On Wed, Jun 7, 2023 at 12:13 PM Izaac <izaac@setec.org> wrote:
>> A quick search of https://cve.mitre.org/cve/search_cve_list.html shows between 600 and 3700 CVEs related to default configurations that are
>
> You literally just gave me a link to the CVE search page, waved your hand, and said, "See?" Well, I'll admit to not being as good at conducting CVE research as you.
Evidently. Since we're talking about default configurations, the obvious search is "default configurations." That yields 770 results.

The fourth in my list is CVE-2023-33949, a piece of software whose default configuration lets folks create accounts without verifying their email address. That's a reasonable setting when the application is not exposed to the public Internet and you want to minimize setup effort. The mitigation is to change the configuration setting.

Expanding the search to "defaults" yields 3769 results. I didn't read through 3769 results to find one that was perfectly, flawlessly on point, but there were plenty where something about the software's default configuration is insecure until the operator changes the configuration.

Regards,
Bill Herrin

-- 
William Herrin
bill@herrin.us
https://bill.herrin.us/