Yes, they can update the master CVE (Mitre) description which appears at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5183 which NVD are downstream from.
Mark

On Wed, Feb 26, 2020 at 1:12 PM Colm O hEigeartaigh <cohei...@apache.org> wrote:
> Hi Mark,
>
> OK I will do thanks. Just for clarity, when you say they can update the
> entry without Mitre - are you referring to the description
> https://nvd.nist.gov/vuln/detail/CVE-2015-5183 or just in
> https://bugzilla.redhat.com/show_bug.cgi?id=1249182 ?
>
> Colm.
>
> On Wed, Feb 26, 2020 at 12:54 PM Mark J Cox <m...@apache.org> wrote:
>
>> Hi Colm; as the assigning CNA was Red Hat I'd suggest reaching out to
>> them via secal...@redhat.com and ask them to update the entry (they have
>> the ability to do this themselves and very quickly and easily without
>> having to involve Mitre at all). Once that is done which should take only
>> a day or two you can ask NIST to update the CPE list based on that change.
>>
>> Cheers, Mark
>>
>> On Tue, Feb 25, 2020 at 2:40 PM Colm O hEigeartaigh <cohei...@apache.org>
>> wrote:
>>
>>> Hi all,
>>>
>>> A few months ago I raised the issue of a number of CVEs reported against
>>> AMQ which have no "fix for" version. I have some time again to look into
>>> this, and so I'd like to take them one by one.
>>>
>>> https://nvd.nist.gov/vuln/detail/CVE-2015-5183
>>>
>>> "The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes
>>> on cookies."
>>>
>>> The original JIRA (https://bugzilla.redhat.com/show_bug.cgi?id=1249182)
>>> refers to the Hawt IO Console, and not anything in ActiveMQ. Although note
>>> that we didn't set HTTPOnly for the AMQ Web Console until the 5.15.11
>>> release (https://issues.apache.org/jira/browse/AMQ-7322).
>>>
>>> As this CVE does not concern ActiveMQ at all, I would like to mail NIST
>>> and request that they change the CPE score to stop referencing ActiveMQ,
>>> and also update the description not to refer to ActiveMQ.
>>>
>>> It would be great if someone from the PMC could give me a +1 to this
>>> plan, and I will be able to link to this thread when contacting NIST.
>>>
>>> Colm.
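The CVE text quoted in the thread ("does not set HTTPOnly or Secure attributes on cookies") describes a weakness that is easy to verify from a web console's response headers. The following audit script is an added illustration for this thread; it is not code from Hawtio, ActiveMQ, or any of the list participants. The sample headers are constructed, and the cookie name JSESSIONID is an assumption, not taken from either project.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes.

Added illustration for the CVE-2015-5183 discussion; not code from
Hawtio, ActiveMQ, or the mailing-list authors. The sample headers
below are constructed, not captured from any real console.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into its name/value pair and attributes.

    Attribute names are lower-cased because RFC 6265 compares them
    case-insensitively; flag attributes (HttpOnly, Secure) map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"__name__": name.strip(), "__value__": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_cookie(header: str) -> List[str]:
    """Return the hardening attributes missing from one Set-Cookie header."""
    cookie = parse_set_cookie(header)
    missing = []
    if "httponly" not in cookie:
        # Without HttpOnly the cookie is readable via document.cookie,
        # so any script injection on the page can exfiltrate the session.
        missing.append("HttpOnly")
    if "secure" not in cookie:
        # Without Secure the browser also sends the cookie over plain HTTP.
        missing.append("Secure")
    return missing


def audit_response_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a response.

    Returns {cookie name: [missing attributes]} for cookies lacking
    something; an empty dict means every cookie carries both attributes.
    """
    findings: Dict[str, List[str]] = {}
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        cookie_name = parse_set_cookie(value)["__name__"]
        missing = audit_cookie(value)
        if missing:
            findings[cookie_name] = missing
    return findings


# Constructed sample (assumed cookie name): a session cookie as an
# unhardened console might emit it, beside the hardened form.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    print("weak:    ", audit_response_headers(WEAK_HEADERS))
    print("hardened:", audit_response_headers(HARDENED_HEADERS))
```

Feed it the header list from a real response (for example `resp.headers.items()` from a `urllib` or `requests` call to your own console) and any non-empty result is the finding the CVE describes; an empty result for every session cookie is what a fixed release should produce.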