Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential Data Discrepancy in CVE Listings #4860

Open
leoambrus opened this issue Oct 1, 2024 · 1 comment
Open

Potential Data Discrepancy in CVE Listings #4860

leoambrus opened this issue Oct 1, 2024 · 1 comment

Comments

@leoambrus
Copy link

leoambrus commented Oct 1, 2024
edited
Loading

While conducting a deeper analysis of your repository to compare it with the NVD (National Vulnerability Database) in terms of usability and available information, with the goal of making life easier for security researchers, I discovered 2,249 artifacts that lacked CVE names. Upon focusing on these, I found that 99 of them were indeed listed in the NVD, which made it odd that the CVE identifiers were not explicitly present in the JSON files. I then examined the references and noticed that these artifacts contained links to the NVD, where their respective CVEs were listed.

I wanted to bring this potential discrepancy to your attention, as these artifacts do have associated CVEs, which are documented in the attached file along with their corresponding NVD links. This might indicate a possible issue in the database that could benefit from further review.

Here are the names of the files along with the names of the CVE's mentioned in them and their links to the nvd which is where I got the CVE's from:
https://github.com/leoambrus/artefactswithoutCVEonGitHubAdvisoryDatabase/blob/main/README.md
@shelbyc
Copy link
Contributor

shelbyc commented Oct 7, 2024

Hi @leoambrus, I reviewed a sample of 25 of the advisories listed in https://github.com/leoambrus/artefactswithoutCVEonGitHubAdvisoryDatabase/blob/main/README.md to see what might have happened. The very short answer is that only one advisory can have a CVE ID attached to it, and sometimes more than one advisory discusses the same CVE.

What I found is:

  1. GHSA-2gg5-7c4v-6xx2 was withdrawn as a duplicate of GHSA-m77f-652q-wwp4, which has CVE-2022-3212.
  2. GHSA-2m65-m22p-9wjw was withdrawn as a duplicate of GHSA-vh55-786g-wjwj, which has CVE-2022-34716.
  3. GHSA-2w9p-xf5h-qwj3 was withdrawn as a duplicate of GHSA-8px5-63x9-5c7p, which has CVE-2018-25083.
  4. GHSA-32q7-gv7f-4cg5 was withdrawn as a duplicate of GHSA-g74q-5xw3-j7q9, which has CVE-2024-21386.
  5. GHSA-392c-vjfv-h7wr was withdrawn as a duplicate of GHSA-f678-j579-4xf5, which has CVE-2023-40610.
  6. GHSA-3cgw-hfw7-wc7j was withdrawn as a duplicate of GHSA-qrrg-gw7w-vp76, which has CVE-2023-1410.
  7. GHSA-3gjc-mp82-fj4q was withdrawn as a duplicate of GHSA-w6x2-jg8h-p6mp, which has CVE-2023-30451.
  8. GHSA-3mq5-fq9h-gj7j was withdrawn as a duplicate of GHSA-f8cc-g7j8-xxpm, which has CVE-2022-40151.
  9. GHSA-3p2q-mh7q-9pxj was withdrawn as a duplicate of GHSA-wm5g-p99q-66g4, which has CVE-2023-35840.
  10. GHSA-3r5c-h7g6-cqw7 was withdrawn as a duplicate of GHSA-4f25-2x2c-vg6v, which has CVE-2023-1703.
  11. GHSA-3x9g-xfj5-fq84 was withdrawn as a duplicate of GHSA-48cq-79qq-6f7x, which has CVE-2024-1727.
  12. GHSA-3xc6-7h59-j2x4 was withdrawn as a duplicate of GHSA-3qx3-6hxr-j2ch, which has CVE-2024-25817.
  13. GHSA-4553-hq82-8654 was withdrawn as a duplicate of GHSA-3px7-jm2p-6h2c, which has CVE-2024-0241.
  14. GHSA-4frv-5fj6-4p25 was withdrawn as a duplicate of GHSA-fr2g-9hjm-wr23, which has CVE-2023-47090.
  15. GHSA-4mvm-xh8j-fv27 was withdrawn as a duplicate of GHSA-x2xw-hw8g-6773, which has CVE-2024-22048.
  16. GHSA-4q82-j5c2-g2c5 was withdrawn as a duplicate of GHSA-cw9j-q3vf-hrrv, which has CVE-2024-3574.
  17. GHSA-4vrx-8phj-x3mg was withdrawn as a duplicate of GHSA-69fp-7c8p-crjr, which has CVE-2024-4540.
  18. GHSA-52jw-f3jq-hhwg was withdrawn as a duplicate of GHSA-x6p7-44rh-m3rr, which has CVE-2023-6813.
  19. GHSA-54r5-wr8x-x5v3 is a duplicate of GHSA-j94p-hv25-rm5g, which has CVE-2022-47551. Although GHSA-54r5-wr8x-x5v3 hasn't been withdrawn yet, it should be withdrawn and I'll take action on marking this advisory as a duplicate.
  20. GHSA-5968-qw33-h47j was withdrawn as a duplicate of GHSA-cvg2-7c3j-g36j, which has CVE-2023-6134.
  21. GHSA-5c6q-f783-h888 is a duplicate of GHSA-jc69-hjw2-fm86, which has CVE-2022-41828. Although GHSA-5c6q-f783-h888 hasn't been withdrawn yet, it should be withdrawn and I'll take action on marking this advisory as a duplicate.
  22. GHSA-62qf-jcq8-8gxw was withdrawn as a duplicate of GHSA-2m57-hf25-phgg, which has CVE-2024-4340.
  23. GHSA-65f3-3278-7m65 was withdrawn as a duplicate of GHSA-gw5h-h6hj-f56g, which has CVE-2022-0871.
  24. GHSA-65pc-76pq-pvf5 was withdrawn as a duplicate of GHSA-4685-2x5r-65pj, which has CVE-2024-3250.
  25. GHSA-69fc-v223-6rjw was withdrawn as a duplicate of GHSA-6qjm-39vh-729w, which has CVE-2023-1702.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@shelbyc @leoambrus