I found some serious vulnerabilities in my university's infrastructure. The infrastructure is a web app built with Spring and it's developed and used solely by the University.

Using it I can get sensitive information for all students and gain access to their accounts on the infrastructure. I'm planning to coordinate a vulnerability disclosure.

I am wondering whether I can get CVE numbers for it.

John Doe
  • Have you looked up the CVE number assigning process? – schroeder Mar 16 '20 at 07:37
  • @schroeder Yes, but it was not very clear. – John Doe Mar 16 '20 at 07:43
  • @JohnDoe: https://cve.mitre.org/cve/request_id.html – fgk Mar 16 '20 at 07:44
  • What was not clear? Any answer will simply point you to the CVE page. If you've read it, then you need to explain why the page *didn't* help you. – schroeder Mar 16 '20 at 07:44
  • Does this answer your question? [How can I report a new vulnerability to cve.mitre.org such that they assign a CVE ID to it?](https://security.stackexchange.com/questions/121044/how-can-i-report-a-new-vulnerability-to-cve-mitre-org-such-that-they-assign-a-cv), [How to exactly create a CVE?](https://security.stackexchange.com/questions/107828/how-to-exactly-create-a-cve), [CVE submission process?](https://security.stackexchange.com/questions/172243/cve-submission-process), ... – Steffen Ullrich Mar 16 '20 at 08:15
  • It's closed source, OK... but is it distributed in any manner? If the vulnerable app was developed internally only for your university's usage, then there's no need for a CVE at all. – binarym Mar 16 '20 at 10:35
  • @binarym That's what I was asking. It's closed source and not distributed, so can I obtain a CVE? Not that I need one. – John Doe Mar 16 '20 at 10:46
  • I don't think so... Who cares about software that is only deployed at your university? Nobody but your university staff. So there's absolutely no interest in having a CVE for such a product.... Just contact your university staff and forget about glory in this case ;-) – binarym Mar 16 '20 at 11:10
  • I didn't find a strict reference on the CVE site, but if you have a look at the [wikipedia](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) page, you can read: "MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly known information-security vulnerabilities in **publicly released software packages**." – binarym Mar 16 '20 at 11:15
  • Your answer is directly contained within the form to request a CVE ID: "Please ensure vendor or product exists in the Products and Sources list http://cve.mitre.org/cve/data_sources_product_coverage.html" From your description, it's not a "product", it's an internal project. – schroeder Mar 16 '20 at 11:44

1 Answer

The short answer is no.

If it's a closed source product, and it is not off-the-shelf, or distributed, then there is no benefit to having a CVE number assigned.

In fact, the CVE assigning authorities would not consider such a request.

> Please ensure vendor or product exists in the Products and Sources list cve.mitre.org/cve/data_sources_product_coverage.html

A CVE number is a way of alerting the public to an issue in applications they might use. It is not a posterity number.

You should contact the responsible persons for maintaining the system and disclose it as soon as possible to them, so that the risk that a malicious actor might find what you have found is minimized.

h01592863