Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Data quality issue with CVE-2024-38356 & CVE-2024-38357 #2358

Open
tjdett opened this issue Jul 2, 2024 · 1 comment
Open

Data quality issue with CVE-2024-38356 & CVE-2024-38357 #2358

tjdett opened this issue Jul 2, 2024 · 1 comment
Assignees
@andrewpollock
Labels
data quality Issues with data quality

Comments

@tjdett
Copy link

tjdett commented Jul 2, 2024

The CVE ID

Two CVEs originating from GHSAs are affected by the same underlying issue:

Describe the data quality issue observed

Some vulnerable versions (including the most recent vulnerable versions of the library) are omitted from the affected versions list of the CVEs while being correct in the GHSAs.

Additional context

Both GHSAs cover vulnerabilities that were found across three supported versions of TinyMCE, with two open-source fixed versions available:

Affected versions: <5.11.0, >=6.0.0 <6.8.4, >=7.0.0 <7.2.0
Patched versions: 5.11.0, 6.8.4, 7.2.0

There are also additional downstream software packages mentioned in the GHSA where TinyMCE is directly embedded. The GHSA definitions on OSV.dev are fine, as they rely directly on GHSA-9hcv-j9pv-qmph.json & GHSA-w9jx-4g6g-rp7x.json.

The CVE affected versions on OSV.dev appear to use the Git commit URLs provided by GitHub on the GHSA. If this worked correctly, they would omit the fix in 5.11.0 from the definition (as 5.x is now patched only under a commercial license for long-term support customers) and additional downstream software packages, but would probably work for 6.x & 7.x.

Unfortunately, for some reason while two commit URLs are present in the GHSA data, only one commit URL appears in the references section on NVD:

In both cases the commit that appears is the one for 6.x, which results in 7.0.0 onwards not appearing as vulnerable versions even though they are explicitly mentioned in the CVE text and the associated GHSA.

Suggested changes to record

Ideally the CVE would mirror the version ranges specified in the GHSA, as the GHSA is the canonical source of the affected & fixed versions. The NVD record leaves little doubt this is the case by referring to "GitHub, Inc." as the source.
@tjdett tjdett added the data quality Issues with data quality label Jul 2, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 2, 2024

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

@andrewpollock andrewpollock self-assigned this Jul 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@andrewpollock andrewpollock

Labels
data quality Issues with data quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tjdett @andrewpollock