On Thu, Apr 27, 2023, at 8:11 AM, Carl George wrote:
The Red Hat CVSS score for CVE-2022-1184 has the same breakdown as the
NVD CVSS score. Both rate the "privileges required" property as low.
From what I can tell that property would be rated high if they
considered root privileges to be required. How does apptainer's use
of setuid change anything here?
My read of privileges required 'low' on CVE-2022-1184 is that perhaps it is
related to the situation where, although a direct `mount` command against an extfs
filesystem usually requires root, it is common that a non-root user can initiate mounts of
extfs USB drives etc in 'standard' distro configurations via udisks2. I could be
way off here, but at least on desktop systems there's usually a way for a non-root
user to mount extfs removable drives.
With respect to CVE-2023-30549 scoring, we're going to have quite a bit of confusion
arising from the fact that the CNA suggested score at the NVD listing is different than on
the GitHub GHSA page...
On https://nvd.nist.gov/vuln/detail/CVE-2023-30549 the CNA provided vector is
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
This results in a higher score than CVE-2022-1184 because it lists 'Privileges
Required: None' .... which is surely incorrect, as you have to have a user account
with enough privileges to run apptainer?
On https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357... the
vector is CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
So... at the GHSA page, the Privileges Required is low (which seems correct), but compared
to CVE-2022-1184:
1) attack complexity is now high... which seems odd to change.
2) the suggested scoring has bumped Confidentiality and Integrity impact to
'high', where they are both 'none' in the underlying CVE-2022-1184. Not
clear how this can be correct when CVE-2022-1184 is a denial of service vuln.
I'm quite confused looking at this now. I don't know how the GitHub submitted CNA
suggest score at the NVD would differ from the score on the GitHub Security Advisory. Was
the scoring on the GHSA edited after publication, after it had been sent to the NVD?
Also, I don't know what the justification is on the GHSA for bumping confidentiality /
integrity impact, nor changing complexity from low -> high versus CVE-2022-1184.
I wonder if Dave Dykstra could clarify what's going on with the scoring differences
with CVE-2022-1184, and between the NVD submission and what's now seen at the GHSA
link?
I guess it may not be an issue if any EL7 decision is just dependent on the NVD's own
analysis and score, which will appear in due course.
Cheers,
DT