Full Disclosure mailing list archives

From: Art Manion via Fulldisclosure <fulldisclosure () seclists org> Date: Thu, 08 Jan 2026 18:26:44 +0000

Hi,

the vulnerabilities are no longer considered eligible for CVE tracking, despite being real, independently discovered,
responsibly disclosed, and acknowledged by the vendor.

CVE IDs *can* be assigned for SaaS or similarly "cloud only" software.  For a period of time, there was a restriction
that only the provider could make or request such an assignment.  But the current CVE rules remove this restriction:

4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, artificial intelligence, machine
learning) as the sole basis for determining assignment.

It would have been acceptable (even preferred) to leave CVE-2025-34411 and CVE-2025-34412 published and identify them
as affecting an "exclusively-hosted-service:"

5.1.11.1 (A CVE Record) MUST use the “exclusively-hosted-service” tag when all known Products listed in the CVE Record
exist only as fully hosted services. If the Vulnerability affects both hosted services and on-premises Products, then
this tag MUST NOT be used.

Rules: https://www.cve.org/resourcessupport/allresources/cnarules

Regards,

- Art


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

• Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group) Art Manion via Fulldisclosure (Jan 10)