fasten-project / vulnerability-producer

Gathers, enriches and publishes vulnerability information to a Kafka topic.
https://www.fasten-project.eu/
Apache License 2.0

Vulnerable version 2.13.2 of CVE-2020-36518 not detected due to data issues #125

Closed MagielBruntink closed 2 years ago

MagielBruntink commented 2 years ago

Fix would be to make the version range enumeration and matching more robust against this.

mir-am commented 2 years ago

Thanks for reporting the issue. I can also take a look at the issue if someone else is not.

mir-am commented 2 years ago

@MagielBruntink, I have looked at the vuln. statement for CVE-2020-36518. It does have the version 2.13.2 declared as vulnerable. See the extracted PURLs:

"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1",
"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2"

I might not have understood what is exactly the issue.
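One way to make the version matching and range enumeration tolerant of data quirks, as an added example that is not the vulnerability-producer's own code: it parses the PURLs quoted above (the sample list with stray whitespace and the simplified Maven-style version ordering are my assumptions), matches a package coordinate against them after normalising, and enumerates released versions inside a [low, high) range.

```python
import re
from functools import cmp_to_key
from urllib.parse import unquote

# Constructed sample: the two PURLs quoted in this issue, one with stray
# whitespace to show why plain string equality is fragile.
VULN_PURLS = [
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1",
    " pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2 ",
]

def parse_purl(purl):
    """Split a package URL into (type, namespace, name, version), trimmed and
    percent-decoded, ignoring qualifiers (?...) and subpath (#...)."""
    purl = purl.strip()
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: %r" % purl)
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.partition("@")
    parts = [unquote(p) for p in path.strip("/").split("/")]
    return parts[0].lower(), "/".join(parts[1:-1]), parts[-1], unquote(version).strip()

def _version_key(version):
    """Simplified Maven-style ordering (assumption, not Maven's ComparableVersion):
    numeric parts compare as integers, textual qualifiers (rc1, SNAPSHOT) sort
    below the bare release, missing trailing parts count as 0 (see version_cmp)."""
    return [(1, int(p), "") if p.isdigit() else (0, 0, p.lower())
            for p in re.split(r"[.\-]", version.strip())]

def version_cmp(a, b):
    """Return -1, 0 or 1 comparing versions a and b."""
    ka, kb = _version_key(a), _version_key(b)
    pad = (1, 0, "")  # makes "2.13" == "2.13.0" and "2.13.2-rc1" < "2.13.2"
    n = max(len(ka), len(kb))
    ka += [pad] * (n - len(ka))
    kb += [pad] * (n - len(kb))
    return (ka > kb) - (ka < kb)

def in_range(version, low_inclusive, high_exclusive):
    return version_cmp(low_inclusive, version) <= 0 and version_cmp(version, high_exclusive) < 0

def enumerate_affected(released, low_inclusive, high_exclusive):
    """The 'range enumeration' step: released versions inside [low, high), ordered."""
    hits = [v for v in released if in_range(v, low_inclusive, high_exclusive)]
    return sorted(hits, key=cmp_to_key(version_cmp))

def is_vulnerable(purl, vuln_purls, ranges=()):
    """True if the package version is explicitly listed in vuln_purls (same type,
    namespace and name after normalisation) or lies inside one of the ranges."""
    ptype, ns, name, version = parse_purl(purl)
    for listed in vuln_purls:
        t, lns, lname, lver = parse_purl(listed)
        if (t, lns, lname) == (ptype, ns, name) and version_cmp(lver, version) == 0:
            return True
    return any(in_range(version, lo, hi) for lo, hi in ranges)
```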

MagielBruntink commented 2 years ago

Nice, yesterday it didn’t :-)