[VIM] Vendor dispute / researcher retraction: Agavi (CVE-2008-4920)
Steven M. Christey
coley at linus.mitre.org
Thu Nov 6 15:40:53 UTC 2008
(also MILW0RM:6970)
The report covered by CVE-2008-4920 is false. This was for a claimed
directory traversal in Agavi involving the cmplang parameter. This
parameter does not exist in Agavi. Further investigation by the vendor
and original researcher shows that it is due to a site-specific
modification.
See: http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
We have been notified by the original vendor as well as the original
researcher. The researcher has retracted the claim that it is in Agavi.
Since it's site-specific, it is outside CVE's scope, so we're rejecting
it.
- Steve
======================================================
Name: CVE-2008-4920
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4920
Reference: MISC:http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
Reference: MILW0RM:6970
Reference: URL:http://www.milw0rm.com/exploits/6970
Reference: MISC:http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
Reference: BID:32086
Reference: URL:http://www.securityfocus.com/bid/32086
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate was based on an incorrect claim regarding a directory issue
in Agavi. The vendor has disputed the issue and the original
researcher has retracted the original claim, so this is not a
vulnerability. Further investigation by the vendor and original
researcher show that the original issue was in a site-specific
modification, which is outside the scope of CVE. Notes: CVE users
should not use this identifier.