"at least one being a buffer overflow"
Really? A buffer overflow? In 2020?
Dear God that should be a hanging offense by now.
Cisco has issued a series of security updates for its SD-WAN and Webex software, just when they're most needed. Switchzilla says the SD-WAN code is host to five vulnerabilities ranging from privilege escalation to remote code injection. The five CVE-listed bugs (CVE-2020-3264, CVE-2020-3265, CVE-2020-3266, CVE-2019-16010, CVE- …
Within the last few months another reviewer and I asked an open-source project lead to reject a PR because its API alone had a buffer overflow vulnerability - it didn't even pass the size of the buffer at all, let alone check that the data fit...
The author of the PR then spent the next few weeks denying there could be a problem, and calling us trolls.
They even said that the test case was "not a valid file" and so they wouldn't fix it.
I don't know if that particular idiot works in the industry, but if they do it's pretty obvious that their professional projects will be worse...
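The API shape described in the comment above, as an added illustration that is not code from the original thread or from any project mentioned in it: a fixed-size destination, a callee that never learns its size, and beside it the version that takes both the input length and the destination length and rejects anything that does not fit. The record format (a one-byte length prefix followed by a name), the function names and the sample inputs are all assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout (assumed for this example): one length byte
 * followed by that many bytes of name.  NAME_MAX is the caller's buffer. */
#define NAME_MAX 16

/* The shape being objected to: the destination size is not a parameter, so
 * the callee has no way to bounds-check.  A crafted record whose length byte
 * exceeds the caller's buffer (exactly the "not a valid file" test case)
 * writes past the end of dst.  Kept only for contrast; never call it. */
void parse_name_unsafe(const uint8_t *rec, char *dst)
{
    size_t len = rec[0];
    memcpy(dst, rec + 1, len);      /* no check against sizeof dst */
    dst[len] = '\0';
}

/* Hardened form: both the input length and the destination capacity are
 * passed in, and the function refuses records that over-read the input or
 * would not fit in dst together with the terminator.  Returns the name
 * length on success, -1 on rejection. */
int parse_name_safe(const uint8_t *rec, size_t rec_len,
                    char *dst, size_t dst_len)
{
    if (rec == NULL || dst == NULL || dst_len == 0 || rec_len < 1)
        return -1;

    size_t len = rec[0];
    if (len > rec_len - 1)          /* length byte claims more than we have */
        return -1;
    if (len >= dst_len)             /* would not fit with the NUL terminator */
        return -1;

    memcpy(dst, rec + 1, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed sample inputs (not taken from any real file). */

/* Well-formed record: length 5, "hello". */
int demo_valid(void)
{
    static const uint8_t rec[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    char dst[NAME_MAX];
    return parse_name_safe(rec, sizeof rec, dst, sizeof dst);
}

/* Truncated record: claims 200 bytes but only 3 follow (over-read). */
int demo_truncated(void)
{
    static const uint8_t rec[] = { 200, 'x', 'x', 'x' };
    char dst[NAME_MAX];
    return parse_name_safe(rec, sizeof rec, dst, sizeof dst);
}

/* Oversized record: 20 bytes of name, complete in the input, but larger
 * than the 16-byte destination.  This is the case the unsafe version
 * would turn into a stack overflow; the safe version rejects it. */
int demo_oversized(void)
{
    uint8_t rec[1 + 20];
    char dst[NAME_MAX];
    rec[0] = 20;
    memset(rec + 1, 'a', 20);
    return parse_name_safe(rec, sizeof rec, dst, sizeof dst);
}
```

The point of the second signature is that the check is possible at all: once `dst_len` is a parameter, a reviewer can see the bound being enforced, and a test case that is "not a valid file" is precisely the input the function is expected to reject rather than trust.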
The difference is Cisco finds vulnerabilities, patches them and reports them.
Yes, some are severe - most of the infrastructure vulnerabilities are very specific issues and have workarounds (i.e. ACLs using existing features of the product) available.
For WebEx, yes it is high profile but is it part of the core product or an add-on utility where equivalent products from other vendors have similar issues? How often have you used offline players with other products, or do they not have that functionality?