RE: CVE: Exposures or Enumeration?



Isn't an "exposure" that is not configurable a "vulnerability" in the classical sense (e.g., a software/hardware flaw)? If that is true, we can simply use the more specific term "vulnerability" and stop using the more abstract term "exposure". I believe that this is what has happened in the CVE community over the past 20 years.

For your error logging example, if the presence of the log message violates the security model of the software, I would call this a "vulnerability" in the classical sense. For example, users accessing this information without authentication or proper privileges would violate the security model. It wouldn't be a violation of the security model if this information was provided to administrators that authenticated first, since they are allowed access to this information for debugging purposes.

Regards,
Dave

-----Original Message-----
From: Pascal Meunier <>
Sent: Tuesday, August 18, 2020 10:53 AM
To: Waltermire, David A. (Fed) <>
Cc: CVE Editorial Board Discussion <>
Subject: Re: CVE: Exposures or Enumeration?

Good point. Of course CVEs for a configurable option per deployment instance would be noisy, have low value and be impractical. A generic CVE would be redundant with the CWE and would not be actionable, so no to that, and good riddance to those, as I agree that their place is not in the CVE. However, if it's not configurable, then a CVE per software version or version range seems reasonable, using item 7.2.4 of the assignment rules in the case of multiple products.

Does the above make sense? Thank you for your patience while I'm indulging in revisiting an issue that seemed settled.

Pascal

On Tue, 18 Aug 2020 14:03:37 +0000
"Waltermire, David A. (Fed)" <> wrote:

> Here is a list of other similar exposures that represent local configuration issues of software.
>
> Exposure of Information Through Directory Listing CWE-548
> J2EE Misconfiguration: Missing Custom Error Page CWE-7
>
> Should we assign CVEs for these? If so, do we assign a CVE on a website-by-website basis? One for each software? One for each software version? A generic CVE for all software with this weakness?
>
> Regards,
> Dave
>
>
>
> -----Original Message-----
> From: Pascal Meunier <>
> Sent: Tuesday, August 18, 2020 6:44 AM
> To: Waltermire, David A. (Fed) <>; CVE
> Editorial Board Discussion <>
> Subject: CVE: Exposures or Enumeration?
>
> David,
> Regarding the renaming of the CVE and the role of exposures in it, I would like to point out that there are CWEs about exposures. One that I encounter often and is a problem in weighing debugging convenience over security is CWE-209 "Information Exposure Through an Error Message". It's very encouraging and helpful to an attacker to see that they're making progress and that an error message suggests that an SQL injection vulnerability is in there somewhere. Inasmuch as CVEs are instances of CWEs, and the CWE has exposures, then the CVE should have exposures in its scope.
>
> Regards,
> Pascal
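
The distinction Dave draws above (database error detail returned to an authenticated administrator versus a generic message to everyone else, with the full detail kept in the server log) as an added Python example; this is not code from the thread, and the handler, the admin role check, the correlation id and the in-memory SQLite setup are all constructed for illustration:

```python
import logging
import sqlite3
from typing import Optional

# Constructed example: a request handler deciding how much of a database
# error to reveal, based on whether the caller is an authenticated admin.
log = logging.getLogger("app")

GENERIC_MESSAGE = "An internal error occurred. Reference id: {ref}"


def handle_db_error(exc: Exception, user: Optional[dict], ref: str) -> dict:
    """Build the response body for a failed query.

    Full detail is always logged server-side. It is returned in the response
    only to an authenticated administrator (debugging is part of their role);
    anyone else gets a generic message plus a correlation id the admin can
    look up in the log. This is the CWE-209 case from the thread: the same
    text is an exposure or not depending on who can read it.
    """
    log.error("ref=%s db error: %s", ref, exc)
    is_admin = (
        user is not None
        and user.get("authenticated") is True
        and user.get("role") == "admin"
    )
    if is_admin:
        return {"status": 500, "error": str(exc), "ref": ref}
    return {"status": 500, "error": GENERIC_MESSAGE.format(ref=ref), "ref": ref}


def lookup_user(conn: sqlite3.Connection, username: str,
                user: Optional[dict], ref: str) -> dict:
    """Run a parameterized lookup; route any DB failure through handle_db_error."""
    try:
        row = conn.execute(
            "SELECT id FROM users WHERE name = ?", (username,)
        ).fetchone()
    except sqlite3.Error as exc:
        return handle_db_error(exc, user, ref)
    return {"status": 200 if row else 404, "id": row[0] if row else None}


def make_connection(with_table: bool) -> sqlite3.Connection:
    """Constructed fixture: an in-memory DB, optionally missing the users table
    so that a query raises 'no such table: users'."""
    conn = sqlite3.connect(":memory:")
    if with_table:
        conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
        conn.execute("INSERT INTO users (name) VALUES ('alice')")
    return conn
```

Running `lookup_user` against `make_connection(False)` as an anonymous caller yields only the generic message and reference id, while the same call with an authenticated admin returns the underlying SQLite error text.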
