Comment by auspex

3 years ago

If the vulnerability is present it’s still a vulnerability. Just because the module isn’t enabled doesn’t mean it can’t still be taken advantage of in a remote code execution scenario.

Not using a library !== not vulnerable.

I forget the specifics, but there was no way to exercise the module remotely. I think it was actually Apache, not nginx, and the module was not even loaded. It was one of those bullshit "medium priority" line items.

  • You are probably misremembering the story. If the module was really not enabled it wouldn't come up in a security scan or be present in the banner.

    • If it's the kind of report I've seen, it could've been along the lines of Package version X.Y.Z comes with M module which has V vulnerability. Upgrade to X.Y.Z+1, which patched it. They don't actually look at the enabled modules.

  • What happens when another dev takes over and loads the module? This sounds similar to using a vulnerable library without invoking the vulnerable function - it still could unwittingly be used in the future.