CVE by License Plate

Unlikely the car itself represents a CVE but my curiosity took hold: what CVEs may be 905s? Let’s query the database and find out!

There are 26 distinct CVEs ending in -0905 since 1999 with only 2018 and 2021 unaccounted for, and only a couple with a CVSS assigned (2 highs, 1 medium, 1 low):

  • CVE-2019-0905 (Score 7.8, High) A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory.
  • CVE-2023-0905 (Score 7.3, High) A vulnerability classified as critical has been found in SourceCodester Employee Task Management System 1.0. Affected is an unknown function of the file changePasswordForEmployee.php. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-221454 is the identifier assigned to this vulnerability.
  • CVE-2022-0905 (Score 6.5, Medium) Missing Authorization in GitHub repository go-gitea/gitea prior to 1.16.4.
  • CVE-2025-0905 (Score 3.3, Low) PDF-XChange Editor JB2 File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JB2 files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-25433.

By no means am I a security expert and rarely (ever?) have I needed to track a CVE for legitimate business purposes, but these types of exploits are not what immediately comes to mind: race conditions, buffer overflows, using memory after its release, OS-level problems are my naive view of CVEs. For example:

  • CVE-2001-0904: Race condition in signal handling of procmail 3.20 and earlier, when running setuid, allows local users to cause a denial of service or gain root privileges by sending a signal while a signal handling routine is already running.
  • CVE-2002-0905: Buffer overflow in sqlexec for Informix SE-7.25 allows local users to gain root privileges via a long INFORMIXDIR environment variable.
  • CVE-2004-0905: Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to perform cross-domain scripting and possibly execute arbitrary code by convincing a user to drag and drop javascript: links to a frame or page in another domain.
  • CVE-2006-0905: A “programming error” in fast_ipsec in FreeBSD 4.8-RELEASE through 6.1-STABLE and NetBSD 2 through 3 does not properly update the sequence number associated with a Security Association, which allows packets to pass sequence number checks and allows remote attackers to capture IPSec packets and conduct replay attacks.
  • CVE-2011-0905: The rfbSendFramebufferUpdate function in server/libvncserver/rfbserver.c in vino-server in Vino 2.x before 2.28.3, 2.32.x before 2.32.2, 3.0.x before 3.0.2, and 3.1.x before 3.1.1, when tight encoding is used, allows remote authenticated users to cause a denial of service (daemon crash) via crafted dimensions in a framebuffer update request that triggers an out-of-bounds read operation.

This also raises questions about who should be tracking CVEs: should I, as a technology professional, be regularly reviewing CVEs to see what may affect my organization? Is OWASP enough (assuming, of course, engineers actually took their Top Ten seriously)? Aside from tech giants and Fortune 500s, how many organizations lack the expertise and bandwidth to regularly review/evaluate CVEs for impact? Organizations may hire external organizations to do security and penetration testing on their software products but ignore recommendations due to product roadmaps.
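One way to check "what may affect my organization" for the two entries above that state fixed versions (CVE-2022-0905 and CVE-2011-0905), as an added example that is not part of the original post. The inventory, host names and the `RULES` layout are constructed assumptions, and versions are assumed to be plain dotted numbers.

```python
def parse_version(text):
    """'1.16.4' -> (1, 16, 4), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

# (cve, product, branch prefix or None, first fixed version).
# Ranges are taken from the CVE descriptions quoted on this page.
RULES = [
    ("CVE-2022-0905", "gitea", None, "1.16.4"),
    ("CVE-2011-0905", "vino", "2", "2.28.3"),
    ("CVE-2011-0905", "vino", "2.32", "2.32.2"),
    ("CVE-2011-0905", "vino", "3.0", "3.0.2"),
    ("CVE-2011-0905", "vino", "3.1", "3.1.1"),
]

def affected(product, version):
    """Return sorted CVE ids whose affected range contains this product version."""
    ver = parse_version(version)
    hits = set()
    for cve, rule_product, branch, fixed in RULES:
        if rule_product != product:
            continue
        prefix = parse_version(branch) if branch else ()
        in_branch = ver[:len(prefix)] == prefix
        # Affected only when inside the named branch AND older than its fix.
        if in_branch and ver < parse_version(fixed):
            hits.add(cve)
    return sorted(hits)

# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("git01", "gitea", "1.9.0"),    # as strings, "1.9.0" > "1.16.4": looks patched
    ("git02", "gitea", "1.16.4"),
    ("desk07", "vino", "2.32.1"),   # newer than 2.28.3 but still in the 2.32.x range
    ("desk08", "vino", "2.32.2"),
    ("desk09", "vino", "3.0.1"),
]

def triage(inventory):
    """Map host -> CVE ids that apply to the software installed there."""
    report = {}
    for host, product, version in inventory:
        cves = affected(product, version)
        if cves:
            report[host] = cves
    return report

if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        print(host, ", ".join(cves))
```

The `git01` and `desk07` rows are the cases a string comparison or a single "fixed in" number per product would miss.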

True story: a previous employer sold their software with a hard-coded password used for initial setup. The password was intended to be changed during setup, but wasn’t forced and did not always happen. It was deemed unimportant because, supposedly, it wasn’t public (Google searches would find it) and therefore not a risk. However, a competitor’s customer was hacked with their hard-coded password and suddenly our hard-coded password became priority #1.

The more things change, the more they stay the same….