[Secure-testing-commits] r54447 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Tue Aug 8 20:13:03 UTC 2017
Author: carnil
Date: 2017-08-08 20:13:03 +0000 (Tue, 08 Aug 2017)
New Revision: 54447
Modified:
data/CVE/list
Log:
Update note for CVE-2017-1000031
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-08-08 20:04:36 UTC (rev 54446)
+++ data/CVE/list 2017-08-08 20:13:03 UTC (rev 54447)
@@ -3913,8 +3913,14 @@
CVE-2017-1000031 (SQL injection vulnerability in graph_templates_inputs.php in Cacti ...)
- cacti <unfixed>
NOTE: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-007/?fid=7789
- NOTE: Finding 1 looks like duplicate of of CVE-2014-4002. Finding 2.1 duplicate of
- NOTE: CVE-2016-3172 and finding 2.2 as well duplicate of CVE-2014-4002.
+ NOTE: MITRE disagrees that this CVE is a duplicate of CVE-2014-4002 and CVE-2016-3172.
+ NOTE: MITRE believes that CVE-2017-1000031 is a different vulnerability than
+ NOTE: CVE-2014-4002 and CVE-2016-3172. This is because they seprate on vulnerability
+ NOTE: type, so it cannot be a duplicate of CVE-2014-4002 despite sharing attack
+ NOTE: vectors with this vulnerability, and covers different attack vectors than
+ NOTE: CVE-2016-3172 despite sharing vulnerability type, and appears to be
+ NOTE: independently fixable from said vulnerability based on the fix provided here:
+ NOTE: https://github.com/Cacti/cacti/issues/866.
NOTE: According to https://github.com/Cacti/cacti/issues/866#issuecomment-316865448
NOTE: the first issue was fixed by https://github.com/Cacti/cacti/commit/be800c9e552d2929106b576922e9693c83b4bd46
NOTE: whereas the secod issue was fixed by https://github.com/Cacti/cacti/commit/4e4dd6784adfc07b6011da999809d86a06f0f4e5
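Review bot: The first two added NOTE lines state the same conclusion twice ("MITRE disagrees that this CVE is a duplicate of ..." followed by "MITRE believes that CVE-2017-1000031 is a different vulnerability than ..."), and the third has the typo "seprate"; folding the two sentences into one and fixing the spelling would make the rationale easier to scan. The references "with this vulnerability" and "from said vulnerability" are ambiguous in a note that names three CVEs, so spelling out the CVE ID in each place would remove the guesswork. Separately, the entry still reads "- cacti <unfixed>" while the unchanged notes below cite two upstream fix commits; if those commits do cover this CVE, a follow-up should record the fixed version, and the "secod" typo in the last context line could be corrected at the same time.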