mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-28 18:02:38 +02:00
Ignore CVE-2023-7104 from our security scans
Our security scans for the released container image have flagged CVE-2023-7104. Our assessment is that this CVE doesn't affect Dangerzone, mainly because our understanding is that attackers cannot embed SQLite dbs within LibreOffice spreadsheets.
This commit is contained in:
Alex Pyrgiotis
parent
2f318f1633
commit
a6755080ad
1 changed files with 21 additions and 0 deletions
21
.grype.yaml
21
.grype.yaml
|
|
@ -2,3 +2,24 @@
|
||||||
# latest release of Dangerzone, and offer our analysis.
|
# latest release of Dangerzone, and offer our analysis.
|
||||||
|
|
||||||
ignore:
|
ignore:
|
||||||
|
# CVE-2023-7104
|
||||||
|
# =============
|
||||||
|
#
|
||||||
|
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-7104
|
||||||
|
# Verdict: Dangerzone is not affected. The rationale is the following:
|
||||||
|
#
|
||||||
|
# 1. This CVE affects malicious/corrupted SQLite DBs.
|
||||||
|
# 2. Databases can be loaded either via LibreOffice Calc or Base. Files for
|
||||||
|
# the latter are not a valid input to Dangerzone.
|
||||||
|
# 3. Based on the LibreOffice Calc guide [1], users can only refer to
|
||||||
|
# external databases, not embed them in a spreadsheet.
|
||||||
|
# 4. The actual CVSS score for this vulnerability is High, according to
|
||||||
|
# NIST, not Critical.
|
||||||
|
#
|
||||||
|
# [1]: From https://wiki.documentfoundation.org/images/f/f4/CG75-CalcGuide.pdf:
|
||||||
|
#
|
||||||
|
# > The possible data sources for the pivot table are a Calc spreadsheet
|
||||||
|
# > or an external data source that is registered in LibreOffice. [...]
|
||||||
|
# > A registered data source is a connection to data held in a database
|
||||||
|
# > outside of LibreOffice.
|
||||||
|
- vulnerability: CVE-2023-7104
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue