[TheDong]

If someone can template in data, it's a lot easier to just set "dhcp-script=/arbitrary/code"

If the person templating isn't validating data, then it's already RCE to let someone template into this config file without careful validation.

... Also, this is a segfault, the chance anyone can get an RCE out of '*r = 0' for r being slightly out of bounds is close to nil, you'd need an actively malicious compiler.

While CVE's in theory are "just a number to coordinate with no real meaning", in practice a "Severity: High" CVE will trigger a bunch of work for people, so it's obviously not ideal to issue garbage ones.

[akerl_]

Maybe we should issue a CVE for company vulnerability response processes that blindly take CVSS scoring as input without evaluating the vulnerability.

[TheDong]

> blindly take CVSS scoring as input without evaluating the vulnerability.

Evaluating the CVSS score in your own context is the work I'm talking about.

It does no one any good to have a CVE that says "may lead to remote code execution", when in fact it cannot, and if the reporter did more work, then you wouldn't need hundreds of people to independently do that work to determine this is garbage.

[akerl_]

People being able to collectively analyze a vulnerability instead of having to all do it independently is pretty much the whole reason for having a CVE database, so I'm glad we agree.

[tptacek]

I mean, I'm fine with the complaint about vulnerabilities that ambiguously refer to possible code execution, but that is a problem that long predates CVE.

[tptacek]

Like I said, it depends on the configuration field. But people saying "you have to be root to change this configuration" are missing the point.

If the argument is "CVSS is a complete joke", I think basically every serious practitioner in the field agrees with that.