Post AdDDGPQTvZ1M6gmq3M by eltonfc@bertha.social
 (DIR) Post #AdD8ImG3Viq1j8DhJ2 by mttaggart@infosec.town
       2023-12-26T19:18:48.780Z
       
       0 likes, 0 repeats
       
       @eltonfc @simontsui I found this blog with a PoC, by way of Seclists which notes that the 9.8 is "ridiculous."
       
 (DIR) Post #AdD9p0XQ3LwREjH3RY by mttaggart@infosec.town
       2023-12-26T19:35:56.588Z
       
       0 likes, 0 repeats
       
       @eltonfc @simontsui Okay, so now this makes more sense. Yes, a malicious Git submodule when pulled could exploit this. That's what I was missing. But yeah, the user interaction part is why I bumped on 9.8, but you're totally right that a supply chain attack might trigger this. Although, based on what I'm seeing, it wouldn't be all that subtle. The pull fails noisily.
       
 (DIR) Post #AdDDGPQTvZ1M6gmq3M by eltonfc@bertha.social
       2023-12-26T20:08:23Z
       
       1 likes, 0 repeats
       
       @mttaggart @simontsui yeah, if the pull fails noisily, 9.8 may be too much. This is not the first time that nonsense high CVE scores have been given this year; I remember the OpenSSL ones.