Hi,

Yes, Scott's interpretation is correct - I'm sorry if the wording of the CVE was not sufficiently clear. Let me see if there's a way to query the CVSSv3 score that was assigned to the CVE...

Colm.

On Fri, Sep 6, 2019 at 3:03 PM Cantor, Scott <canto...@osu.edu> wrote:
> On 9/6/19, 5:44 AM, "RvG" <rick.vanga...@onegini.com> wrote:
>
> > I was going for a reading like this as well, but there's a little too
> > much ambiguity in the original wording for me to feel comfortable
> > reading it like that. I say that considering that the CVSSv3 score
> > assigned to this vulnerability (7.5) is rather high if the bug requires
> > you to load untrusted XML parsers to be effective.
>
> I think quantitative scoring like that is ridiculous and will never be
> meaningful, nor do I know who scored it.
>
> I think it's entirely fair to expect the upstream project to be clear
> about the issue if it can be without disclosing information that would put
> people at risk, but it's not my advisory, so it's not my place to clarify
> it beyond what I've already said. If my understanding is incorrect, then
> I'm sure I'll be corrected.
>
> -- Scott