Questions tagged [cve]
Common Vulnerabilities and Exposures (CVE) is a dictionary to describe known vulnerabilities.
247 questions
4 votes, 0 answers, 141 views
What if MITRE's CVE goes dark? [closed]
With the recent news that MITRE's contract to maintain the Common Vulnerabilities and Exposures (CVE) program is set to expire on April 16, 2025, there's concern about the future. Also see this ...
1 vote, 1 answer, 140 views
What's the deal with CISA adding CVE-2024-49035 (Microsoft Partner Center vulnerability) to its catalog of exploited vulnerabilities?
Two weeks ago (Feb 25, 2025), CISA added CVE-2024-49035 to its catalog of actively exploited vulnerabilities. Now, the thing is: CVE-2024-49035 is not a "classic" vulnerability in a software ...
0 votes, 1 answer, 138 views
OWASP dependency checker is not reporting vulnerabilities that VS.Net reports
We are using OWASP dependency check on a Jenkins build server to check for vulnerabilities in .Net solutions. For this, we installed the OWASP Dependency-Check on Jenkins. These checks run overnight, ...
2 votes, 2 answers, 273 views
Understanding CVE score
I always had a loose understanding that a CVE score gave a broad-brush overview of how impactful a vulnerability is and how urgently it needs to be addressed - however I am questioning my ...
0 votes, 0 answers, 60 views
How to check usages of a class method in open source code
I detected in a code line a usage of Bouncy Castle that is vulnerable to the CVE CVE-2023-33201. The CVE seems to come from the guilty class X509LDAPCertStoreSpi.java, and specifically the method search(...
3 votes, 1 answer, 125 views
PCI DSS SAQ A qualification - what counts as a 'found' vulnerability?
This Q pertains to PCI DSS v4.0 SAQ A - previous Q&A only touched on previous versions of PCI. Since 4.0, merchants that accept credit card payment, even if they only iframe or link to their ...
1 vote, 0 answers, 65 views
RedHat get list of CVE affecting specific software [closed]
I need to build a tool to get a list of CVEs impacting specific software on a given RedHat system. I am aware that there is an online RedHat API but I do not want to go there because: My systems do not ...
3 votes, 1 answer, 989 views
CVE-2022-29190 due to telegraf?
I am working on finding a workaround for CVE-2022-29190 in my application. My application makes use of telegraf. It also states this: Telegraf is written in Go and compiles into a single binary with no ...
0 votes, 0 answers, 150 views
Does using a VPN to allow ssh connections provide better security, especially after seeing how CVE-2024-3094 (XZ backdoor) is done?
For my own (public) servers, is it considered a good idea to only allow ssh connections from VPN connections (OpenVPN, Wireguard or otherwise), to mitigate any possible attacks in the future on ssh? ...
0 votes, 0 answers, 107 views
Should Maven Central artifacts containing known vulnerable artifacts be reported?
I have developed a tool that can find Maven Central JAR artifacts that contain classes from known vulnerable JAR artifacts. This includes but is not limited to fat (uber) JARs, JAR bundles, and ...
4 votes, 1 answer, 786 views
Current (Feb 2024) High-Severity unfixed Linux Kernel CVEs
[Originally posted on ServerFault, was told it would fit better here] Our vulnerability scanner (AWS Inspector V2) in the last couple of weeks started reporting ~10 High severity CVEs with the Linux ...
0 votes, 1 answer, 320 views
If a library has a vulnerable function, but my code doesn't call it, is my code at risk? Do I need to update?
I am trying to analyze CVE-2023-34453. As per the NVD description, there is an integer overflow error in snappy-java, specifically in the method shuffle(int[] input) in BitShuffle.java. In a huge ...
1 vote, 0 answers, 99 views
What are the security concerns from failing to unpin memory?
I am trying to understand the implication of CVE-2023-40791. The CVE reads: "Linux kernel before 6.4.12 fails to unpin pages in certain situations". NetApp says this could lead to ...
2 votes, 1 answer, 2k views
Should the use of the HTTP 'ETag' header be avoided for security and privacy concerns?
I'm looking into the risks associated with the use of the HTTP 'Etag' header and found the following relevant information already. Information Disclosure (inodes) This article titled: "...
0 votes, 2 answers, 159 views
Not requiring POST requests... results in a CSRF vulnerability?
I'm setting up a Jenkins server, and ran across a reported vulnerability, SECURITY-3033, also identified as CVE-2023-37954: Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier does not require POST ...