On Thu, Apr 27, 2023, at 8:11 AM, Carl George wrote:
> The Red Hat CVSS score for CVE-2022-1184 has the same breakdown as the
> NVD CVSS score. Both rate the "privileges required" property as low.
> From what I can tell that property would be rated high if they
> considered root privileges to be required. How does apptainer's use
> of setuid change anything here?

My read of privileges required 'low' on CVE-2022-1184 is that perhaps it is related to the situation where, although a direct `mount` command against an extfs filesystem usually requires root, it is common that a non-root user can initiate mounts of extfs USB drives etc. in 'standard' distro configurations via udisks2. I could be way off here, but at least on desktop systems there's usually a way for a non-root user to mount extfs removable drives.

With respect to CVE-2023-30549 scoring, we're going to have quite a bit of confusion arising from the fact that the CNA-suggested score at the NVD listing is different than on the GitHub GHSA page...

On https://nvd.nist.gov/vuln/detail/CVE-2023-30549 the CNA-provided vector is

  CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

This results in a higher score than CVE-2022-1184 because it lists 'Privileges Required: None' .... which is surely incorrect, as you have to have a user account with enough privileges to run apptainer?

On https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg the vector is

  CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

So... at the GHSA page, the Privileges Required is low (which seems correct), but compared to CVE-2022-1184:

1) attack complexity is now high... which seems odd to change.

2) the suggested scoring has bumped Confidentiality and Integrity impact to 'high', where they are both 'none' in the underlying CVE-2022-1184. Not clear how this can be correct when CVE-2022-1184 is a denial of service vuln.

I'm quite confused looking at this now.
I don't know how the GitHub-submitted CNA-suggested score at the NVD would differ from the score on the GitHub Security Advisory. Was the scoring on the GHSA edited after publication, after it had been sent to the NVD?

Also, I don't know what the justification is on the GHSA for bumping confidentiality / integrity impact, nor changing complexity from low -> high versus CVE-2022-1184.

I wonder if Dave Dykstra could clarify what's going on with the scoring differences with CVE-2022-1184, and between the NVD submission and what's now seen at the GHSA link?

I guess it may not be an issue if any EL7 decision is just dependent on the NVD's own analysis and score, which will appear in due course.

Cheers,

DT
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx