top | item 40838195


throwaway_62022 | 1 year ago

Ugh - say I wrote a daemon that runs every 2 hours; it exposes no endpoints and has no metrics. But just because I depend on some library that brings in Prometheus, which in turn brings in some HTTP/2 library, I am on the hook for fixing this CVE in my code.

Shouldn't it be on the security researcher to prove how this can be exploited if no HTTP endpoints are created?

So much of security scanning is such bullshit.


mschuster91 | 1 year ago

> Shouldn't it be on the security researcher to prove how this can be exploited if no HTTP endpoints are created?

The problem is, from their viewpoint the security researcher is completely correct: a vulnerability is a vulnerability.

Consuming applications absolutely have to do their own research for CVEs in dependencies, to determine if they are impacted or not, and to develop mitigations on their side as well if needed.

philipwhiuk | 1 year ago

> The problem is, from their viewpoint the security researcher is completely correct: a vulnerability is a vulnerability.

In the app using the library, not in the library.