Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-28200PUBLISHED: 2022-07-02
NVIDIA DGX A100 contains a vulnerability in SBIOS in the BiosCfgTool, where a local user with elevated privileges can read and write beyond intended bounds in SMRAM, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can ext...
CVE-2022-32551PUBLISHED: 2022-07-02Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml).
CVE-2022-32411PUBLISHED: 2022-07-01An issue in the languages config file of HongCMS v3.0 allows attackers to getshell.
CVE-2022-32412PUBLISHED: 2022-07-01An issue in the /template/edit component of HongCMS v3.0 allows attackers to getshell.
CVE-2022-34903PUBLISHED: 2022-07-01GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.
User Rank: Author
4/20/2014 | 12:38:43 PM
I don't view assurance as a black-and-white situation. And neither did the authors of the Orange Book. All the problems you mention could be easily verified by a set of automated tests delivered with the software. You don't have to get all the way to formal methods and proof-carrying code to gain assurance.
Give me some software with some reproduceable test cases, the results of some testing tools, let me know a little bit about who wrote it, what tools they used, and their process and I'm probably in a lot better situation than if I just download some code off the Internet.