Open question: vendor / tool name mapping across sources #5

Open
Rafiot opened this issue Jun 1, 2023 · 3 comments

Comments

@Rafiot
Collaborator

Rafiot commented Jun 1, 2023

We have a few ways to represent what is affected by a vulnerability.

Let's go through them with a random CVE (CVE-2023-21825).

  • CVE - contains a CPE 2.3 entry:
{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2023-06-01T16:03:47.303",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2023-21825",
        "sourceIdentifier": "secalert_us@oracle.com",
        "published": "2023-01-18T00:15:12.517",
        "lastModified": "2023-01-24T19:41:12.840",
        "vulnStatus": "Analyzed",
        "descriptions": [
          {
            "lang": "en",
            "value": "Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Supplier Management).  Supported versions that are affected are 12.2.6-12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupplier Portal.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle iSupplier Portal accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "secalert_us@oracle.com",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 1.4
            }
          ]
        },
        "weaknesses": [
          {
            "source": "nvd@nist.gov",
            "type": "Primary",
            "description": [
              {
                "lang": "en",
                "value": "NVD-CWE-noinfo"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:oracle:isupplier_portal:*:*:*:*:*:*:*:*",
                    "versionStartIncluding": "12.2.6",
                    "versionEndIncluding": "12.2.8",
                    "matchCriteriaId": "7B6D4280-C1CC-4361-9A7C-B9C55F8CFF8C"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://www.oracle.com/security-alerts/cpujan2023.html",
            "source": "secalert_us@oracle.com",
            "tags": [
              "Patch",
              "Vendor Advisory"
            ]
          }
        ]
      }
    }
  ]
}
  • GSD - something somewhat close to a CPE 2.3 but not really, and a complete copy of the CVE
{
    "GSD": {
        "alias": "CVE-2023-21825",
        "id": "GSD-2023-21825"
    },
    "namespaces": {
        "cve.org": {
            "CVE_data_meta": {
                "ASSIGNER": "secalert_us@oracle.com",
                "ID": "CVE-2023-21825",
                "STATE": "PUBLIC"
            },
            "affects": {
                "vendor": {
                    "vendor_data": [
                        {
                            "product": {
                                "product_data": [
                                    {
                                        "product_name": "iSupplier Portal",
                                        "version": {
                                            "version_data": [
                                                {
                                                    "version_affected": "=",
                                                    "version_value": "12.2.6-12.2.8"
                                                }
                                            ]
                                        }
                                    }
                                ]
                            },
                            "vendor_name": "Oracle Corporation"
                        }
                    ]
                }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
                "description_data": [
                    {
                        "lang": "eng",
                        "value": "Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Supplier Management).  Supported versions that are affected are 12.2.6-12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupplier Portal.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle iSupplier Portal accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)."
                    },
                    {
                        "lang": "eng",
                        "value": "Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Supplier Management). Supported versions that are affected are 12.2.6-12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupplier Portal. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle iSupplier Portal accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)."
                    }
                ]
            },
            "impact": {
                "cvss": [
                    {
                        "attackComplexity": "LOW",
                        "attackVector": "NETWORK",
                        "availabilityImpact": "NONE",
                        "baseScore": 5.3,
                        "baseSeverity": "MEDIUM",
                        "confidentialityImpact": "LOW",
                        "integrityImpact": "NONE",
                        "privilegesRequired": "NONE",
                        "scope": "UNCHANGED",
                        "userInteraction": "NONE",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                        "version": "3.1"
                    }
                ]
            },
            "problemtype": {
                "problemtype_data": [
                    {
                        "description": [
                            {
                                "lang": "eng",
                                "value": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupplier Portal.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle iSupplier Portal accessible data."
                            }
                        ]
                    }
                ]
            },
            "references": {
                "reference_data": [
                    {
                        "name": "https://www.oracle.com/security-alerts/cpujan2023.html",
                        "refsource": "MISC",
                        "url": "https://www.oracle.com/security-alerts/cpujan2023.html"
                    }
                ]
            }
        },
        "nvd.nist.gov": {
            "configurations": {
                "CVE_data_version": "4.0",
                "nodes": [
                    {
                        "children": [],
                        "cpe_match": [
                            {
                                "cpe23Uri": "cpe:2.3:a:oracle:isupplier_portal:*:*:*:*:*:*:*:*",
                                "cpe_name": [],
                                "versionEndIncluding": "12.2.8",
                                "versionStartIncluding": "12.2.6",
                                "vulnerable": true
                            }
                        ],
                        "operator": "OR"
                    }
                ]
            },
            "cve": {
                "CVE_data_meta": {
                    "ASSIGNER": "secalert_us@oracle.com",
                    "ID": "CVE-2023-21825"
                },
                "data_format": "MITRE",
                "data_type": "CVE",
                "data_version": "4.0",
                "description": {
                    "description_data": [
                        {
                            "lang": "en",
                            "value": "Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Supplier Management).  Supported versions that are affected are 12.2.6-12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupplier Portal.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle iSupplier Portal accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)."
                        }
                    ]
                },
                "problemtype": {
                    "problemtype_data": [
                        {
                            "description": [
                                {
                                    "lang": "en",
                                    "value": "NVD-CWE-noinfo"
                                }
                            ]
                        }
                    ]
                },
                "references": {
                    "reference_data": [
                        {
                            "name": "https://www.oracle.com/security-alerts/cpujan2023.html",
                            "refsource": "MISC",
                            "tags": [
                                "Patch",
                                "Vendor Advisory"
                            ],
                            "url": "https://www.oracle.com/security-alerts/cpujan2023.html"
                        }
                    ]
                }
            },
            "impact": {
                "baseMetricV3": {
                    "cvssV3": {
                        "attackComplexity": "LOW",
                        "attackVector": "NETWORK",
                        "availabilityImpact": "NONE",
                        "baseScore": 5.3,
                        "baseSeverity": "MEDIUM",
                        "confidentialityImpact": "LOW",
                        "integrityImpact": "NONE",
                        "privilegesRequired": "NONE",
                        "scope": "UNCHANGED",
                        "userInteraction": "NONE",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                        "version": "3.1"
                    },
                    "exploitabilityScore": 3.9,
                    "impactScore": 1.4
                }
            },
            "lastModifiedDate": "2023-01-24T19:41Z",
            "publishedDate": "2023-01-18T00:15Z"
        }
    }
}
{
  "schema_version": "1.4.0",
  "id": "GHSA-pf47-j984-4hxc",
  "modified": "2023-01-18T00:30:18Z",
  "published": "2023-01-18T00:30:18Z",
  "aliases": [
    "CVE-2023-21825"
  ],
  "details": "Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Supplier Management).  Supported versions that are affected are 12.2.6-12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupplier Portal.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle iSupplier Portal accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
    }
  ],
  "affected": [

  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21825"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2023.html"
    }
  ],
  "database_specific": {
    "cwe_ids": [

    ],
    "severity": "MODERATE",
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-18T00:15:00Z"
  }
}

Other example - CVE CVE-2023-32999

{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2023-06-01T16:16:23.483",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2023-32999",
        "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
        "published": "2023-05-16T17:15:12.160",
        "lastModified": "2023-05-31T18:46:35.313",
        "vulnStatus": "Analyzed",
        "descriptions": [
          {
            "lang": "en",
            "value": "A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 1.4
            }
          ]
        },
        "weaknesses": [
          {
            "source": "nvd@nist.gov",
            "type": "Primary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-276"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:jenkins:appspider:*:*:*:*:*:jenkins:*:*",
                    "versionEndIncluding": "1.0.15",
                    "matchCriteriaId": "AC299A2B-F122-46A1-B408-E3F97C9C494E"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121",
            "source": "jenkinsci-cert@googlegroups.com",
            "tags": [
              "Vendor Advisory"
            ]
          }
        ]
      }
    }
  ]
}
{
    "GSD": {
        "alias": "CVE-2023-32999",
        "id": "GSD-2023-32999"
    },
    "namespaces": {
        "cve.org": {
            "CVE_data_meta": {
                "ASSIGNER": "jenkinsci-cert@googlegroups.com",
                "ID": "CVE-2023-32999",
                "STATE": "PUBLIC"
            },
            "affects": {
                "vendor": {
                    "vendor_data": [
                        {
                            "product": {
                                "product_data": [
                                    {
                                        "product_name": "Jenkins AppSpider Plugin",
                                        "version": {
                                            "version_data": [
                                                {
                                                    "version_affected": "<=",
                                                    "version_name": "0",
                                                    "version_value": "1.0.15"
                                                }
                                            ]
                                        }
                                    }
                                ]
                            },
                            "vendor_name": "Jenkins Project"
                        }
                    ]
                }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
                "description_data": [
                    {
                        "lang": "eng",
                        "value": "A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials."
                    }
                ]
            },
            "problemtype": {
                "problemtype_data": [
                    {
                        "description": [
                            {
                                "lang": "eng",
                                "value": "n/a"
                            }
                        ]
                    }
                ]
            },
            "references": {
                "reference_data": [
                    {
                        "name": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121",
                        "refsource": "MISC",
                        "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121"
                    }
                ]
            }
        },
        "nvd.nist.gov": {
            "configurations": {
                "CVE_data_version": "4.0",
                "nodes": [
                    {
                        "children": [],
                        "cpe_match": [
                            {
                                "cpe23Uri": "cpe:2.3:a:jenkins:appspider:*:*:*:*:*:jenkins:*:*",
                                "cpe_name": [],
                                "versionEndIncluding": "1.0.15",
                                "vulnerable": true
                            }
                        ],
                        "operator": "OR"
                    }
                ]
            },
            "cve": {
                "CVE_data_meta": {
                    "ASSIGNER": "jenkinsci-cert@googlegroups.com",
                    "ID": "CVE-2023-32999"
                },
                "data_format": "MITRE",
                "data_type": "CVE",
                "data_version": "4.0",
                "description": {
                    "description_data": [
                        {
                            "lang": "en",
                            "value": "A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials."
                        }
                    ]
                },
                "problemtype": {
                    "problemtype_data": [
                        {
                            "description": [
                                {
                                    "lang": "en",
                                    "value": "CWE-276"
                                }
                            ]
                        }
                    ]
                },
                "references": {
                    "reference_data": [
                        {
                            "name": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121",
                            "refsource": "MISC",
                            "tags": [
                                "Vendor Advisory"
                            ],
                            "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121"
                        }
                    ]
                }
            },
            "impact": {
                "baseMetricV3": {
                    "cvssV3": {
                        "attackComplexity": "LOW",
                        "attackVector": "NETWORK",
                        "availabilityImpact": "NONE",
                        "baseScore": 4.3,
                        "baseSeverity": "MEDIUM",
                        "confidentialityImpact": "NONE",
                        "integrityImpact": "LOW",
                        "privilegesRequired": "LOW",
                        "scope": "UNCHANGED",
                        "userInteraction": "NONE",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                        "version": "3.1"
                    },
                    "exploitabilityScore": 2.8,
                    "impactScore": 1.4
                }
            },
            "lastModifiedDate": "2023-05-31T18:46Z",
            "publishedDate": "2023-05-16T17:15Z"
        }
    }
}
{
  "schema_version": "1.4.0",
  "id": "GHSA-2c5c-fhr8-pwh9",
  "modified": "2023-05-17T03:37:09Z",
  "published": "2023-05-16T18:30:16Z",
  "aliases": [
    "CVE-2023-32999"
  ],
  "summary": "Jenkins AppSpider Plugin missing permission check",
  "details": "Jenkins AppSpider Plugin 1.0.15 and earlier does not perform a permission check in a method implementing form validation.\n\nThis allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.\n\nAdditionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nAppSpider Plugin 1.0.16 requires POST requests and Overall/Administer permission for the affected form validation method.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.rapid7:jenkinsci-appspider-plugin"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.16"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "<= 1.0.15"
      }
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32999"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121"
    }
  ],
  "database_specific": {
    "cwe_ids": [

    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-17T03:37:09Z",
    "nvd_published_at": null
  }
}
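As an added illustration (not code from this issue or from cve-search), here is the "what is affected" part of the three record shapes above reduced to one structure, so it is visible side by side that only the CPE gives a structured vendor/product, GSD gives free text with the range packed into a string, and OSV gives package coordinates or nothing at all; the sample records are trimmed excerpts of the JSON quoted in this comment:

```python
"""Pull the 'what is affected' part out of the three record shapes quoted in
this issue (NVD CVE API 2.0, GSD, OSV/GHSA) into one structure, so what each
source actually tells you is visible side by side. The sample records are
trimmed excerpts of the JSON above."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Affected:
    source: str
    vendor: Optional[str]        # CPE vendor, free-text vendor_name, or OSV ecosystem
    product: Optional[str]       # CPE product, free-text product_name, or package name
    start: Optional[str] = None  # inclusive lower bound, when the source gives one
    end: Optional[str] = None    # inclusive upper bound, when the source gives one
    fixed: Optional[str] = None  # first fixed version (only OSV carries this)
    structured: bool = False     # True when vendor/product come from a controlled vocabulary


def split_cpe23(cpe: str) -> list:
    """Split a CPE 2.3 formatted string on unescaped ':' (13 components)."""
    return re.split(r"(?<!\\):", cpe)


def from_nvd(record: dict) -> list:
    """NVD 2.0: configurations -> nodes -> cpeMatch; vendor/product come from the CPE."""
    out = []
    for vuln in record["vulnerabilities"]:
        for conf in vuln["cve"].get("configurations", []):
            for node in conf["nodes"]:
                for m in node["cpeMatch"]:
                    if not m["vulnerable"]:
                        continue  # platform/dependency node, not the affected product
                    p = split_cpe23(m["criteria"])
                    out.append(Affected("nvd", p[3], p[4], m.get("versionStartIncluding"),
                                        m.get("versionEndIncluding"), structured=True))
    return out


def from_gsd(record: dict) -> list:
    """GSD (cve.org namespace): free-text vendor_name/product_name, version as a string."""
    out = []
    for vendor in record["namespaces"]["cve.org"]["affects"]["vendor"]["vendor_data"]:
        for prod in vendor["product"]["product_data"]:
            for ver in prod["version"]["version_data"]:
                op, val = ver.get("version_affected", "="), ver["version_value"]
                if op == "<=":
                    start, end = None, val
                elif "-" in val:                # "12.2.6-12.2.8": a range packed into a string
                    start, end = val.split("-", 1)
                else:
                    start = end = val
                out.append(Affected("gsd", vendor["vendor_name"], prod["product_name"], start, end))
    return out


def from_osv(record: dict) -> list:
    """OSV/GHSA: package coordinates plus introduced/fixed events; 'affected' may be empty."""
    out = []
    for aff in record.get("affected", []):
        start = fixed = None
        for rng in aff.get("ranges", []):
            for ev in rng["events"]:
                start = ev.get("introduced", start)
                fixed = ev.get("fixed", fixed)
        out.append(Affected("osv", aff["package"]["ecosystem"], aff["package"]["name"],
                            start, fixed=fixed))
    return out


# Trimmed excerpts of the records quoted in the issue.
NVD_21825 = {"vulnerabilities": [{"cve": {"id": "CVE-2023-21825", "configurations": [{"nodes": [
    {"operator": "OR", "cpeMatch": [{"vulnerable": True,
     "criteria": "cpe:2.3:a:oracle:isupplier_portal:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "12.2.6", "versionEndIncluding": "12.2.8"}]}]}]}}]}
GSD_21825 = {"namespaces": {"cve.org": {"affects": {"vendor": {"vendor_data": [
    {"vendor_name": "Oracle Corporation", "product": {"product_data": [
        {"product_name": "iSupplier Portal", "version": {"version_data": [
            {"version_affected": "=", "version_value": "12.2.6-12.2.8"}]}}]}}]}}}}}
OSV_21825 = {"id": "GHSA-pf47-j984-4hxc", "affected": []}  # no package data at all
OSV_32999 = {"id": "GHSA-2c5c-fhr8-pwh9", "affected": [{
    "package": {"ecosystem": "Maven", "name": "com.rapid7:jenkinsci-appspider-plugin"},
    "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.0.16"}]}]}]}
```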
@Rafiot
Collaborator Author

Rafiot commented Jun 2, 2023

Follow up question on that: how do we handle vulnerabilities that only apply if multiple products are involved?

Example: CVE-2008-0732

{
  "cve": {
    "id": "CVE-2008-0732",
    "sourceIdentifier": "cve@mitre.org",
    "published": "2008-02-12T21:00:00.000",
    "lastModified": "2008-09-05T21:35:50.617",
    "vulnStatus": "Analyzed",
    "descriptions": [
      {
        "lang": "en",
        "value": "The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories."
      },
      {
        "lang": "es",
        "value": "La secuencia de comandos init de Apache Geronimo sobre SUSE Linux sigue enlaces simbólicos cuando realiza una operación de cambio en la propiedad de ficheros o directorios, que permite a usuarios locales obtener acceso a ficheros y directorios no especificados."
      }
    ],
    "metrics": {
      "cvssMetricV2": [
        {
          "source": "nvd@nist.gov",
          "type": "Primary",
          "cvssData": {
            "version": "2.0",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
            "accessVector": "LOCAL",
            "accessComplexity": "LOW",
            "authentication": "NONE",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1
          },
          "baseSeverity": "LOW",
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "acInsufInfo": false,
          "obtainAllPrivilege": false,
          "obtainUserPrivilege": false,
          "obtainOtherPrivilege": false,
          "userInteractionRequired": false
        }
      ]
    },
    "weaknesses": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-59"
          }
        ]
      }
    ],
    "configurations": [
      {
        "operator": "AND",
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": false,
                "criteria": "cpe:2.3:o:suse:suse_linux:*:*:*:*:*:*:*:*",
                "matchCriteriaId": "67527281-81FA-4068-9E0A-7B19FB6A208A"
              }
            ]
          },
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:geronimo:*:*:*:*:*:*:*:*",
                "matchCriteriaId": "67517877-5475-4CDA-A634-4CDE447D41D1"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00003.html",
        "source": "cve@mitre.org",
        "tags": [
          "Patch"
        ]
      }
    ]
  }
}

If we use the same approach as defined in the existing CVE Search API, we'll have this vulnerability in suse:suse_linux when it is not the case all the time.
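An added example (not cve-search code) of evaluating the configurations block above with its AND operator honoured, so that the platform node (vulnerable: false, suse_linux) gates the match without itself being reported as affected, next to the flattening that would list suse_linux; the host inventories are constructed:

```python
"""Evaluate an NVD 2.0 'configurations' block against the CPEs installed on a
host, honouring the top-level AND operator and vulnerable:false platform nodes.
Added example (not cve-search code); the configuration is the one quoted above
for CVE-2008-0732 and the inventories are constructed."""
import re


def split_cpe23(cpe: str) -> list:
    """Split a CPE 2.3 formatted string on unescaped ':' (13 components)."""
    return re.split(r"(?<!\\):", cpe)


def _ver(v: str) -> tuple:
    """Comparable version key: numeric parts as ints, the rest as strings."""
    return tuple((0, int(x)) if x.isdigit() else (1, x) for x in v.split("."))


_RANGE = (("versionStartIncluding", lambda a, b: a >= b),
          ("versionStartExcluding", lambda a, b: a > b),
          ("versionEndIncluding", lambda a, b: a <= b),
          ("versionEndExcluding", lambda a, b: a < b))


def cpe_match(entry: dict, installed: str) -> bool:
    """Does one cpeMatch entry (criteria + optional version bounds) cover an installed CPE?"""
    want, have = split_cpe23(entry["criteria"]), split_cpe23(installed)
    if len(want) != 13 or len(have) != 13:
        return False
    if any(w != "*" and w.lower() != h.lower() for w, h in zip(want, have)):
        return False
    version = have[5]
    if version in ("*", "-"):
        return True  # version unknown: assume affected rather than silently miss it
    return all(ok(_ver(version), _ver(entry[k])) for k, ok in _RANGE if k in entry)


def _node(node: dict, inventory: list) -> tuple:
    """One node is an OR over its cpeMatch entries. Returns (matched, vulnerable criteria hit)."""
    hit = [m for m in node["cpeMatch"] if any(cpe_match(m, c) for c in inventory)]
    matched = bool(hit) != bool(node.get("negate", False))
    return matched, {m["criteria"] for m in hit if m["vulnerable"]}


def affected_products(configurations: list, inventory: list) -> set:
    """CPE criteria that are actually vulnerable on this host.

    With operator AND every node must match, including vulnerable:false platform
    nodes (they describe the environment, e.g. 'running on SUSE'); those platform
    criteria are never reported as affected themselves."""
    out = set()
    for conf in configurations:
        results = [_node(n, inventory) for n in conf["nodes"]]
        combine = all if conf.get("operator", "OR") == "AND" else any
        if combine(m for m, _ in results):
            for _, vulnerable in results:
                out |= vulnerable
    return out


def naive_products(configurations: list) -> set:
    """The flattening the comment warns about: every criteria string, platform nodes included."""
    return {m["criteria"] for c in configurations for n in c["nodes"] for m in n["cpeMatch"]}


# The configurations block of CVE-2008-0732 as quoted above (matchCriteriaId dropped).
CONF_2008_0732 = [{"operator": "AND", "nodes": [
    {"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": False, "criteria": "cpe:2.3:o:suse:suse_linux:*:*:*:*:*:*:*:*"}]},
    {"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:apache:geronimo:*:*:*:*:*:*:*:*"}]}]}]

# Constructed inventories: Geronimo on SUSE, Geronimo elsewhere, SUSE without Geronimo.
GERONIMO = "cpe:2.3:a:apache:geronimo:2.1:*:*:*:*:*:*:*"
SUSE = "cpe:2.3:o:suse:suse_linux:10.1:*:*:*:*:*:*:*"
DEBIAN = "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*"
```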

@adulau
Member

adulau commented Jun 16, 2023

Could we imagine a fuzzy strategy for the different sources, where approximate results are calculated in another set? Like we did for cpe-guesser https://github.com/cve-search/cpe-guesser

@Rafiot
Collaborator Author

Rafiot commented Jun 16, 2023

We can do something like that, but I really fear there will be a lot of improper guesses (the CPE refs are super weak).

As long as we have a reference to a CVE in whichever vulnerability entry, we automatically get the CPE:

  • For GSD (as it is a copy of NVD with a bit of extra meta information and the keys moved around), we always have it, and their IDs are directly mapped to CVE, so it won't be a problem:
"GSD": {
        "alias": "CVE-2023-21825",
        "id": "GSD-2023-21825"
    }
  • For Github, they add the CVE entry in the aliases as soon as they have it, which means we automatically get it as soon as we load the update. And when the alias isn't set (GHSA-gpv5-7x3g-ghjv for example), but the CVE exists (https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-34104), we can still map them by looking for entries that contain a link to the github advisories in the references of the CVE - I'm going to add some heuristics like that. As soon as we can link a non-NVD vuln to a CVE, we get the CPE.

It doesn't really solve the issue with the CPE requiring operators, but it's better than nothing.
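The alias-first, references-second linking described above, as an added example (not cve-search code): the GHSA-pf47-j984-4hxc record and CVE-2023-21825 are trimmed from this issue, while for the alias-less GHSA-gpv5-7x3g-ghjv / CVE-2023-34104 pair named in the comment the reference URL and the CPE are constructed for the example.

```python
"""Link a non-NVD advisory (an OSV/GHSA record) to a CVE: through the record's
own 'aliases' first and, when those are missing, by looking for a GitHub
advisory URL among the CVE's NVD references. Once linked, the CVE's cpeMatch
criteria serve as the advisory's CPE. Added example, not cve-search code."""
import re

GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}", re.IGNORECASE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def norm_ghsa(ghsa: str) -> str:
    """Canonical spelling: upper-case prefix, lower-case id body."""
    return "GHSA-" + ghsa[5:].lower()


def cve_aliases(osv: dict) -> set:
    """CVE ids an OSV record declares in 'aliases' (other alias kinds are ignored)."""
    return {a.upper() for a in osv.get("aliases", []) if CVE_RE.match(a)}


def ghsa_in_references(cve: dict) -> set:
    """Fallback heuristic: GHSA ids inside github.com URLs listed in the CVE's references."""
    found = set()
    for ref in cve.get("references", []):
        url = ref.get("url", "")
        if "github.com/" in url.lower():  # github.com/advisories/... or <repo>/security/advisories/...
            found.update(norm_ghsa(m) for m in GHSA_RE.findall(url))
    return found


def link_advisories(osv_records: list, nvd_cves: list) -> dict:
    """GHSA id -> (CVE id, how it was linked). A declared alias always wins; a reference
    hit that disagrees with it is kept visible as a conflict instead of overwriting it."""
    links = {}
    for osv in osv_records:
        for cve_id in cve_aliases(osv):
            links[norm_ghsa(osv["id"])] = (cve_id, "alias")
    for cve in nvd_cves:
        for ghsa in ghsa_in_references(cve):
            prev = links.get(ghsa)
            if prev is None:
                links[ghsa] = (cve["id"], "reference")
            elif prev[0] != cve["id"]:
                links[ghsa] = (prev[0], prev[1] + ",conflict:" + cve["id"])
    return links


def cpes_for(ghsa: str, links: dict, nvd_by_id: dict) -> set:
    """CPE criteria inherited from the linked CVE; empty when there is no link (yet)."""
    link = links.get(norm_ghsa(ghsa))
    if link is None or link[0] not in nvd_by_id:
        return set()
    return {m["criteria"] for conf in nvd_by_id[link[0]].get("configurations", [])
            for node in conf["nodes"] for m in node["cpeMatch"] if m["vulnerable"]}


# Trimmed from the records quoted in this issue.
OSV_PF47 = {"id": "GHSA-pf47-j984-4hxc", "aliases": ["CVE-2023-21825"]}
NVD_21825 = {"id": "CVE-2023-21825",
             "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2023.html"}],
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:oracle:isupplier_portal:*:*:*:*:*:*:*:*"}]}]}]}
# Constructed for the alias-less case named above: the ids are the ones in the comment,
# the reference URL and the CPE are made up for this example.
OSV_GPV5 = {"id": "GHSA-gpv5-7x3g-ghjv", "aliases": []}
NVD_34104 = {"id": "CVE-2023-34104",
             "references": [{"url": "https://github.com/advisories/GHSA-gpv5-7x3g-ghjv"}],
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:constructed_package:*:*:*:*:*:*:*:*"}]}]}]}
```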
