Comment by auspex
3 years ago
If the vulnerability is present it’s still a vulnerability. Just because the module isn’t enabled doesn’t mean it can’t still be taken advantage of in a remote code execution scenario.
Not using a library !== not vulnerable.
I forget the specifics, but there was no way to exercise the module remotely. I think it was actually Apache, not nginx, and the module was not even loaded. It was one of those bullshit "medium priority" line items.
You are probably misremembering the story. If the module was really not enabled it wouldn't come up in a security scan or be present in the banner.
If it's the kind of report I've seen, it could've been along the lines of "Package version X.Y.Z comes with M module which has V vulnerability. Upgrade to X.Y.Z+1, which patched it." They don't actually look at the enabled modules.
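As an added example (not from the thread or any scanner vendor), this Python helper triages a version-based finding of the kind described above against `apachectl -M` output and the on-disk config, distinguishing "loaded now" from "only referenced in config, could be enabled later" (the point raised in the reply below); the finding, the module name `mod_example`, and the config snippets are constructed stand-ins.

```python
import re

# Constructed sample of a version-based scanner finding: the scanner matched
# the package version, not what the running server actually loads.
SCANNER_FINDING = {
    "package": "apache2",
    "installed": "2.4.41",      # constructed version, not a real advisory
    "fixed_in": "2.4.42",
    "module": "mod_example",    # hypothetical module name
    "severity": "medium",
}

# Constructed stand-in for `apachectl -M` output (modules loaded right now).
APACHECTL_M = """Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 ssl_module (shared)
"""

# Constructed stand-in for config files; a module may be referenced here
# without being loaded, so a later `a2enmod` would expose it.
CONFIG_FILES = {
    "/etc/apache2/mods-available/example.load":
        "LoadModule example_module /usr/lib/apache2/modules/mod_example.so\n",
    "/etc/apache2/apache2.conf":
        "ServerRoot /etc/apache2\nInclude mods-enabled/*.load\n",
}

def loaded_modules(apachectl_output):
    """Parse `apachectl -M` output into the set of loaded module names."""
    return {m.group(1) for m in re.finditer(r"^\s*(\w+_module)\s+\(", apachectl_output, re.M)}

def config_references(config_files, module):
    """Return config files whose LoadModule lines point at the module's .so."""
    pattern = re.compile(r"^\s*LoadModule\s+\S+\s+\S*%s\.so" % re.escape(module), re.M)
    return sorted(path for path, text in config_files.items() if pattern.search(text))

def triage(finding, apachectl_output, config_files):
    """Classify the finding: loaded now, referenced in config only, or neither.
    Every outcome still ends in patching; only the urgency differs."""
    mod = finding["module"]
    # Apache registers mod_foo.so as foo_module in the loaded-module list.
    registered = mod[len("mod_"):] + "_module" if mod.startswith("mod_") else mod
    if registered in loaded_modules(apachectl_output):
        return "loaded: exposed now, patch urgently"
    refs = config_references(config_files, mod)
    if refs:
        return "not loaded but referenced in config (%s): patch before it is enabled" % ", ".join(refs)
    return "not loaded, not referenced: patch on the normal version-upgrade schedule"
```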
What happens when another dev takes over and loads the module? This sounds similar to using a vulnerable library without invoking the vulnerable function - it still could unwittingly be used in the future.