Reporting Inaccurate Affected Components in Gitlab Advisory Database
Dear maintainers of the GitLab Advisory Database:
We thank the GitLab Advisory Database for providing valuable data to the public. We are utilizing this database for security purposes, and we greatly appreciate the contribution.
During our analysis of the CVE entries, we have identified an issue with the accuracy of the "package_slug" field: the listed affected components do not always align with the actual affected components. A listed component can be either incomplete or incorrect.
For instance, in the first entry, CVE-2019-15477 (https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/maven/io.jooby/jooby/CVE-2019-15477.yml), the database states that the affected component is io.jooby:jooby. However, upon further investigation, we have found that the correct affected component should be org.jooby:jooby, as evidenced by the patch available at https://github.com/jooby-project/jooby/pull/1368/commits/34856a738829d8fedca4ed27bd6ff413af87186f.
Another example is CVE-2018-20094 (https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/maven/com.xuxueli/xxl-conf/CVE-2018-20094.yml), where the same kind of discrepancy occurs. As described in the PoC (https://github.com/xuxueli/xxl-conf/issues/61), ConfController.java line 150 is affected. That file is located at https://github.com/xuxueli/xxl-conf/blob/6726dfe7979ea6d8fb983771471cde69789de632/xxl-conf-admin/src/main/java/com/xxl/conf/admin/controller/ConfController.java, i.e. in the xxl-conf-admin module, so the affected scope can be made more specific: com.xuxueli:xxl-conf-admin.
After thorough examination, we have discovered a total of 51 CVEs that contain incorrect or incomplete affected component information. To prevent end users from being misled, and to avoid false alarms from tools built upon this database, we chose to report these issues to you.
The attached CSV document contains 51 records of the erroneous components in the vulnerability database. The fields in the CSV file are explained as follows:
- Vulnerability ID: Unique CVE identifier for each vulnerability entry.
- Erroneous Affected Component: The affected ecosystem and component names as listed in the vulnerability database, which are either incomplete or incorrect. The format is: “ecosystem__split__component”.
- Suggested Component: The correct affected ecosystem and component names according to our inspection, corrected either by adding component names or by rectifying the existing component names. The format is: “ecosystem__split__component”.
- Evidence: Justification for the change.
For further details, please refer to the attached CSV file. We hope our findings are beneficial to community security. (The attached CSV file: https://github.com/catch22out/Inaccurate-Affected-Components-in-Gitlab-Advisory-Database/blob/main/Gitlab%20Inaccurate%20Affected%20Components.csv)
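To illustrate how such a "package_slug" discrepancy affects a consumer of the database, here is an added example (it is not part of this report, nor code from gemnasium-db or GitLab). It parses constructed advisory entries in the gemnasium-db YAML layout and constructed rows in the "ecosystem__split__component" CSV format described above, lists the entries whose slug disagrees with the suggested component, and shows that a scanner keyed on the slug would miss a dependency on org.jooby:jooby while the entry still names io.jooby:jooby. All helper names, the sample YAML text and the CSV rows are this example's own assumptions.

```python
"""Added example: compare gemnasium-db style package_slug values against
suggested "ecosystem__split__component" records and show the resulting
false negative for a dependency scanner. All data below is constructed."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed advisory entries in the gemnasium-db YAML layout. Only the
# 'identifier' and 'package_slug' keys matter here; real entries carry more.
ADVISORIES_YAML = {
    "maven/io.jooby/jooby/CVE-2019-15477.yml": (
        "---\n"
        'identifier: "CVE-2019-15477"\n'
        'package_slug: "maven/io.jooby/jooby"\n'
    ),
    "maven/com.xuxueli/xxl-conf/CVE-2018-20094.yml": (
        "---\n"
        'identifier: "CVE-2018-20094"\n'
        'package_slug: "maven/com.xuxueli/xxl-conf"\n'
    ),
}

# Constructed CSV rows in the format the report describes (the real CSV
# attached to the report has 51 rows; these two mirror its first examples).
SUGGESTIONS_CSV = """\
Vulnerability ID,Erroneous Affected Component,Suggested Component,Evidence
CVE-2019-15477,maven__split__io.jooby:jooby,maven__split__org.jooby:jooby,upstream fix commit is in org.jooby
CVE-2018-20094,maven__split__com.xuxueli:xxl-conf,maven__split__com.xuxueli:xxl-conf-admin,vulnerable controller lives in xxl-conf-admin
"""

SPLIT = "__split__"


def parse_minimal_yaml(text: str) -> Dict[str, str]:
    """Read top-level 'key: "value"' lines; enough for identifier/package_slug."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("---"):
            continue
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip().strip('"')
    return out


def slug_to_component(slug: str) -> Tuple[str, str]:
    """'maven/io.jooby/jooby' -> ('maven', 'io.jooby:jooby').
    Maven slugs carry groupId/artifactId; other ecosystems use a plain name."""
    ecosystem, _, rest = slug.partition("/")
    if ecosystem == "maven":
        group, _, artifact = rest.partition("/")
        return ecosystem, f"{group}:{artifact}"
    return ecosystem, rest


def parse_record(field: str) -> Tuple[str, str]:
    """'maven__split__org.jooby:jooby' -> ('maven', 'org.jooby:jooby')."""
    ecosystem, _, component = field.partition(SPLIT)
    return ecosystem, component


def find_mismatches(advisories: Dict[str, str], csv_text: str) -> List[Tuple[str, str, str]]:
    """Return (CVE, component in database, suggested component) where they differ."""
    by_id: Dict[str, Tuple[str, str]] = {}
    for yaml_text in advisories.values():
        entry = parse_minimal_yaml(yaml_text)
        by_id[entry["identifier"]] = slug_to_component(entry["package_slug"])
    mismatches = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cve = row["Vulnerability ID"]
        suggested = parse_record(row["Suggested Component"])
        current = by_id.get(cve)
        if current is not None and current != suggested:
            mismatches.append((cve, "/".join(current), "/".join(suggested)))
    return mismatches


def advisories_for_dependency(advisories: Dict[str, str], ecosystem: str, coordinate: str) -> List[str]:
    """What a scanner that matches dependencies on package_slug would report."""
    hits = []
    for yaml_text in advisories.values():
        entry = parse_minimal_yaml(yaml_text)
        if slug_to_component(entry["package_slug"]) == (ecosystem, coordinate):
            hits.append(entry["identifier"])
    return hits


if __name__ == "__main__":
    for cve, current, suggested in find_mismatches(ADVISORIES_YAML, SUGGESTIONS_CSV):
        print(f"{cve}: database says {current}, suggested {suggested}")
    # The real artifact is missed while the misnamed one is flagged.
    print("org.jooby:jooby ->", advisories_for_dependency(ADVISORIES_YAML, "maven", "org.jooby:jooby"))
    print("io.jooby:jooby  ->", advisories_for_dependency(ADVISORIES_YAML, "maven", "io.jooby:jooby"))
```

The last two calls are the practical consequence the report warns about: a project that actually depends on org.jooby:jooby receives no finding for CVE-2019-15477, while a project depending on io.jooby:jooby receives a false alarm.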
If you have any questions or require additional information, please do not hesitate to reach out to us. We kindly request your feedback on the accuracy of our analysis and look forward to receiving your input.