dependabot / elixir-security-advisories

Old database of Elixir security advisories before the GitHub Security Advisory DB supported Hex / Elixir.

phoenix_html XSS vulnerability #31

Closed. maennchen closed this issue 2 years ago.

greysteil commented 2 years ago

Thanks @maennchen. No CVE for this one? Should we ask Phoenix to get one?

maennchen commented 2 years ago

@greysteil I'm not aware of one. I tried looking on the MITRE CVE search.

I think we should probably merge this and also ask the phoenix team. Otherwise, it might make sense to request one ourselves.

greysteil commented 2 years ago

Let me pull in some colleagues from the GitHub Security Lab who should be able to help with both.

maennchen commented 2 years ago

@greysteil I've requested CVEs a few times. If you'd like me to request one, just let me know.

greysteil commented 2 years ago

Thanks @maennchen. We're actually a CVE Numbering Authority at GitHub, so that bit shouldn't be too hard. The tougher bit is making sure the maintainer is in the loop. I've asked someone from the GitHub Security Lab to kick off that convo.

Leave it with me.

rschultheis commented 2 years ago

👋 @maennchen @greysteil.

As a member of GitHub Security Lab, I emailed Jose, who made that commit, and he bounced the email to Chris. The TL;DR is that it is a potential XSS vector, but "this issue had low impact" and so they did not pursue a CVE. From my perspective this is not a serious enough issue for us to write a CVE outside of our normal process where a maintainer requests one. I prefer to only issue CVEs out-of-band for issues with more clear details on exploitation.

The Phoenix maintainers however did indicate they would keep the Security Advisory feature in mind for future security issues.

Full email: [screenshot attached, dated 2021-12-15]