fasten-project / vulnerability-producer

Gathers, enriches and publishes vulnerability information to a Kafka topic.
https://www.fasten-project.eu/
Apache License 2.0
6 stars 3 forks source link

CVE-2020-35728 - mapping to purls more than NVD described #112

Open cg122 opened 2 years ago

cg122 commented 2 years ago

As described in NVD:

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction ...

The current mapping includes later versions:

    "purls": [
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0-RC1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0-RC2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0-RC3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0-rc2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0-rc3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.1.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.1.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.1.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.5.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.0-rc2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.0-rc3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.0-rc4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0-rc2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0-rc3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.1-1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0.rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0.rc2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.7",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.8",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.7",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0.pr1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0.pr2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.8",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.8.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0.pr3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.9",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0.pr4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.10",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.7",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.0.rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0-rc2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.5.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.7",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9.4"
    ]
MagielBruntink commented 2 years ago

The trouble with this one is that GHSA lists a non-existing Maven coordinate: com.fasterxml.jackson:jackson-databind: https://github.com/advisories/GHSA-5r5r-6hpj-8gg9

The proper coordinate is com.fasterxml.jackson.core:jackson-databind, which we list. However, on our end the versions are not correctly limited to the vulnerable range, and also the first_patched_purl we have is using the bad coordinate from GHSA: pkg:maven/com.fasterxml.jackson/jackson-databind@2.9.10.8

MagielBruntink commented 2 years ago

The story is complicated, but it seems that things are working as intended for the most part.

Because GHSA names an incorrect Maven coordinate, we fall back to previous known purl mapping of the CPE cpe:2.3:a:fasterxml:jackson-databind, which is correctly pkg:maven/com.fasterxml.jackson.core/jackson-databind.

At that stage however, the version range of GHSA is also not used anymore to identify the vulnerable versions. Instead, the code checks here for all versions of the Maven package: https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/ which is then compared to the patch date to infer which versions are vulnerable. The patch date is correctly found to be 2020-12-26 as can be seen here: https://github.com/FasterXML/jackson-databind/issues/2999. All version before are assumed vulnerable, which is plausible IMO.

Checking back at Maven https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/ results in the list of versions listed above by @cg122, so that is working as intended.

I wonder why the version range is set differently in both the NVD and the GHSA data. Perhaps it's related to responsible disclosure?

There is one bug here, and that is the first_patched_purl in our data points to the wrong Maven coordinate pkg:maven/com.fasterxml.jackson/jackson-databind@2.9.10.8 because it has yanked that from the GHSA data without further validation.