In v2.5.1, cve-services/src/controller/cve-id.controller/cve-id.controller.js (lines 549 to 550 in 078cbdb) is apparently attempting to allow reservations in October/November/December for the next calendar year, but in practice also allows reservations for all non-negative earlier years (even year 0, which did not exist) because daysUntilYear can return a negative number.

Traditionally, cve_year 1999 has been for vulnerabilities disclosed in 1999 or earlier. If this principle is maintained, then it should not be possible to manipulate parameters to auto-reserve for 1998 or earlier.

Example:

POST /api/cve-id?short_name=exampleCNA&batch_type=sequential&cve_year=0000&amount=1

Outcome:
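
A minimal model of the defect this issue describes, next to a bounded check; it is an added example and not the cve-services code. Only the name daysUntilYear and the 1999 floor come from the issue; the function bodies, the 92-day window, and the names flawedAllows and hardenedAllows are assumptions, as is the choice to keep years from 1999 through the current year reservable.

```javascript
// Illustrative model only; NOT the cve-services source.
const MS_PER_DAY = 24 * 60 * 60 * 1000;
const FIRST_CVE_YEAR = 1999;   // floor taken from the issue text
const EARLY_WINDOW_DAYS = 92;  // assumed window: 1 Oct .. 31 Dec

// Days from `now` to 1 January of `year` (UTC). Negative for past years.
function daysUntilYear(year, now) {
  const jan1 = new Date(Date.UTC(2000, 0, 1));
  jan1.setUTCFullYear(year); // avoids Date.UTC remapping years 0..99 to 19xx
  return Math.ceil((jan1.getTime() - now.getTime()) / MS_PER_DAY);
}

// Assumed shape of the flawed check: an upper bound only, so every
// negative distance (any past year, including 0) also passes.
function flawedAllows(cveYear, now) {
  return daysUntilYear(Number(cveYear), now) <= EARLY_WINDOW_DAYS;
}

// Bounded check: validate the format, enforce the 1999 floor, and allow
// only the *next* year, and only inside the early-reservation window.
function hardenedAllows(cveYear, now) {
  if (!/^\d{4}$/.test(String(cveYear))) return false;
  const year = Number(cveYear);
  const current = now.getUTCFullYear();
  if (year < FIRST_CVE_YEAR) return false;
  if (year <= current) return true;
  const days = daysUntilYear(year, now);
  return year === current + 1 && days > 0 && days <= EARLY_WINDOW_DAYS;
}

// Constructed sample inputs: a date inside the window and candidate years.
function compare(now, years) {
  return years.map((y) => ({
    cve_year: y,
    daysUntilYear: daysUntilYear(Number(y), now),
    flawed: flawedAllows(y, now),
    hardened: hardenedAllows(y, now),
  }));
}

console.table(
  compare(new Date(Date.UTC(2024, 10, 15)), ["0000", "1998", "1999", "2024", "2025", "2026"])
);
```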