependencies

AppSec: "Ah! No! I can't take it anymore! I have a heart condition!"

Dev: *looks at product*

Product: "No no, he's fine. I'll accept responsibility. Risk: accepted."

Dev: *adds a poorly implemented graphql endpoint that essentially evals customer-provided code on the database infrastructure*

AppSec: "..."

Dev: "... I think he's dead."

Product: "No no, he's fine. Just keep going. See this CVSS score of 9.9? Neither do I. Let's ship it."

AppSec: *gurgles*

Did you know that following the advice of several security standards to remediate all vulnerabilities with a CVSS score of 7 or above would barely address half of those known to be exploited and almost 70% of that effort would be wasted on things that don't represent real risk right now?

Seem impossible to believe? Check our math in Prioritization to Prediction, Volume 1: lnkd.in/eyKzzX25

***
Coverage measures the completeness of remediation. Of all vulnerabilities that should be remediated, what percentage was correctly identified for remediation?

Efficiency measures the precision of remediation. Of all vulnerabilities identified for remediation, what percentage should have been remediated?

I don't know if this is a controversial opinion, but I will state it anyway:

I believe that the CVE system has some serious deficiencies. In particular, using the same system for both user-facing products and third-party libraries is problematic to the point of actually reducing overall security in the industry.

Let me give an example: Let's say you run a self-hosted piece of server-software written in Java. Let's call the product "Foo". You use something like Sonatype to monitor vulnerabilities in the software you use.

You happily run Foo for a few months and CVE-2023-0001 is reported on product Foo with a CVSS score of 9.9. In this case the system works great because you can now patch Foo as soon as possible, and in the meantime you can look at the remediation procedure documented in the CVE report to determine how much of a hurry you are in.

But that's unfortunately not what happens. What you are actually going to see is hundreds of vulnerabilities of varying severity reported not just on Foo as a product, but on every single third-party library that the product Foo happens to use.

Let's say that Foo generates SVG from a template and then uses a library to convert said SVG into images before sending them to the client (never mind that it seems like a stupid solution, just go with it). And then a CVSS 10.0 appears because there is an RCE when passing specially crafted SVG data to the library.

Now you have Sonatype reporting that you have a severity 10 issue with the static workaround "upgrade this library". This information would be useful for the developer of Foo, but not for the user.

In fact, the developer may already have investigated this and downgraded the score since the library is never used to process untrusted input.

What this means is that as a user of some piece of software you will feel a lot of internal pressure to pursue CVE reports that are in fact not relevant, but since they show up in your scan you have an obligation to pursue them and check with the vendor about the root cause of these results. This takes time and energy away from your real job: keeping your infrastructure secure.

I lay the blame for this happening squarely on the bad organisation of the CVE database, and I really wish there was a better way. Unfortunately right now it's all we have.
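The gap the post describes (a scanner reporting a library's CVSS 10 against a product whose developer already knows the code path is unreachable) is what VEX statements exist to close. As an added example, not from the post and not Sonatype's or any vendor's code, here is a filter that applies a developer-published OpenVEX document to scanner findings. The findings, the document, the purl identifiers and the CVE numbers (placeholders in the post's CVE-2023-0001 style) are constructed; the field names and the justification values follow the OpenVEX specification. The policy of suppressing only a `not_affected` statement that carries one of the spec's justification values, and of matching the product identifier exactly, is this example's own choice.

```python
import json

# Justifications OpenVEX defines for status "not_affected". Anything else is not accepted here.
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed scanner report for product Foo. The CVE IDs are placeholders in the style the post uses
# (CVE-2023-0001); they are not findings against any real library.
FINDINGS = [
    {"package": "svg-renderer", "version": "1.2.3", "cve": "CVE-2023-0001", "score": 10.0},
    {"package": "foo", "version": "4.2.0", "cve": "CVE-2023-0002", "score": 9.9},
    {"package": "template-engine", "version": "2.0.0", "cve": "CVE-2023-0003", "score": 7.5},
    {"package": "json-lib", "version": "3.1.0", "cve": "CVE-2023-0004", "score": 5.3},
]

# Constructed OpenVEX (v0.2.0) document as Foo's developer might publish it. Field names follow the
# spec; the author, @id and purl identifiers are assumptions for this example.
VEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://foo.example/vex/2024-01-15",
    "author": "Foo maintainers (example)",
    "timestamp": "2024-01-15T10:00:00Z",
    "version": 1,
    "statements": [
        {   # the SVG library RCE: unreachable, because only template-generated SVG is rendered
            "vulnerability": {"name": "CVE-2023-0001"},
            "products": [{"@id": "pkg:maven/example/foo@4.2.0",
                          "subcomponents": [{"@id": "pkg:maven/example/svg-renderer@1.2.3"}]}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
            "impact_statement": "The renderer only sees SVG produced from Foo's own templates.",
        },
        {   # a genuine product issue: stays actionable
            "vulnerability": {"name": "CVE-2023-0002"},
            "products": [{"@id": "pkg:maven/example/foo@4.2.0"}],
            "status": "affected",
            "action_statement": "Upgrade to Foo 4.2.1.",
        },
        {   # a not_affected claim with a free-text excuse instead of a spec justification
            "vulnerability": {"name": "CVE-2023-0003"},
            "products": [{"@id": "pkg:maven/example/foo@4.2.0"}],
            "status": "not_affected",
            "justification": "we believe this is fine",
        },
    ],
})


def statements_for(vex_doc: str, product_id: str) -> dict:
    """Map CVE name -> statement, keeping only statements that name exactly this product."""
    doc = json.loads(vex_doc)
    out = {}
    for st in doc.get("statements", []):
        ids = {p.get("@id") for p in st.get("products", [])}
        if product_id in ids:
            out[st["vulnerability"]["name"]] = st
    return out


def apply_vex(findings: list, vex_doc: str, product_id: str) -> list:
    """Annotate each finding with a disposition derived from the vendor's VEX statements.

    suppressed : not_affected with a recognised justification
    actionable : affected/fixed/under_investigation, or not_affected without a valid justification
    unreviewed : no statement for this CVE on this product
    """
    stmts = statements_for(vex_doc, product_id)
    results = []
    for f in findings:
        st = stmts.get(f["cve"])
        if st is None:
            disp, reason = "unreviewed", "no VEX statement"
        elif st.get("status") == "not_affected":
            just = st.get("justification")
            if just in VALID_JUSTIFICATIONS:
                disp, reason = "suppressed", just
            else:
                disp, reason = "actionable", "not_affected without recognised justification"
        else:
            disp, reason = "actionable", st.get("status")
        results.append({**f, "disposition": disp, "reason": reason})
    return results


def actionable(findings: list, vex_doc: str, product_id: str) -> list:
    """Everything still needing a human, highest CVSS score first."""
    rows = [r for r in apply_vex(findings, vex_doc, product_id) if r["disposition"] != "suppressed"]
    return sorted(rows, key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in apply_vex(FINDINGS, VEX_DOC, "pkg:maven/example/foo@4.2.0"):
        print(f'{r["cve"]:15} {r["score"]:5} {r["disposition"]:11} {r["reason"]}')
```

The exact product match is deliberate: a statement written for foo@4.2.0 says nothing about 4.1.0, so a deployment of the older release gets the library CVE back as unreviewed rather than silently inheriting the suppression.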