Update CVE-2025-22376 following independent review #154
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I did an independent review of this CVE as it felt like the CVSS score was a bit high for what the vulnerability is. I've published the full review on my blog which explains the rationale behind this PR and adjusted CVSS score. I've also added the blog post as a reference.
|
@psyker156 thank you for the report. Our analysts will review your suggestions. We may not be able to merge this PR depending on the outcome of that analysis, but will try to do so if we are able. |
|
@psyker156 one of our analysts reviewed this entry and made some updates to the CVSS score. Thank you for the input! |
|
Hi Jonathan! Is it possible that a mistake was made inputting the CIA
impacts on the new value? The new values are somewhat the opposite of what
I mentioned in my analysis. The confidentiality and integrity would be
impacted if there was no nonce. But in this case, there is a nonce. Which
means that pretty much the only thing an attacker could do with this would
be to send requests with nonce that are yet to be generated by the client
effectively resulting in a DoS. I understand that the confidentiality of
the nonce itself (of future nonces) is compromised but then this results in
an availability impact and not a confidentiality impact and also does not
enable a replay attack since previously valid nonce would still be
invalidated.
Does that make sense??
Thank you!
Phil
…On Thu, Jan 16, 2025, 2:34 p.m. Jonathan Woytek ***@***.***> wrote:
@psyker156 <https://github.com/psyker156> one of our analysts reviewed
this entry and made some updates to the CVSS score. Thank you for the input!
—
Reply to this email directly, view it on GitHub
<#154 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAB3ELAJZHYJOUEGZUIS6WL2LACV5AVCNFSM6AAAAABUWNH3RCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKOJWGY4TCNBZHE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
@psyker156 I am not the analyst on this CVE, but will pass your questions along for review. |
|
Awesome, thank you so much!
…On Thu, Jan 16, 2025, 4:42 p.m. Jonathan Woytek ***@***.***> wrote:
@psyker156 <https://github.com/psyker156> I am not the analyst on this
CVE, but will pass your questions along for review.
—
Reply to this email directly, view it on GitHub
<#154 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAB3ELGUNBO2TXFGMJGX7XD2LARVZAVCNFSM6AAAAABUWNH3RCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKOJWHE2TEMJSG4>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I did an independent review of this CVE as it felt like the CVSS score was a bit high for what the vulnerability is. I've published the full review on my blog which explains the rationale behind this PR and adjusted CVSS score. I've also added the blog post as a reference.