OSSIndex / vulns

Report missing advisories and corrections on OSS Index

Incorrect vulnerability details CVE-2022-2191 #308

Closed msymons closed 2 years ago

msymons commented 2 years ago

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/CVE-2022-2191?component-type=maven&component-name=org.eclipse.jetty/jetty-io

Component URL (one example of many...)

https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-io@9.4.43.v20210629

Description: The OSSI text for vulnerability CVE-2022-2191 states "In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions..." and yet OSSI is incorrectly matching against versions before 10.0.0.

If the matching against (say) v9.4.43.v20210629 is deemed to be correct based on internal Sonatype research then the OSSI description text needs to be updated to make this explicitly clear.

I have dug into the GHSA advisories and things are confusing there. The one published in the Jetty repo differs from the "official" GHSA... although both have the same id.

"Official": https://github.com/advisories/GHSA-8mpp-f3f7-xc28 (< 10.0.10, >= 11.0.0, < 11.0.10)

"Jetty": https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28 (10.0.0 to 10.0.9, 11.0.0 to 11.0.9)

Also, note that both report that the vulnerability affects jetty-server and not jetty-io.
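The two range notations quoted above classify a 9.4.x release differently, and the package-name mismatch (jetty-server vs jetty-io) is a second, independent way a match can go wrong. The following is an added illustration, not OSS Index, GitHub or Jetty code: it parses both notations, treats the Jetty "A to B" form as inclusive at both ends (an assumption), uses a constructed `group:artifact` label for the package, and shows that the GitHub database form as originally published matches 9.4.43.v20210629 only because its first 10.x range has no lower bound.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Constraint = Tuple[str, Version]


def parse_version(v: str) -> Version:
    """Reduce a Maven-style version to its numeric dotted prefix.
    Jetty's '9.4.43.v20210629' becomes (9, 4, 43); the '.vNNN' qualifier is
    dropped because it does not change the ordering of the release lines here."""
    m = re.match(r"^(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_range(spec: str) -> List[Constraint]:
    """Accept the two notations seen in the advisories:
    '>= 10.0.0, < 10.0.10'  (GitHub advisory database style)
    '10.0.0 to 10.0.9'      (Jetty advisory style; assumed inclusive at both ends)."""
    if " to " in spec:
        lo, hi = (s.strip() for s in spec.split(" to ", 1))
        return [(">=", parse_version(lo)), ("<=", parse_version(hi))]
    constraints: List[Constraint] = []
    for part in spec.split(","):
        m = re.match(r"^\s*(>=|<=|>|<|=)\s*(\S+)\s*$", part)
        if not m:
            raise ValueError(f"unparseable constraint: {part!r}")
        constraints.append((m.group(1), parse_version(m.group(2))))
    return constraints


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def in_range(version: str, spec: str) -> bool:
    """True when every constraint of the range holds for the version."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_range(spec))


def is_affected(advisory: Dict, package: str, version: str) -> bool:
    """An advisory applies only if the package name matches AND the version
    falls inside at least one of its listed ranges."""
    if package != advisory["package"]:
        return False
    return any(in_range(version, spec) for spec in advisory["ranges"])


# Constructed records mirroring the two forms of GHSA-8mpp-f3f7-xc28 quoted in
# the issue. The missing lower bound on the first 10.x range is the defect.
GHSA_AS_PUBLISHED = {
    "package": "org.eclipse.jetty:jetty-server",
    "ranges": ["< 10.0.10", ">= 11.0.0, < 11.0.10"],
}
JETTY_ADVISORY = {
    "package": "org.eclipse.jetty:jetty-server",
    "ranges": ["10.0.0 to 10.0.9", "11.0.0 to 11.0.9"],
}


def compare(package: str, version: str) -> Dict[str, bool]:
    """Evaluate one component against both records side by side."""
    return {
        "github_db": is_affected(GHSA_AS_PUBLISHED, package, version),
        "jetty": is_affected(JETTY_ADVISORY, package, version),
    }


if __name__ == "__main__":
    for pkg, ver in [
        ("org.eclipse.jetty:jetty-server", "9.4.43.v20210629"),
        ("org.eclipse.jetty:jetty-server", "10.0.9"),
        ("org.eclipse.jetty:jetty-server", "10.0.10"),
        ("org.eclipse.jetty:jetty-io", "10.0.9"),
    ]:
        print(f"{pkg}@{ver}: {compare(pkg, ver)}")
```

Running it shows jetty-server 9.4.43.v20210629 flagged by the as-published GitHub form but not by the Jetty form, both forms agreeing on 10.0.9 and 10.0.10, and jetty-io never matching because the advisory names jetty-server. When reviewing an advisory feed, checking that every `<` upper bound on a non-initial release line is paired with a `>=` lower bound is the cheap test that would have caught this one.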

msymons commented 2 years ago

I emailed webtide security and received a response in less than 10 minutes...

The database version at https://github.com/advisories/GHSA-8mpp-f3f7-xc28 has the original ranges.

This invalid range was pointed out in our issue tracker at https://github.com/eclipse/jetty.project/issues/8161#issuecomment-1178712744

And a ticket to update the range has been submitted at https://github.com/github/advisory-database/pull/489

The official advisory at https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28 was updated. We expect the database version to be updated once github reviews the changes.

i.e., this confirms that versions lower than 10.0.0 are not affected by this vulnerability.

joakime commented 2 years ago

The github advisory database version has had its version range updated a few minutes ago ...

https://github.com/advisories/GHSA-8mpp-f3f7-xc28

joakime commented 2 years ago

For the record, I'm the one that responded to @msymons from the "webtide security" portion of his comment, with that exact text that he copy/pasted into this issue. I'm also an Eclipse Jetty committer - https://github.com/eclipse/jetty.project/graphs/contributors

ken-duck commented 2 years ago

Looks like our researchers got at this one already. Looking at the chart here seems to indicate the issue has been resolved: https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-io

msymons commented 2 years ago

@ken-duck, now what we need is for MITRE to support SWID or PURL so that these kinds of problems can be more easily avoided.

I so hate CPE.

msymons commented 2 years ago

@ken-duck, the issue has been resolved for jetty-io but not replaced by jetty-server. Thus the vuln is now not alerting against anything that I can see.