Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVEs fixed in the 6/20 releases not published to NVD yet #1058

Closed
abscondment opened this issue Jul 28, 2023 · 17 comments
Closed

CVEs fixed in the 6/20 releases not published to NVD yet #1058

abscondment opened this issue Jul 28, 2023 · 17 comments

Comments

@abscondment
Copy link

A number of the CVEs fixed in the 6/20 releases (v16.20.1, v18.16.1, v20.3.1) are marked as RESERVED in mitre, and therefore have no corresponding NVD entry.

CVE-2023-30581 is a great example:

One impact of this is that some tools which rely on the Known Affected Software Configurations present in the CPE dictionary report these CVEs as unfixed in the patched versions.

@RafaelGSS
Copy link
Member

Hey, thanks for reporting it. I'll be looking to it during this week.

@abscondment
Copy link
Author

Hey @RafaelGSS, any updates on this? Thank you!

@RafaelGSS
Copy link
Member

We'll enter into contact with the HackerOne team. We requested the disclosure + publication of those CVEs a long time ago.

@RafaelGSS
Copy link
Member

It should be fixed in the next few days. I've manually requested disclosure of those reports, so CVE should be automatically published.

@Haxatron
Copy link

Hello, dropping by here. It seems weird that H1 doesn't publish the CVE without the report disclosure. In any case, I've disclosed of all outstanding reports on my end. Sorry for that!

@abscondment
Copy link
Author

Hey folks, just checking in to report that 4 of these are still not published:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590

If there's a public place I can comment on HackerOne, let me know and I will. I realize you've all done your parts in this chain :)

@mhdawson
Copy link
Member

@RafaelGSS for the ones listed by @abscondment have you already requested disclosure?

@RafaelGSS
Copy link
Member

@RafaelGSS for the ones listed by @abscondment have you already requested disclosure?

I did but sometimes the reporter doesn't want to disclose the report so the CVE isn't automatically published. Therefore, we'll need to manually change the public reference to link to a github issue or commit (possibly the patch one). I've asked the H1 team how to do it, but I didn't get an answer yet.

@RafaelGSS
Copy link
Member

I've just tried it for 30581, let's see if that gets published in the next 2 days.

@RafaelGSS
Copy link
Member

Nothing yet. @mhdawson do we have a contact in H1?

@mhdawson
Copy link
Member

@RafaelGSS I'll send you the email of the person I usually reach out to through slack

@RafaelGSS
Copy link
Member

Another attempt to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581. Let's see.

@RafaelGSS
Copy link
Member

Requested for CVE-2023-30585 to guarantee the workflow provided by H1 works.

@RafaelGSS
Copy link
Member

It worked. I just did it for the last ones.

@RafaelGSS
Copy link
Member

They were published.

@abscondment
Copy link
Author

Thank you!

nodejs-github-bot pushed a commit to nodejs/node that referenced this issue Nov 29, 2023
This was the workaround provided by HackerOne team

PR-URL: #50945
Refs: nodejs/security-wg#1058
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
targos pushed a commit to nodejs/node that referenced this issue Dec 4, 2023
This was the workaround provided by HackerOne team

PR-URL: #50945
Refs: nodejs/security-wg#1058
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
@RafaelGSS
Copy link
Member

RafaelGSS commented Dec 13, 2023

FWIW I wrote a repository to automatically check if the CVE was published to NVD.

https://github.com/RafaelGSS/nodejs-cve-checker

richardlau pushed a commit to nodejs/node that referenced this issue Mar 25, 2024
This was the workaround provided by HackerOne team

PR-URL: #50945
Refs: nodejs/security-wg#1058
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants