CVE in Your CVE: When the Patch Doesn't Fix the Vulnerability (opens in new tab)

A big part of what I do for PentesterLab is reading CVEs. I spend a lot of time going through them: it's how I find interesting content, spot trends, and decide what to build next. The best ones end up as hacking labs or code review labs. Every so often, something else happens. I'm reading the patch that's supposed to fix a vulnerability, and I find a way around it. The fix doesn't actually fix the issue. When that happens, I report the bypass before I publish anything. The reason is simple: ...