# This configuration file will be used to track CVEs that we can ignore for the # latest release of Dangerzone, and offer our analysis. ignore: # CVE-2023-7104 # ============= # # NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-7104 # Verdict: Dangerzone is not affected. The rationale is the following: # # 1. This CVE affects malicious/corrupted SQLite DBs. # 2. Databases can be loaded either via LibreOffice Calc or Base. Files for # the latter are not a valid input to Dangerzone. # 3. Based on the LibreOffice Calc guide [1], users can only refer to # external databases, not embed them in a spreadsheet. # 4. The actual CVSS score for this vulnerability is High, according to # NIST, not Critical. # # [1]: From https://wiki.documentfoundation.org/images/f/f4/CG75-CalcGuide.pdf: # # > The possible data sources for the pivot table are a Calc spreadsheet # > or an external data source that is registered in LibreOffice. [...] # > A registered data source is a connection to data held in a database # > outside of LibreOffice. - vulnerability: CVE-2023-7104 # CVE-2024-5535 # ============= # # NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-5535 # Verdict: Dangerzone is not affected. The rationale is the following: # # 1. This CVE affects applications that make network calls. The Dangerzone # container does not perform any such calls, and has no access to the # internet. # 2. The OpenSSL devs have marked this issue as low severity [1]. # # [1]: From https://www.openssl.org/news/secadv/20240627.txt: # # > This issue has been assessed as Low severity because applications are # > most likely to be vulnerable if they are using NPN instead of ALPN - # > but NPN is not widely used. It also requires an application # > configuration or programming error. Finally, this issue would not # > typically be under attacker control making active exploitation # > unlikely. - vulnerability: CVE-2024-5535