dionach / CodeIgniterXor

CodeIgniter <=2.1.4 session cookie decryption vulnerability

CVE number

JaneX8 opened this issue · comments

commented

Hello,

I'm wondering why this vulnerability isn't submitted to the CVE database. Under CPE cpe:/a:codeigniter:codeigniter

http://www.cvedetails.com/vulnerability-list/vendor_id-6918/Codeigniter.html
Can I help you submit this to the CVE database?

Greetings!

commented

I believe that a CVE has already been allocated for this issue (CVE-2014-8686) - although this currently shows up as reserved on MITRE's site.

I don't think this was assigned when the vuln was originally reported to EllisLab - but this was around the time when the ownership of CodeIgniter was changing, so it's possible that the requests got lost at that point.

BeyondBinary wrote an advisory earlier this year about an issue on Seagate NASs, and he references that CVE in that advisory, so MITRE are definitely aware of this issue - but quite why the CVE details aren't public I don't know. If you're in contact with someone at MITRE they may be able to shed some light onto this.

Thanks,

~rbsec

commented

Thank you @rbsec. I have just contacted MITRE about this and I will possibly contact the authors of these articles as well: