Hi Mark,

OK I will do thanks. Just for clarity, when you say they can update the
entry without Mitre - are you referring to the description
https://nvd.nist.gov/vuln/detail/CVE-2015-5183 or just in
https://bugzilla.redhat.com/show_bug.cgi?id=1249182 ?

Colm.

On Wed, Feb 26, 2020 at 12:54 PM Mark J Cox <m...@apache.org> wrote:

> Hi Colm; as the assigning CNA was Red Hat I'd suggest reaching out to them
> via secal...@redhat.com and ask them to update the entry (they have the
> ability to do this themselves and very quickly and easily without having to
> involve Mitre at all).  Once that is done which should take only a day or
> two you can ask NIST to update the CPE list based on that change.
>
> Cheers, Mark
>
> On Tue, Feb 25, 2020 at 2:40 PM Colm O hEigeartaigh <cohei...@apache.org>
> wrote:
>
>> Hi all,
>>
>> A few months ago I raised the issue of a number of CVEs reported against
>> AMQ which have no "fix for" version. I have some time again to look into
>> this, and so I'd like to take them one by one.
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2015-5183
>>
>> "The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on
>> cookies."
>>
>> The original JIRA (https://bugzilla.redhat.com/show_bug.cgi?id=1249182)
>> refers to the Hawt IO Console, and not anything in ActiveMQ. Although note
>> that we didn't set HTTPOnly for the AMQ Web Console until the 5.15.11
>> release (https://issues.apache.org/jira/browse/AMQ-7322).
>>
>> As this CVE does not concern ActiveMQ at all, I would like to mail NIST
>> and request that they change the CPE score to stop referencing ActiveMQ,
>> and also update the description not to refer to ActiveMQ.
>>
>> It would be great if someone from the PMC could give me a +1 to this
>> plan, and I will be able to link to this thread when contacting NIST.
>>
>> Colm.
>>
>
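
A defender-side check for the weakness the quoted CVE description names (a console issuing cookies without the HttpOnly or Secure attributes), added here as an example; it is not code from ActiveMQ, Hawtio or this thread, and the Set-Cookie header values are constructed:

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes.

Constructed example: SAMPLE_HEADERS mimics a response from a web console
that sets a session cookie without the two attributes (first line), one
that sets both (second line) and a non-session cookie (third line).
"""
from typing import Dict, List, Tuple

SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/hawtio"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/admin; HttpOnly; Secure"),
    ("Set-Cookie", "theme=dark; Path=/"),
]


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and a lower-cased
    attribute map (flag attributes such as HttpOnly map to an empty string)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "attrs": attrs}


def missing_flags(value: str) -> List[str]:
    """Return the names of the protective attributes absent from the cookie."""
    attrs = parse_set_cookie(value)["attrs"]
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    return missing


def audit(headers: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """List (cookie name, path, missing attributes) for every Set-Cookie
    header that lacks HttpOnly or Secure; other headers are ignored."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue)
        flags = missing_flags(hvalue)
        if flags:
            path = cookie["attrs"].get("path", "/") or "/"
            findings.append((cookie["name"], path, flags))
    return findings


if __name__ == "__main__":
    for name, path, flags in audit(SAMPLE_HEADERS):
        print(f"{name} (Path={path}) is missing: {', '.join(flags)}")
```

Run against captured response headers rather than SAMPLE_HEADERS to confirm a fix such as the one referenced for the AMQ Web Console actually reaches every cookie the console issues.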
