A supplement for #234
We thank Gitlab Advisory for providing valuable data to the public. We are utilizing this database for security purposes, and we greatly appreciate the contribution.
During our analysis of the CVE entries, we identified an accuracy issue in the "package_slug" field: the listed affected components do not always align with the actual affected components. The listed value can be either incomplete or incorrect.
After thorough examination, we found a total of 4 CVEs that contain incorrect or incomplete affected component information. To avoid misleading end users, or causing false alarms from tools built on this database, we chose to report these issues to you.
The attached CSV file contains 51 records of erroneous components in the vulnerability database. The fields in the CSV file are explained as follows:
- Vulnerability ID: Unique CVE identifier for each vulnerability entry.
- Erroneous Affected Component: The affected ecosystem and component names as listed in the vulnerability database, which are either incomplete or incorrect. The format is: "ecosystem__split__component".
- Suggested Component: The correct affected ecosystem and component names according to our inspection, corrected either by adding component names or by rectifying the existing component names. The format is: "ecosystem__split__component".
- Evidence: Justification for the change.
For further details, please refer to the attached xlsx file or the table below. We hope our findings are beneficial to community security.
Vulnerability ID | Erroneous Affected Component | Suggested Component | Evidence |
---|---|---|---|
CVE-2020-17518 | maven__split__org.apache.flink:flink-parent maven__split__org.apache.flink:flink-metrics-core | maven__split__org.apache.flink:flink-runtime | We found the patch, which modified only one class: FileUploadHandler. |
CVE-2020-11980 | maven__split__org.apache.karaf:karaf | maven__split__org.apache.karaf.management:org.apache.karaf.management.server | The fix patched the vulnerability: it was possible to authenticate with the viewer role and invoke the MLet getMBeansFromURL method, which fetches the desired MBean from a remote server and then registers it in Karaf. |
CVE-2016-8746 | maven__split__org.apache.ranger:ranger | maven__split__org.apache.ranger:ranger-plugins-common | The policy engine incorrectly matches paths in certain conditions when a policy does not contain wildcards and has the recursion flag set to true. The patch fixes the resource matcher to correctly handle a policy containing only one resource whose value is '*'. |
CVE-2020-17518 | maven__split__io.jenkins.blueocean:blueocean | maven__split__io.jenkins.blueocean:blueocean-git-pipeline | The early version provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system. The patch removes this undocumented feature, which has a security issue. |
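As an added example (not code from this report or from the GitLab Advisory Database project), the following Python script parses the "ecosystem__split__component" cells described above, classifies each suggested correction as an addition or a rectification in the sense of the field description, and runs a minimal slug-keyed dependency scanner against a constructed dependency list, once with the erroneous slugs and once with the suggested ones, to show the false alarm and the missed match that an incorrect slug produces. The `Slug`, `scan` and `compare` names, the dependency list and the scanner's matching rule are assumptions for illustration; the records are three rows copied from the table.

```python
"""Added example (not part of the original report or of the GitLab Advisory
Database tooling): a minimal dependency scanner keyed on package_slug, run
once over the erroneous slugs and once over the suggested ones."""
from __future__ import annotations

from dataclasses import dataclass

SPLIT = "__split__"  # separator of the report's "ecosystem__split__component" format


@dataclass(frozen=True)
class Slug:
    ecosystem: str
    component: str


def parse_slugs(field: str) -> set[Slug]:
    """Parse one component cell. A cell may hold several slugs separated by
    whitespace (the Flink row lists two), so a set is returned."""
    slugs = set()
    for token in field.split():
        if SPLIT not in token:
            raise ValueError(f"malformed slug: {token!r}")
        ecosystem, component = token.split(SPLIT, 1)
        slugs.add(Slug(ecosystem, component))
    return slugs


# (CVE, erroneous cell, suggested cell): three rows copied from the report's table.
RECORDS = [
    ("CVE-2020-17518",
     "maven__split__org.apache.flink:flink-parent maven__split__org.apache.flink:flink-metrics-core",
     "maven__split__org.apache.flink:flink-runtime"),
    ("CVE-2020-11980",
     "maven__split__org.apache.karaf:karaf",
     "maven__split__org.apache.karaf.management:org.apache.karaf.management.server"),
    ("CVE-2016-8746",
     "maven__split__org.apache.ranger:ranger",
     "maven__split__org.apache.ranger:ranger-plugins-common"),
]


def classify_change(erroneous: str, suggested: str) -> str:
    """Label a correction as the field description does: 'added' when the
    suggestion only adds slugs, 'rectified' when existing slugs are replaced."""
    bad, good = parse_slugs(erroneous), parse_slugs(suggested)
    if bad == good:
        return "unchanged"
    return "added" if bad < good else "rectified"


def build_index(records, use_suggested: bool) -> dict[Slug, set[str]]:
    """Map each slug to the CVEs that list it, taken from either column."""
    index: dict[Slug, set[str]] = {}
    for cve, erroneous, suggested in records:
        for slug in parse_slugs(suggested if use_suggested else erroneous):
            index.setdefault(slug, set()).add(cve)
    return index


def scan(dependencies: list[str], index: dict[Slug, set[str]]) -> dict[str, list[str]]:
    """Return {dependency slug: sorted CVE ids} for every dependency that matches
    a slug in the index (exact match on ecosystem and component)."""
    hits = {}
    for dep in dependencies:
        (slug,) = parse_slugs(dep)  # one dependency is exactly one slug
        if slug in index:
            hits[dep] = sorted(index[slug])
    return hits


# Constructed (hypothetical) dependency list of a Flink-based project.
PROJECT_DEPS = [
    "maven__split__org.apache.flink:flink-runtime",       # the component the patch touched
    "maven__split__org.apache.flink:flink-metrics-core",  # listed in the erroneous cell only
]


def compare(dependencies, records) -> tuple[list[str], list[str]]:
    """Return (false_alarms, missed): dependencies flagged only by the erroneous
    slugs, and dependencies flagged only by the suggested slugs."""
    bad_hits = scan(dependencies, build_index(records, use_suggested=False))
    good_hits = scan(dependencies, build_index(records, use_suggested=True))
    false_alarms = sorted(set(bad_hits) - set(good_hits))
    missed = sorted(set(good_hits) - set(bad_hits))
    return false_alarms, missed


if __name__ == "__main__":
    for cve, erroneous, suggested in RECORDS:
        print(cve, classify_change(erroneous, suggested))
    false_alarms, missed = compare(PROJECT_DEPS, RECORDS)
    print("false alarms with erroneous slugs:", false_alarms)
    print("missed with erroneous slugs:", missed)
```

With the Flink row, the erroneous slugs flag flink-metrics-core (a false alarm) and say nothing about flink-runtime (a missed vulnerability); the suggested slug flags flink-runtime only, which is the behaviour a consumer of the database would want.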
If you have any questions or require additional information, please do not hesitate to reach out to us. We kindly request your feedback on the accuracy of our analysis and look forward to receiving your input.