search

google / osv.dev

Open source vulnerability DB and triage service.
https://osv.dev
Apache License 2.0
1.45k stars 176 forks source link

Data quality issue with CVE-2021-42384 #2128

Open ASKAC0810 opened 2 months ago

ASKAC0810 commented 2 months ago

The CVE ID CVE-2021-42384

Describe the data quality issue observed When I searched this CVE ID from osv.dev, I got different result with NVD when echo system is GIT. Result of osv.dev

The affected version shows as below image image

Result of NVD

The affected version shows as below image image

The "From" (1_18_0) and and "Up to" (1_33_1) version are both the same between osv.dev and NVD.

However, osv.dev does not link this CVE to all tag version .

For example, I use the busybox v1.30.1, the tag ID is 1_30_1 , and the GIT commit hash is as following 1dd2685dcc735496d7adde87ac60b9434ed4a04c

As you can see, CVE-2021-42384 can not be found on osv.dev and osv-scanner tool with this version.

image

Suggested changes to record Link CVE to all tag version between from and Up .

Hope my description is clear :) Thank you very much.

andrewpollock commented 2 weeks ago

Confirmed that 1dd2685dcc735496d7adde87ac60b9434ed4a04c is tagged as 1.30.1:

$ git ls-remote https://github.com/mirror/busybox | fgrep 1dd2685dcc735496d7adde87ac60b9434ed4a04c
1dd2685dcc735496d7adde87ac60b9434ed4a04c        refs/heads/1_30_stable
1dd2685dcc735496d7adde87ac60b9434ed4a04c        refs/tags/1_30_1

Confirmed that querying for 1dd2685dcc735496d7adde87ac60b9434ed4a04c only returns CVE-2023-39810 and not CVE-2021-42384:

