by alipitch
1531 days ago
Also, to understand the problem correctly, what is the class of weakness of the two CVEs (CVE-2022-22965, CVE-2010-1622)? The following look like good candidates.

- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes <https://cwe.mitre.org/data/definitions/915.html> (Ruby on Rails mass assignment bug)
- CWE-502: Deserialization of Untrusted Data <https://cwe.mitre.org/data/definitions/502.html>
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') <https://cwe.mitre.org/data/definitions/470.html>

I think the one assigned (CWE-20) is not a good approach to dealing with the "class" of weaknesses.

- CWE-20: Improper Input Validation <https://cwe.mitre.org/data/definitions/20.html>

As long as you see this as a "CWE-20: Improper Input Validation" class problem, it seems like you try to fix this with a deny-list approach or a partial allow-list approach that needs additional fixing some time in the future.
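The deny-list versus allow-list contrast the comment draws, as an added example that is not part of the original thread or of either CVE's affected project: a minimal reflective property binder of the kind behind CWE-915, with a deny-list variant and an allow-list variant. The `User`/`Profile` types, the `profile.owner` back-reference, the path names and the request parameters are all constructed for the illustration.

```python
# Added example (not from the original thread): a minimal reflective property
# binder in the style that makes CWE-915 (mass assignment) possible, shown with
# a deny-list and with an allow-list. Types, field names and the request
# parameters below are constructed for the illustration.
from dataclasses import dataclass, field
from typing import Any, Optional


class BindError(ValueError):
    """Raised by the allow-list binder for any property path it does not know."""


@dataclass
class Profile:
    display_name: str = ""
    bio: str = ""
    # Back-reference to the owning user; such links are common in ORM models.
    owner: Optional["User"] = None


@dataclass
class User:
    username: str = ""
    email: str = ""
    is_admin: bool = False
    profile: Profile = field(default_factory=Profile)


def make_user() -> User:
    """Constructed sample object graph with a cycle through profile.owner."""
    user = User(username="alice", email="alice@example.invalid")
    user.profile.owner = user
    return user


def _set_path(target: Any, path: str, value: Any) -> None:
    """Walk a dotted path with getattr and assign the last segment with setattr.

    This reflective write is what turns request parameters into object state;
    when the path string is caller-chosen it is also CWE-470 territory."""
    obj = target
    parts = path.split(".")
    for part in parts[:-1]:
        obj = getattr(obj, part)
    setattr(obj, parts[-1], value)


# Deny-list: the author has to enumerate every dangerous path in advance.
DENIED_PATHS = {"is_admin"}


def bind_denylist(target: Any, params: dict[str, Any]) -> Any:
    """Bind every parameter except those whose exact path string is denied."""
    for path, value in params.items():
        if path in DENIED_PATHS:
            continue  # silently dropped, as many binders do
        _set_path(target, path, value)
    return target


# Allow-list: only the paths this endpoint is designed to accept are bindable.
ALLOWED_PATHS = {"username", "email", "profile.display_name", "profile.bio"}


def bind_allowlist(target: Any, params: dict[str, Any]) -> Any:
    """Reject the whole request if any parameter path is outside the allow-list."""
    unknown = sorted(set(params) - ALLOWED_PATHS)
    if unknown:
        raise BindError(f"unexpected property paths: {unknown}")
    for path, value in params.items():
        _set_path(target, path, value)
    return target


def demo() -> dict[str, bool]:
    """Run both binders over constructed requests and report whether each held."""
    legit = {"username": "alice", "profile.display_name": "Alice"}
    direct = {"is_admin": True}                  # the path the deny-list anticipated
    indirect = {"profile.owner.is_admin": True}  # same attribute, different path string

    results = {}
    results["denylist_blocks_direct"] = not bind_denylist(make_user(), direct).is_admin
    results["denylist_blocks_indirect"] = not bind_denylist(make_user(), indirect).is_admin
    results["allowlist_accepts_legit"] = bind_allowlist(make_user(), legit).username == "alice"
    try:
        bind_allowlist(make_user(), indirect)
        results["allowlist_blocks_indirect"] = False
    except BindError:
        results["allowlist_blocks_indirect"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The deny-list stops the one path string its author thought of, but the object graph reachable from the bound target still exposes the same attribute under another name, which is exactly the "needs additional fixing some time in the future" pattern; the allow-list rejects anything the endpoint was not designed to bind, so a new reachable path is not a new hole.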