iDefense, CVE or Oracle; The two iDefense advisories present a bit of confusion over the CVE assignments and number of vulnerabilities. There appear to be two vulnerabilities (login.php and common.php) that may have 3 CVE numbers assigned. Could anyone clarify? First advisory, mail list post and original jibe suggesting common.php issue is CVE-2008-5449: iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration Server login.php Command Injection Vulnerability http://archives.neohapsis.com/archives/bugtraq/2009-01/0111.html The vulnerability is in a function of common.php which is called from the login.php page. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-5449 to this issue. Oracle Secure Backup Administration Server login.php Command Injection Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=769 The vulnerability is in a function of common.php which is called from the login.php page. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-5449 to this issue. Second advisory, mail list post and original do not match, mentioning CVE-2008-4006 and then CVE-2008-5448 for what appear to be login.php and common.php. This implies that common.php may have had two CVE assigned: iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration Server login.php Command Injection Vulnerability http://archives.neohapsis.com/archives/bugtraq/2009-01/0110.html The first vulnerability is in "php/login.php". The second vulnerability is in "php/common.php". The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4006 to this issue. Oracle Secure Backup Administration Server login.php Command Injection Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=768 The first vulnerability is in "php/login.php". The second vulnerability is in "php/common.php". The Common Vulnerabilities and Exposures (CVE) project has assigned the names CVE-2008-4006 and CVE-2008-5448 to this issue. Any clarification would be appreciated.
