(www.bleepingcomputer.com)

174 points andy99 | 3 comments | 06 Apr 25 17:21 UTC | HN request time: 0.232s | source

Show context

nikanj ◴[06 Apr 25 18:18 UTC] No.43603575[source]▶

"Maximum severity RCE" no longer means "unauthenticated RCE by any actor", it now means "the vulnerability can only be exploited if a malicious file is imported"

Grumbling about CVE inflation

replies(3): >>43603718 #>>43604364 #>>43604433 #

1. kevincox ◴[06 Apr 25 19:49 UTC] No.43604364[source]▶

>>43603575 #

But Parquet is intended to be a safe format. So importing a malicious file should still be safe.

Like if a browser had a vulnerability parsing HTML of course it is a major concern because very often browsers to parse HTML from untrusted parties.

replies(1): >>43604910 #

2. mr_mitm ◴[06 Apr 25 20:58 UTC] No.43604910[source]▶

>>43604364 (TP) #

Why is "user interaction: none" though? There should be reasoning attached to the CVSS vector in these CVEs.

replies(1): >>43605059 #

3. StressedDev ◴[06 Apr 25 21:21 UTC] No.43605059[source]▶

>>43604910 #

Probably because there are services (AKA web services, software listening on a network port, etc.) out there which accept arbitrary Parquet files. This seems like a safe assumption given lots of organizations use micro-services or cloud venders use the same software on the same machine to process requests from different customers. This is a bad bug and if you use the affected code, you should update immediately.

↑

Max severity RCE flaw discovered in widely used Apache Parquet