- Issue created by @greggles
- 🇺🇸 United States greggles Denver, Colorado, USA
I created a default json for core.
And here's a start for sa-core-2024-003. I think it seems for XSS we can make them CWE-79. There are several CAPECs to choose from, including 63 XSS, 591 reflected XSS, 588 DOM-based XSS, and 592 stored XSS. I chose just 79 and 63 for 003.
- 🇺🇸 United States greggles Denver, Colorado, USA
Just realized I left the title as default, so need to change that on 003 before creating it.
For 004, I think CWE should be
https://cwe.mitre.org/data/definitions/178.html Improper Handling of Case Sensitivity
AND https://cwe.mitre.org/data/definitions/289.html Authentication Bypass by Alternate Name
And the CAPEC should be https://capec.mitre.org/data/definitions/233.html Privilege Escalation
- 🇺🇸 United States greggles Denver, Colorado, USA
005 is pretty easy if we just accept the same values as 003 for CWE and CAPEC.
For the 3 gadget chains, the problem type and impact seem like they should be
https://cwe.mitre.org/data/definitions/502.html CWE-502: Deserialization of Untrusted Data
https://capec.mitre.org/data/definitions/586.html CAPEC-586: Object Injection
This is all of them, so moving to "Needs Review".
- 🇬🇧 United Kingdom mcdruid 🇬🇧🇪🇺
Thanks @greggles
For the Gadget Chains I'm not sure that CWE-502 is a perfect fit, although it's certainly very relevant.
Seems to me that one is tied to the initial vector whereby an application passes untrusted data to unserialize(), which is not what was addressed in these SAs. https://cwe.mitre.org/data/definitions/915.html might be a better fit as that's more about the idea that it's possible for an attacker to modify properties of objects in an unintended way such that they can influence the state of the application (with malicious intent).
It seems like these two CWEs are both closely associated with PHP Object Injection, but I think 915 maps better to the Gadget Chains as they are not directly exploitable, but rather represent tools that an attacker can leverage if they find a way to pass their malicious payload to unserialize().
I think CAPEC-586 looks good.
- 🇬🇧 United Kingdom mcdruid 🇬🇧🇪🇺
Sorry didn't mean to change status.
- 🇺🇸 United States greggles Denver, Colorado, USA
915 makes sense to me, thanks for reviewing these and finding that.
2 adjustments:
* fixing title on 003
* changing the gadget chains to 915
Other than that I think these are ready to go.
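The mappings settled above (CWE-79/CAPEC-63 for the two XSS advisories, CWE-178 plus CWE-289 with CAPEC-233 for 004, and CWE-915/CAPEC-586 for the three gadget chains) end up as the problemTypes and impacts sections of each CVE record. The script below is an added example written for this thread, not the JSON files attached to the issue: it assumes the CVE JSON 5.x record layout (containers.cna.problemTypes and containers.cna.impacts) as published by the CVE Program, builds that fragment for each of the six advisories, and checks the identifier shape and description consistency that are easy to get wrong when the files are hand-edited.

```python
"""Build and sanity-check the problemTypes / impacts part of a CVE JSON 5.x record.

Added example for this issue thread, not the thread's own JSON. Assumes the
CVE JSON 5.x layout of containers.cna.problemTypes and containers.cna.impacts.
The advisory -> CWE/CAPEC mappings are the ones agreed in the thread.
"""
import json
import re

# Shape these identifiers take in the cweId / capecId fields.
CWE_ID = re.compile(r"^CWE-[1-9][0-9]*$")
CAPEC_ID = re.compile(r"^CAPEC-[1-9][0-9]*$")

# Mappings agreed in the thread: advisory -> (CWE list, CAPEC list).
# Titles are the official CWE / CAPEC names for each identifier.
XSS = (
    [("CWE-79", "Improper Neutralization of Input During Web Page Generation "
                "('Cross-site Scripting')")],
    [("CAPEC-63", "Cross-Site Scripting (XSS)")],
)
GADGET_CHAIN = (
    [("CWE-915", "Improperly Controlled Modification of "
                 "Dynamically-Determined Object Attributes")],
    [("CAPEC-586", "Object Injection")],
)
ADVISORY_MAPPINGS = {
    "SA-CORE-2024-003": XSS,
    "SA-CORE-2024-004": (
        [("CWE-178", "Improper Handling of Case Sensitivity"),
         ("CWE-289", "Authentication Bypass by Alternate Name")],
        [("CAPEC-233", "Privilege Escalation")],
    ),
    "SA-CORE-2024-005": XSS,
    "SA-CORE-2024-006": GADGET_CHAIN,
    "SA-CORE-2024-007": GADGET_CHAIN,
    "SA-CORE-2024-008": GADGET_CHAIN,
}


def problem_type(cwe_id, title):
    """One problemTypes entry; cweId and type are the record's CWE fields."""
    return {"descriptions": [{"lang": "en", "type": "CWE", "cweId": cwe_id,
                              "description": f"{cwe_id}: {title}"}]}


def impact(capec_id, title):
    """One impacts entry, keyed by its CAPEC identifier."""
    return {"capecId": capec_id,
            "descriptions": [{"lang": "en", "description": f"{capec_id}: {title}"}]}


def cna_fragment(advisory):
    """problemTypes/impacts for one advisory, ready to merge into containers.cna."""
    cwes, capecs = ADVISORY_MAPPINGS[advisory]
    return {"problemTypes": [problem_type(c, t) for c, t in cwes],
            "impacts": [impact(c, t) for c, t in capecs]}


def validate_fragment(fragment):
    """Return a list of problems; empty when the fragment is well formed.

    Catches slips that are easy to make by hand: an identifier without its
    prefix, a wrong type tag, or a description that does not name the
    identifier it is paired with.
    """
    errors = []
    for pt in fragment.get("problemTypes", []):
        for d in pt.get("descriptions", []):
            cwe = d.get("cweId", "")
            if not CWE_ID.match(cwe):
                errors.append(f"bad cweId {cwe!r}")
            if d.get("type") != "CWE":
                errors.append(f"{cwe}: type must be 'CWE'")
            if not d.get("description") or cwe not in d["description"]:
                errors.append(f"{cwe}: description missing or does not name the CWE")
    for imp in fragment.get("impacts", []):
        capec = imp.get("capecId", "")
        if not CAPEC_ID.match(capec):
            errors.append(f"bad capecId {capec!r}")
        descs = imp.get("descriptions", [])
        if not descs or not all(capec in d.get("description", "") for d in descs):
            errors.append(f"{capec}: description missing or does not name the CAPEC")
    return errors


def cwe_ids(advisory):
    """CWE identifiers recorded for an advisory, in order."""
    return [d["cweId"] for pt in cna_fragment(advisory)["problemTypes"]
            for d in pt["descriptions"]]


if __name__ == "__main__":
    for sa in ADVISORY_MAPPINGS:
        frag = cna_fragment(sa)
        print(sa, validate_fragment(frag) or "OK")
        print(json.dumps(frag, indent=2))
```

Running it prints the fragment for each advisory after the checks pass; the validator is the part worth keeping around, since it flags a bare "502" or a description that drifted away from its identifier before the record is submitted.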
- 🇺🇸 United States greggles Denver, Colorado, USA
OK, here are new files for 003, 006, 007, 008, fixing the title on 003 and the CWE on 6, 7, 8 and also an accidental duplicated "Drupal Drupal Core" in 006.
- 🇦🇺 Australia larowlan 🇦🇺 .au GMT+10
These look good to me, thanks @greggles
- 🇺🇸 United States greggles Denver, Colorado, USA
OK, I published these and updated the advisories to include the CVE number.
Up next is "Create CVEs for contributed projects in 2024" (Active).
If there are any proposed necessary edits to these, feel free to comment with them, though my priority personally is on getting all of 2024 filed.
- 🇺🇸 United States greggles Denver, Colorado, USA
I guess I should link to the CVEs:
https://www.cve.org/CVERecord?id=CVE-2024-12393 SA-CORE-2024-003
https://www.cve.org/CVERecord?id=CVE-2024-55634 SA-CORE-2024-004
https://www.cve.org/CVERecord?id=CVE-2024-55635 SA-CORE-2024-005
https://www.cve.org/CVERecord?id=CVE-2024-55636 SA-CORE-2024-006
https://www.cve.org/CVERecord?id=CVE-2024-55637 SA-CORE-2024-007
https://www.cve.org/CVERecord?id=CVE-2024-55638 SA-CORE-2024-008