search

jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0
6.12k stars 1.23k forks source link

Incorrect severity reported from ossindex data #6734

Open mwardell-agfa opened 2 weeks ago

mwardell-agfa commented 2 weeks ago

Describe the bug CVE-2024-28752 which is CRITICAL according to ossindex is reported as a HIGH by dependency check

Version of dependency-check used The problem occurs using version 9.2.0 of the cli

To Reproduce

  1. get the problem jar wget https://repo1.maven.org/maven2/org/apache/cxf/cxf-core/3.4.10/cxf-core-3.4.10.jar

  2. Run cli dependency-check.sh --format json --nvdApiKey XXXXXXX -s . --log log.txt

  3. Dump json

           "vulnerabilities": [
            {
                "source": "OSSINDEX",
                "name": "CVE-2024-28752",
                "severity": "HIGH",
                "cvssv2": {
                    "score": 9.300000190734863,
                    "accessVector": "NETWORK",
                    "accessComplexity": "LOW",
                    "authenticationr": "$enc.json($vuln.cvssV2.cvssData.authentication)",
                    "confidentialityImpact": "$enc.json($vuln.cvssV2.cvssData.confidentialityImpact)",
                    "integrityImpact": "$enc.json($vuln.cvssV2.cvssData.integrityImpact)",
                    "availabilityImpact": "$enc.json($vuln.cvssV2.cvssData.availabilityImpact)",
                    "severity": "HIGH",
                    "version": "2.0"
                },
                "cwes": [

Expected behavior Expect severity of CRITICAL but recorded as HIGH

Additional context

log.txt shows this request

DEBUG - POST https://ossindex.sonatype.org/api/v3/component-report; payload: {"coordinates":["pkg:maven/org.apache.cxf/cxf-core@3.4.10"]} (application/vnd.ossindex.component-report-request.v1+json); accept: application/vnd.ossindex.component-report.v1+json
2024-06-21 16:04:35,761 org.sonatype.ossindex.service.client.transport.HttpUrlConnectionTransport:89
DEBUG - Connecting to: https://ossindex.sonatype.org/api/v3/component-report
2024-06-21 16:04:36,284 org.sonatype.ossindex.service.client.internal.OssindexClientImpl:184
DEBUG - 1 component-reports; 538.3 ms
2024-06-21 16:04:36,286 org.owasp.dependencycheck.analyzer.OssIndexAnalyzer:248
DEBUG - Enrich dependency: Dependency{ fileName='cxf-core-3.4.10.jar', actualFilePath='/home/axehm/dev/depcheck/target/cxf-core-3.4.10.jar', filePath='/home/axehm/dev/depcheck/target/cxf-core-3.4.10.jar', packagePath='/home/axehm/dev/depcheck/target/cxf-core-3.4.10.jar'}
2024-06-21 16:04:36,286 org.owasp.dependencycheck.analyzer.OssIndexAnalyzer:252
DEBUG -   Package: pkg:maven/org.apache.cxf/cxf-core@3.4.10 -> HIGH

Making the same OSSINDEX request

curl -X POST -H "Content-Type: application/vnd.ossindex.component-report-request.v1+json" -d "{\"coordinates\":[\"pkg:maven/org.apache.cxf/cxf-core@3.4.10\"]}" https://ossindex.sonatype.org/api/v3/component-report | jq

output

[
  {
    "coordinates": "pkg:maven/org.apache.cxf/cxf-core@3.4.10",
    "description": "Apache CXF Core",
    "reference": "https://ossindex.sonatype.org/component/pkg:maven/org.apache.cxf/cxf-core@3.4.10?utm_source=curl&utm_medium=integration&utm_content=8.6.0",
    "vulnerabilities": [
      {
        "id": "CVE-2024-28752",
        "displayName": "CVE-2024-28752",
        "title": "[CVE-2024-28752] CWE-918: Server-Side Request Forgery (SSRF)",
        "description": "A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.\n\n",
        "cvssScore": 9.3,
        "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "cwe": "CWE-918",
        "cve": "CVE-2024-28752",
        "reference": "https://ossindex.sonatype.org/vulnerability/CVE-2024-28752?component-type=maven&component-name=org.apache.cxf%2Fcxf-core&utm_source=curl&utm_medium=integration&utm_content=8.6.0",
        "externalReferences": [
          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-28752",
          "https://github.com/advisories/GHSA-qmgx-j96g-4428"
        ]
      }
    ]
  }
]

Returns a CVSS:4.0 vector, maybe that is related

Scoring that vector confirms the 9.3 scrore, but a critical severity

https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Shows

CVSS v4.0 Score: 9.3 / Critical ⊖ Macro vector: 000200 Exploitability: High Complexity: High Vulnerable system: High Subsequent system: Low Exploitation: High Security requirements: High

Also Web UI confirms it has critical severity: https://ossindex.sonatype.org/vulnerability/CVE-2024-28752?component-type=maven&component-name=org.apache.cxf%2Fcxf-core&utm_source=dependency-check&utm_medium=integration&utm_content=9.2.0

Similar to the closed issue https://github.com/jeremylong/DependencyCheck/issues/5598 but that seems related to CVSS3.1 and this maybe to CVSS4 vectors

aikebah commented 2 weeks ago

Same root cause indeed: not supporting the CVSS version 4 and then putting the data it does detect into a CVSS v2 structure