174 points andy99 | 2 comments
jtchang ◴[] No.43604870[source]
It's so dumb to assign it a CVSS score of 10.

Unless you are blindly accepting Parquet-formatted files, this really doesn't seem that bad.

A vulnerability in parsing images, xml, json, html, css would be way more detrimental.

I can't think of many services that accept parquet files directly. And of those usually you are calling it directly via a backend service.

replies(3): >>43605359 #>>43605393 #>>43606782 #
1. bigfatkitten ◴[] No.43605359[source]
Vendor CVSS scores are always inherently meaningless because they can't take into account the factors specific to the user's environment.

Users need to do their own assessments.

replies(1): >>43606784 #
2. worthless-trash ◴[] No.43606784[source]
This comment overgeneralises the problem, but is inherently absurd. There are key indicators in scoring that explain the attack itself, which isn't environment-specific.

I do agree that in most cases the deployment-specific configuration affects the ability to be exploited, and users or developers should analyse their own configuration.