Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Data quality issue with CVE-2021-42384 #2128

Open
ASKAC0810 opened this issue Apr 22, 2024 · 3 comments
Open

Data quality issue with CVE-2021-42384 #2128

ASKAC0810 opened this issue Apr 22, 2024 · 3 comments
Assignees
@andrewpollock
Labels
bug Something isn't working data quality Issues with data quality worker Worker-related infrastructure

Comments

@ASKAC0810
Copy link

The CVE ID
CVE-2021-42384

Describe the data quality issue observed
When I searched this CVE ID from osv.dev, I got different result with NVD when echo system is GIT.
Result of osv.dev

The affected version shows as below image
image

Result of NVD

The affected version shows as below image
image

The "From" (1_18_0) and and "Up to" (1_33_1) version are both the same between osv.dev and NVD.

However, osv.dev does not link this CVE to all tag version .

For example, I use the busybox v1.30.1, the tag ID is 1_30_1 , and the GIT commit hash is as following
1dd2685dcc735496d7adde87ac60b9434ed4a04c

As you can see, CVE-2021-42384 can not be found on osv.dev and osv-scanner tool with this version.

image

Suggested changes to record
Link CVE to all tag version between from and Up .

Hope my description is clear :)
Thank you very much.
@ASKAC0810 ASKAC0810 added the data quality Issues with data quality label Apr 22, 2024
@ASKAC0810 ASKAC0810 changed the title CVE-2021-42384 Data quality issue with CVE-2021-42384 Apr 22, 2024
@andrewpollock
Copy link
Contributor

Confirmed that 1dd2685dcc735496d7adde87ac60b9434ed4a04c is tagged as 1.30.1:

$ git ls-remote https://github.com/mirror/busybox | fgrep 1dd2685dcc735496d7adde87ac60b9434ed4a04c
1dd2685dcc735496d7adde87ac60b9434ed4a04c        refs/heads/1_30_stable
1dd2685dcc735496d7adde87ac60b9434ed4a04c        refs/tags/1_30_1

Confirmed that querying for 1dd2685dcc735496d7adde87ac60b9434ed4a04c only returns CVE-2023-39810 and not CVE-2021-42384:

$ curl -d \
  '{"commit": "1dd2685dcc735496d7adde87ac60b9434ed4a04c"}' \
  "https://api.osv.dev/v1/query"
{"vulns":[{"id":"CVE-2023-39810","details":"An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.","modified":"2024-05-14T12:59:18.428091Z","published":"2023-08-28T19:15:07Z","references":[{"type":"ARTICLE","url":"https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/"},{"type":"WEB","url":"http://busybox.com"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mirror/busybox","events":[{"introduced":"0"},{"last_affected":"1dd2685dcc735496d7adde87ac60b9434ed4a04c"},{"last_affected":"db726ae0c61ffec6b58e19749e0c63aaaf4f6989"}]}],"versions":["0_29alpha2","0_32","0_33","0_34","0_36","0_39","0_40","0_41","0_42","0_43","0_43pre1","0_45","0_46","0_47","0_48","0_49","0_50","0_51","0_52","0_60_0","0_60_1","0_60_2","0_60_3","0_60_4","0_60_5","1_00","1_00_pre1","1_00_pre10","1_00_pre2","1_00_pre3","1_00_pre4","1_00_pre5","1_00_pre6","1_00_pre7","1_00_pre8","1_00_pre9","1_00_rc1","1_00_rc2","1_00_rc3","1_10_0","1_12_0","1_14_0","1_15_0","1_16_0","1_17_0","1_18_0","1_19_0","1_1_0","1_1_1","1_20_0","1_21_0","1_22_0","1_23_0","1_24_0","1_25_0","1_26_0","1_27_0","1_28_0","1_29_0","1_2_0","1_30_0","1_30_1","1_31_0","1_32_0","1_33_0","1_33_1","1_33_2","1_4_0","1_8_0","1_9_0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-39810.json"}}],"schema_version":"1.6.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}]}

@andrewpollock
Copy link
Contributor

andrewpollock commented Jun 20, 2024
edited
Loading

Version enumeration does not appear to be identifying 1.30.1 or the 1_30_1 tag, by the looks of it, so it stands to reason it's also not enumerating the related commits (note the lack of this in the `versions` array): 
$ ~/bin/analyze_this.prod CVE-2021-42384
Copying gs://cve-osv-conversion/osv-output/CVE-2021-42384.json...
/ [0 files][    0.0 B/  5.4 KiB]                                                
/ [0 files][  5.4 KiB/  5.4 KiB]                                                
-
- [1 files][  5.4 KiB/  5.4 KiB]                                                
Operation completed over 1 objects/5.4 KiB.                                      
INFO:root:Analyzing /tmp/CVE-2021-42384.json
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
INFO:root:Cloning https://github.com/mirror/busybox to /tmp/tmpwev3m37i
INFO:root:Finding equivalent regress commit to 5ab20641d687bfe4d86d255f8c369af54b6026e7 in refs/remotes/origin/1_33_stable in https://github.com/mirror/busybox
INFO:root:Finding equivalent last_affected commit to bcc5b0e6caca6c7602a6a41faa5f980292e0fbc5 in refs/remotes/origin/1_33_stable in https://github.com/mirror/busybox
INFO:root:Getting commits 5ab20641d687bfe4d86d255f8c369af54b6026e7..bcc5b0e6caca6c7602a6a41faa5f980292e0fbc5 from https://github.com/mirror/busybox
INFO:root:Writing changes.
{
  "id": "CVE-2021-42384",
  "details": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function",
  "modified": "2024-06-20T02:14:49.586561Z",
  "published": "2021-11-15T21:15:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://security.netapp.com/advisory/ntap-20211223-0002/"
    },
    {
      "type": "ARTICLE",
      "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/"
    },
    {
      "type": "WEB",
      "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/"
    }
  ],
  "affected": [
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.11",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.31.1-r11"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.12",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.31.1-r21"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.13",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.32.1-r7"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.14",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.33.1-r6"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.15",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0-r0"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.16",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0-r0"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.17",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0-r0"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.18",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0-r0"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.19",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0-r0"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.20",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0-r0"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/mirror/busybox",
          "events": [
            {
              "introduced": "5ab20641d687bfe4d86d255f8c369af54b6026e7"
            },
            {
              "last_affected": "bcc5b0e6caca6c7602a6a41faa5f980292e0fbc5"
            }
          ]
        }
      ],
      "versions": [
        "1_18_0",
        "1_19_0",
        "1_20_0",
        "1_21_0",
        "1_22_0",
        "1_23_0",
        "1_24_0",
        "1_25_0",
        "1_26_0",
        "1_27_0",
        "1_28_0",
        "1_29_0",
        "1_30_0",
        "1_31_0",
        "1_32_0",
        "1_33_0",
        "1_33_1"
      ]
    }
  ],
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
    }
  ]
}

@andrewpollock
Copy link
Contributor

My current conclusion is that this is an issue in the version enumeration/repository analysis code and not the CVE conversion itself.

@andrewpollock andrewpollock added worker Worker-related infrastructure bug Something isn't working labels Jun 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@andrewpollock andrewpollock

Labels
bug Something isn't working data quality Issues with data quality worker Worker-related infrastructure
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@andrewpollock @ASKAC0810