Extend GitHub's CNA scope #2718
Comments
|
If you need more examples of such CVEs, other notable projects on Github which have faced this issue in recent past include: keepassxc, scipy, h2. I have compiled a list and some links while trying to assess how bad it really is: https://github.com/vin01/bogus-cves |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
(Possibly this is the wrong place for this request; in that case please point me to where I should request this instead)
TLDR: Extend GitHub's CNA scope so that MITRE or other CNAs cannot file bogus CVE entries for GitHub projects anymore.
In the past there have been multiple bogus CVE IDs assigned for projects on GitHub where the maintainers were either not properly informed, or not informed at all. Some examples are:
(and discussion in according to some vulnerability databases, dom4j is affected by CVE-2023-45960 dom4j/dom4j#171)
(and discussion in Stack overflow error caused by serialization of
Mapwith cyclic dependency -- NOT CVE FasterXML/jackson-databind#3972)(and discussion in Yii 2 <= 2.0.47 SQL Injection Vulnerability yiisoft/yii2#19755)
(and discussion in [CVE-2022-37598]/ Prototype pollution found in ast.js mishoo/UglifyJS#5699 (comment))
(and discussion in nvalid IPv6 URL aio-libs/aiohttp#6772)
(and blog post https://daniel.haxx.se/blog/2023/09/05/bogus-cve-follow-ups/ by maintainer)
In all those cases MITRE was the CNA who assigned the CVE ID.
These CVE entries harm everyone involved:
The CVE site describes MITRE as "CNA of Last Resort" for vulnerabilities which are "not already covered by a CNA listed on this website".
Some of the affected projects (curl and Jackson) are now considering to become their own CNA just to prevent bogus CVEs filed against their projects. This is certainly not the solution to this issue, otherwise you end up with hundreds or thousands of CNAs, and being their own CNA probably also adds additional work for project maintainers.
Nowadays many popular GitHub projects have their own procedure for how vulnerabilities should be reported (described in
SECURITY.mdfiles), and are working together with other CNAs, such as HackerOne to handle vulnerability reports.Additionally, every GitHub project can request a CVE ID themselves, see the documentation.
The CNA scope of GitHub is currently:
Maybe this should be extended so that other CNAs cannot by default file CVEs for GitHub projects, except for rare cases like arbitration or for unmaintained repositories, or when these CNAs are working together with the maintainers already, e.g. HackerOne for some repositories.
For comparison, GitLab's CNA scope is more extensive:
And in the past years the only disputed CVE for a project hosted on GitLab I could find was CVE-2022-35414, and that actually seems to be reasonable report.
Possibly my script to find these CVEs was not reliable enough, or maybe there are not as much projects on GitLab as on GitHub, but it could also indicate that their CNA scope did actually prevent bogus CVE requests.
I have also sent a similar request to MITRE asking them to reject CVE requests for GitHub projects in most cases and tell the requester to contact the repository maintainers instead, with the same reasoning mentioned above.
What do you think?
Maybe there are current cases though where some maintainers don't want to request a CVE ID themselves, and prefer if the reporter does this. Though possibly because the maintainers are not aware that they can use GitHub Advisories to request a CVE ID?
The text was updated successfully, but these errors were encountered: