ReDoS (Regular Expression Denial of Service) being High severity in MITRE is such a crock of shit.
@yossarian wrote about this 2 years ago, and it's just as true today. MITRE acts like they're paid per CVE, and they're desperate for pocket money. The wrong people have been incentivised for the wrong things.
A DoS of a library/application should not be a High. A DoS of an OS or appliance could maybe be a High!
https://blog.yossarian.net/2022/12/28/ReDoS-vulnerabilities-and-misaligned-incentives
=> More informations about this toot | View the thread | More toots from bea@infosec.exchange