[VIM] Vendor dispute / researcher retraction: Agavi (CVE-2008-4920)
str0ke
str0ke at milw0rm.com
Thu Nov 6 16:00:02 UTC 2008
Received this from the researcher which confirms the false vuln.
Hi dude ! Can you remove the exploit AGAVI <=Agavi 1.0.0 beta 5
Directory Transversal Exploit, because after discussing with the
developper of AGAVI, we saw that the vulnerability I found was only dur
to a bad server configuration and not the value cmplang from AGAVI....
Steven M. Christey wrote:
> (also MILW0RM:6970)
>
> The report covered by CVE-2008-4920 is false. This was for a claimed
> directory traversal in Agavi involving the cmplang parameter. This
> parameter does not exist in Agavi. Further investigation by the vendor
> and original researcher show that it is due to a site-specific
> modification.
>
> See: http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
>
> We have been notified by the original vendor as well as the original
> researcher. The researcher has retracted the claim that it is in Agavi.
> Since it's site-specific, it is outside CVE's scope, so we're rejecting
> it.
>
> - Steve
>
> ======================================================
> Name: CVE-2008-4920
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4920
> Reference: MISC:http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
> Reference: MILW0RM:6970
> Reference: URL:http://www.milw0rm.com/exploits/6970
> Reference: MISC:http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
> Reference: BID:32086
> Reference: URL:http://www.securityfocus.com/bid/32086
>
> ** REJECT **
>
> DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
> candidate was based on an incorrect claim regarding a directory issue
> in Agavi. The vendor has disputed the issue and the original
> researcher has retracted the original claim, so this is not a
> vulnerability. Further investigation by the vendor and original
> researcher show that the original issue was in a site-specific
> modification, which is outside the scope of CVE. Notes: CVE users
> should not use this identifier.
>
>
>
>
More information about the VIM
mailing list