$ curl -d \
  '{"commit": "1dd2685dcc735496d7adde87ac60b9434ed4a04c"}' \
  "https://api.osv.dev/v1/query"
{"vulns":[{"id":"CVE-2023-39810","details":"An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.","modified":"2024-05-14T12:59:18.428091Z","published":"2023-08-28T19:15:07Z","references":[{"type":"ARTICLE","url":"https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/"},{"type":"WEB","url":"http://busybox.com"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mirror/busybox","events":[{"introduced":"0"},{"last_affected":"1dd2685dcc735496d7adde87ac60b9434ed4a04c"},{"last_affected":"db726ae0c61ffec6b58e19749e0c63aaaf4f6989"}]}],"versions":["0_29alpha2","0_32","0_33","0_34","0_36","0_39","0_40","0_41","0_42","0_43","0_43pre1","0_45","0_46","0_47","0_48","0_49","0_50","0_51","0_52","0_60_0","0_60_1","0_60_2","0_60_3","0_60_4","0_60_5","1_00","1_00_pre1","1_00_pre10","1_00_pre2","1_00_pre3","1_00_pre4","1_00_pre5","1_00_pre6","1_00_pre7","1_00_pre8","1_00_pre9","1_00_rc1","1_00_rc2","1_00_rc3","1_10_0","1_12_0","1_14_0","1_15_0","1_16_0","1_17_0","1_18_0","1_19_0","1_1_0","1_1_1","1_20_0","1_21_0","1_22_0","1_23_0","1_24_0","1_25_0","1_26_0","1_27_0","1_28_0","1_29_0","1_2_0","1_30_0","1_30_1","1_31_0","1_32_0","1_33_0","1_33_1","1_33_2","1_4_0","1_8_0","1_9_0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-39810.json"}}],"schema_version":"1.6.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}]}
andrewpollock commented 2 weeks ago
Version enumeration does not appear to be identifying 1.30.1 or the 1_30_1 tag, by the looks of it, so it stands to reason it's also not enumerating the related commits (note the lack of this in the `versions` array): ``` $ ~/bin/analyze_this.prod CVE-2021-42384 Copying gs://cve-osv-conversion/osv-output/CVE-2021-42384.json... / [0 files][ 0.0 B/ 5.4 KiB] / [0 files][ 5.4 KiB/ 5.4 KiB] - - [1 files][ 5.4 KiB/ 5.4 KiB] Operation completed over 1 objects/5.4 KiB. INFO:root:Analyzing /tmp/CVE-2021-42384.json ERROR:root:Tried to enumerate alpine version without workdir being set ERROR:root:Tried to enumerate alpine version without workdir being set ERROR:root:Tried to enumerate alpine version without workdir being set ERROR:root:Tried to enumerate alpine version without workdir being set ERROR:root:Tried to enumerate alpine version without workdir being set ERROR:root:Tried to enumerate alpine version without workdir being set ERROR:root:Tried to enumerate alpine version without workdir being set ERROR:root:Tried to enumerate alpine version without workdir being set ERROR:root:Tried to enumerate alpine version without workdir being set ERROR:root:Tried to enumerate alpine version without workdir being set INFO:root:Cloning https://github.com/mirror/busybox to /tmp/tmpwev3m37i INFO:root:Finding equivalent regress commit to 5ab20641d687bfe4d86d255f8c369af54b6026e7 in refs/remotes/origin/1_33_stable in https://github.com/mirror/busybox INFO:root:Finding equivalent last_affected commit to bcc5b0e6caca6c7602a6a41faa5f980292e0fbc5 in refs/remotes/origin/1_33_stable in https://github.com/mirror/busybox INFO:root:Getting commits 5ab20641d687bfe4d86d255f8c369af54b6026e7..bcc5b0e6caca6c7602a6a41faa5f980292e0fbc5 from https://github.com/mirror/busybox INFO:root:Writing changes. { "id": "CVE-2021-42384", "details": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function", "modified": "2024-06-20T02:14:49.586561Z", "published": "2021-11-15T21:15:08Z", "references": [ { "type": "ADVISORY", "url": "https://security.netapp.com/advisory/ntap-20211223-0002/" }, { "type": "ARTICLE", "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/" }, { "type": "WEB", "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/" } ], "affected": [ { "package": { "name": "busybox", "ecosystem": "Alpine:v3.11", "purl": "pkg:apk/alpine/busybox?arch=source" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.31.1-r11" } ] } ], "versions": [] }, { "package": { "name": "busybox", "ecosystem": "Alpine:v3.12", "purl": "pkg:apk/alpine/busybox?arch=source" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.31.1-r21" } ] } ], "versions": [] }, { "package": { "name": "busybox", "ecosystem": "Alpine:v3.13", "purl": "pkg:apk/alpine/busybox?arch=source" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.32.1-r7" } ] } ], "versions": [] }, { "package": { "name": "busybox", "ecosystem": "Alpine:v3.14", "purl": "pkg:apk/alpine/busybox?arch=source" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.33.1-r6" } ] } ], "versions": [] }, { "package": { "name": "busybox", "ecosystem": "Alpine:v3.15", "purl": "pkg:apk/alpine/busybox?arch=source" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.34.0-r0" } ] } ], "versions": [] }, { "package": { "name": "busybox", "ecosystem": "Alpine:v3.16", "purl": "pkg:apk/alpine/busybox?arch=source" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.34.0-r0" } ] } ], "versions": [] }, { "package": { "name": "busybox", "ecosystem": "Alpine:v3.17", "purl": "pkg:apk/alpine/busybox?arch=source" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.34.0-r0" } ] } ], "versions": [] }, { "package": { "name": "busybox", "ecosystem": "Alpine:v3.18", "purl": "pkg:apk/alpine/busybox?arch=source" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.34.0-r0" } ] } ], "versions": [] }, { "package": { "name": "busybox", "ecosystem": "Alpine:v3.19", "purl": "pkg:apk/alpine/busybox?arch=source" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.34.0-r0" } ] } ], "versions": [] }, { "package": { "name": "busybox", "ecosystem": "Alpine:v3.20", "purl": "pkg:apk/alpine/busybox?arch=source" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.34.0-r0" } ] } ], "versions": [] }, { "ranges": [ { "type": "GIT", "repo": "https://github.com/mirror/busybox", "events": [ { "introduced": "5ab20641d687bfe4d86d255f8c369af54b6026e7" }, { "last_affected": "bcc5b0e6caca6c7602a6a41faa5f980292e0fbc5" } ] } ], "versions": [ "1_18_0", "1_19_0", "1_20_0", "1_21_0", "1_22_0", "1_23_0", "1_24_0", "1_25_0", "1_26_0", "1_27_0", "1_28_0", "1_29_0", "1_30_0", "1_31_0", "1_32_0", "1_33_0", "1_33_1" ] } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ] } ```
andrewpollock commented 2 weeks ago

My current conclusion is that this is an issue in the version enumeration/repository analysis code and not the CVE conversion itself.