Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)


Full Disclosure mailing list archives


From: Art Manion via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 08 Jan 2026 18:26:44 +0000

Hi,

> the vulnerabilities are no longer considered eligible for CVE tracking, despite being real, independently discovered,
> responsibly disclosed, and acknowledged by the vendor.
CVE IDs *can* be assigned for SaaS or similarly "cloud only" software.  For a period of time, there was a restriction 
that only the provider could make or request such an assignment.  But the current CVE rules remove this restriction:

4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, artificial intelligence, machine 
learning) as the sole basis for determining assignment.

It would have been acceptable (even preferred) to leave CVE-2025-34411 and CVE-2025-34412 published and identify them 
as affecting an "exclusively-hosted-service:"

5.1.11.1 (A CVE Record) MUST use the “exclusively-hosted-service” tag when all known Products listed in the CVE Record 
exist only as fully hosted services. If the Vulnerability affects both hosted services and on-premises Products, then 
this tag MUST NOT be used.

Rules: https://www.cve.org/resourcessupport/allresources/cnarules

Regards,

 - Art


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
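As an added illustration, not part of Art's message and not the CVE program's own tooling: the tag named in rule 5.1.11.1 is a literal value in the CVE JSON 5.x record format, carried in the CNA container's "tags" array. The Python check below applies the rule to a record. Because the record format has no field that says whether a product exists only as a hosted service, the check takes that classification as a separately supplied set of (vendor, product) pairs; that input, the placeholder CVE IDs and the product names are all constructed for this example.

```python
import json

# Tag value defined by the CVE JSON 5.x record format (cnaContainer.tags enum);
# CNA rule 5.1.11.1 governs when it must and must not appear.
HOSTED_ONLY_TAG = "exclusively-hosted-service"


def make_record(cve_id, affected, tags=None):
    """Build a minimal CVE JSON 5.1 record with only the fields this check reads.
    Real records carry many more fields (descriptions, references, metrics)."""
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.1",
        "cveMetadata": {"cveId": cve_id, "state": "PUBLISHED"},
        "containers": {"cna": {"affected": affected, "tags": list(tags or [])}},
    }


def affected_products(record):
    """Return the (vendor, product) pairs listed in the CNA container's 'affected' array."""
    cna = record["containers"]["cna"]
    return [(a.get("vendor", ""), a.get("product", "")) for a in cna.get("affected", [])]


def check_hosted_service_tag(record, hosted_only):
    """Check one CVE record against CNA rule 5.1.11.1.

    hosted_only: set of (vendor, product) pairs the CNA knows exist only as fully
    hosted services. The record format carries no such field, so the classification
    is an external input here (an assumption of this example, not of the rules).
    Returns a list of findings; an empty list means the tag usage is compliant.
    """
    products = affected_products(record)
    tags = set(record["containers"]["cna"].get("tags", []))
    if not products:
        return ["record lists no affected products"]
    not_hosted = [p for p in products if p not in hosted_only]
    findings = []
    # Rule: all listed products hosted-only  ->  tag MUST be present.
    if not not_hosted and HOSTED_ONLY_TAG not in tags:
        findings.append(f"all {len(products)} listed product(s) are hosted-only but "
                        f"'{HOSTED_ONLY_TAG}' tag is missing")
    # Rule: any on-premises product in the record  ->  tag MUST NOT be present.
    if not_hosted and HOSTED_ONLY_TAG in tags:
        findings.append(f"'{HOSTED_ONLY_TAG}' tag present but record also covers "
                        f"non-hosted product(s): {not_hosted}")
    return findings


def lint_json(text, hosted_only):
    """Parse a CVE record from its JSON text (as fetched from a CVE service) and check it."""
    return check_hosted_service_tag(json.loads(text), hosted_only)


# Constructed sample data: placeholder CVE IDs and product names, not real records.
HOSTED_ONLY = {("ExampleCorp", "Example Hosted Portal")}
SAAS_AFFECTED = [{"vendor": "ExampleCorp", "product": "Example Hosted Portal",
                  "defaultStatus": "affected"}]
MIXED_AFFECTED = SAAS_AFFECTED + [{"vendor": "ExampleCorp", "product": "Example Agent",
                                   "versions": [{"version": "2.3.0", "status": "affected"}]}]

SAMPLES = {
    "saas-untagged": make_record("CVE-0000-00001", SAAS_AFFECTED),
    "saas-tagged": make_record("CVE-0000-00001", SAAS_AFFECTED, [HOSTED_ONLY_TAG]),
    "mixed-tagged": make_record("CVE-0000-00002", MIXED_AFFECTED, [HOSTED_ONLY_TAG]),
    "mixed-untagged": make_record("CVE-0000-00002", MIXED_AFFECTED),
}


def lint_samples():
    """Run the check over every constructed sample; maps sample name -> findings."""
    return {name: check_hosted_service_tag(rec, HOSTED_ONLY) for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in lint_samples().items():
        print(f"{name}: {'OK' if not findings else findings}")
    # The same check over serialized JSON, as a record would arrive from a CVE service.
    print(lint_json(json.dumps(SAMPLES["saas-tagged"]), HOSTED_ONLY))
```

Running the block prints a finding for the hosted-only record that lacks the tag and for the mixed record that carries it, and "OK" for the other two. The rule cannot be checked from the record alone, which is why the hosted-only classification is a separate input: a CNA keeping such a list per product is what makes the check automatable.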

Current thread:

  • Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group) Art Manion via Fulldisclosure (Jan 10)

Source: https://seclists.org/fulldisclosure/2026/Jan/17