On 9/6/19, 5:44 AM, "RvG" <rick.vanga...@onegini.com> wrote:
> I was going for a reading like this as well, but there's a little too much
> ambiguity in the original wording for me to feel comfortable reading it like
> that. I say that considering that the CVSSv3 score assigned to this
> vulnerability (7.5) is rather high if the bug requires you to load untrusted
> XML parsers to be effective.

I think quantitative scoring like that is ridiculous and will never be meaningful, nor do I know who scored it. I think it's entirely fair to expect the upstream project to be clear about the issue if it can be without disclosing information that would put people at risk, but it's not my advisory, so it's not my place to clarify it beyond what I've already said. If my understanding is incorrect, then I'm sure I'll be corrected.

-- Scott