oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Neo4J CSRF: Potential CVE candidate

From: cve-assign () mitre org
Date: Fri, 3 Jan 2014 12:30:50 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Last August, Dinis Cruz wrote a blog entry detailing a CSRF attack



http://blog.diniscruz.com/2013/08/neo4j-csrf-payload-to-start-processes.html



on a Neo4J Server resulting in an RCE. The server's documentation
mentions the following.

  "By default, the Neo4j Server comes with some places where arbitrary
  code code execution can happen. These are the Section 19.15,



This could mean that the RCE itself is not CVE worthy as it is a
documented/expected behavior. However, should the CSRF flaw be
considered a vulnerability and assigned a CVE?


Use CVE-2013-7259 for the CSRF. There is no CVE assignment for the
documented Section 19.15 behavior.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSxvNhAAoJEKllVAevmvmscdkH/2ujYyUGrDQwoSXdENDgUCAS
fpyQfXnbL6dATF41P8y4cz7e7lCUMb/RxFJ6WBsLd/smCS/K9Q4yF0l4VAwp+2bg
Ztxcqzz4mQafgXGwAcKMtQ6ZXSk4I9r67PlBcFdO/mddhaLUDQT3MTxYBGJVfJSP
NlIuCp49QGJGpypRssK0bFkmLymHY9bMrz7n2EzgzPbk4GilVRhBrjEo3R2oJtKW
DZfRT8JO3op/3515wGXu0jeOtlKQg+YcKJbkpD3jwzmOANQsSFtfKgzNEUU9GCMt
XO7FYhLg4RyPs9/Lgy1AuFO/crqAck2SLyNTl7rd0KEKLgeANm1j8km4itnvZ+0=
=/rAS
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: