There seems to be something wrong with CVE-2017-16138 #469

Closed
dougwilson opened this issue Jan 3, 2019 · 10 comments

Comments

@dougwilson
Member

Hi, I'm not sure if this is the right place to report this, but my understanding is that this is the group that manages the Node.js CVEs.

Recently I started getting reports that something is detecting CVE-2017-16138 as present in the latest version of Express.js, because it is detecting that the dependency mime 1.4.1 is vulnerable to CVE-2017-16138.

Unfortunately this is incorrect, as 1.4.1 was the specific release made to fix that CVE.

No, I don't yet know what software is alerting on this, as everyone so far who has reported it has simply ghosted and never followed up.

I even got a few who posted this as a public issue on GitHub (though the majority of the reports were through private channels): expressjs/express#3841

Is there anything that just needs to be updated in CVE-2017-16138 to correct this? What can we do?

@dougwilson
Member Author

If it helps, the npm site has the full list of which versions are vulnerable vs not: https://www.npmjs.com/advisories/535/versions
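As an added example (not code from mime, Express, or the Node.js Security WG), here is the check a dependency scanner should make before flagging a version: compare the installed version numerically against the advisory's half-open vulnerable ranges, so that the fixed release named above, mime 1.4.1, falls outside them. The 2.x boundary in the range table is an assumed placeholder, since this thread does not state it; the inclusive-bound variant is included only to show how a misread upper bound produces exactly the false positive described here, not as a claim about what any particular scanner did.

```javascript
// Added example for this thread (not code from mime, Express, or the Node.js
// Security WG): check an installed dependency version against an advisory's
// vulnerable ranges with a proper semver comparison, so a boundary release
// such as mime 1.4.1 (the fix named in the thread) is reported as NOT vulnerable.

// "1.4.1" -> [1, 4, 1]. Prerelease/build suffixes are out of scope here.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Component-wise numeric comparison: -1, 0 or 1. A plain string comparison
// would order "1.10.0" before "1.4.1", which is one classic scanner bug.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A vulnerable range is the half-open interval [introduced, fixed): the
// fixed release itself is safe. fixed === null means no fix in that line.
function inVulnerableRange(version, range) {
  if (compareVersions(version, range.introduced) < 0) return false;
  if (range.fixed === null) return true;
  return compareVersions(version, range.fixed) < 0;
}

// The same check with an inclusive upper bound ("<=" instead of "<"). This
// is one way a consumer can misread advisory data; it is shown here only to
// illustrate the false positive on the fixed release.
function inVulnerableRangeInclusive(version, range) {
  if (compareVersions(version, range.introduced) < 0) return false;
  if (range.fixed === null) return true;
  return compareVersions(version, range.fixed) <= 0;
}

// Constructed advisory data for the mime package. The 1.x boundary (fixed in
// 1.4.1) is stated in the thread; the 2.x boundary is an ASSUMED placeholder
// not given in the thread, so confirm it against the npm advisory page.
const MIME_VULNERABLE_RANGES = [
  { introduced: '0.0.0', fixed: '1.4.1' },
  { introduced: '2.0.0', fixed: '2.0.3' },
];

function isVulnerable(version, ranges = MIME_VULNERABLE_RANGES) {
  return ranges.some((r) => inVulnerableRange(version, r));
}

function isFlaggedByInclusiveCheck(version, ranges = MIME_VULNERABLE_RANGES) {
  return ranges.some((r) => inVulnerableRangeInclusive(version, r));
}

// What a scanner should report for one lockfile entry.
function report(name, version) {
  return `${name}@${version}: ${isVulnerable(version) ? 'VULNERABLE' : 'not vulnerable'}`;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const v of ['1.3.6', '1.4.1', '1.6.0', '2.0.0', '2.0.3']) {
    console.log(report('mime', v));
  }
  console.log('inclusive (buggy) check on 1.4.1:', isFlaggedByInclusiveCheck('1.4.1'));
}
```

Run with `node` to see 1.4.1 and 1.6.0 reported as not vulnerable while the inclusive variant still flags 1.4.1; that difference is the whole gap between the npm advisory's version list and the reports Express users were receiving.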

@lirantal lirantal self-assigned this Jan 3, 2019
@lirantal
Member

lirantal commented Jan 3, 2019

Hi Doug,
Thanks for bringing this up.

Looks like you are correct with regard to 1.4.1 not being vulnerable, and I can assume that the fix was backported after the CVE was requested, which is why it's not in the original CVE report. Also, it seems that the CVE was requested through HackerOne, but probably with an older process than what we have today, which is perhaps why I can't find the entry for it in our database.

I will email HackerOne support to see if they can help update this information, but it's not an immediate action and will take some time for them to process it through their support queue and such.

Is there anything else we can do to help?

@dougwilson
Member Author

I can assume that the fix was backported after the CVE was requested and that's why it's not in the original CVE report.

No, it was never backported. Both the 2.x and 1.x lines are maintained in that module. The fix was released for both majors at the same time: broofa/mime#167 (comment)

Is there anything else we can do to help?

Maybe if there is just somewhere I can point people to? I am trying to enjoy the holiday but am getting multiple emails a day, and some are not very nice.

@lirantal
Member

lirantal commented Jan 3, 2019

You can point to the npm page as you did in the thread.
Specifically, the Snyk vuln page shows clearly in the title that 1.4.1 is not vulnerable:
[image: screenshot of the Snyk vulnerability page]

Hope you get to enjoy the holiday. It will not help you with email, but perhaps consider leaving the security issue on GitHub open so people can see it and the discussion there; otherwise they might go ahead and create new issues and you'll keep closing them.

@lirantal
Member

lirantal commented Jan 3, 2019

Support ticket to HackerOne opened: 257136

@dougwilson
Member Author

consider having the security issue on github open so people can see it and the discussion there

Good point. I just did, and updated the title, so hopefully it helps versus people posting "update mime" over and over :)

@lirantal
Member

lirantal commented Jan 3, 2019

Sure thing.
Go enjoy your vacation, I will monitor that thread in the express repo and answer promptly to anything that I can help with :-)

@lirantal
Member

lirantal commented Jan 4, 2019

@dougwilson I have a positive update from the folks at HackerOne on this:

It sounds like NVD probably interpreted the vulnerable versions incorrectly. Additionally, the description and versions on the CVE are not as clear as we would like. So the actions we'll take here:

  • contact NVD to see if they can fix the incorrect versions
  • update the CVE to add vulnerable versions in the description and fixed versions in the version field

I'll keep you posted.

@lirantal
Member

lirantal commented Feb 9, 2019

The issue is still open in H1, and their support hasn't gotten back to me after several pings on my part.

@lirantal
Member

This has been attended to so I'm closing.

2 participants