Incorrect severity reported from ossindex data #6734

Open
mwardell-agfa opened this issue Jun 21, 2024 · 1 comment

@mwardell-agfa

Describe the bug
CVE-2024-28752, which is CRITICAL according to ossindex, is reported as HIGH by dependency-check.

Version of dependency-check used
The problem occurs using version 9.2.0 of the CLI.

To Reproduce

  1. Get the problem jar:
     wget https://repo1.maven.org/maven2/org/apache/cxf/cxf-core/3.4.10/cxf-core-3.4.10.jar

  2. Run the CLI:
     dependency-check.sh --format json --nvdApiKey XXXXXXX -s . --log log.txt

  3. Dump the JSON (excerpt):

           "vulnerabilities": [
                {
                    "source": "OSSINDEX",
                    "name": "CVE-2024-28752",
                    "severity": "HIGH",
                    "cvssv2": {
                        "score": 9.300000190734863,
                        "accessVector": "NETWORK",
                        "accessComplexity": "LOW",
                        "authenticationr": "$enc.json($vuln.cvssV2.cvssData.authentication)",
                        "confidentialityImpact": "$enc.json($vuln.cvssV2.cvssData.confidentialityImpact)",
                        "integrityImpact": "$enc.json($vuln.cvssV2.cvssData.integrityImpact)",
                        "availabilityImpact": "$enc.json($vuln.cvssV2.cvssData.availabilityImpact)",
                        "severity": "HIGH",
                        "version": "2.0"
                    },
                    "cwes": [

Expected behavior
Expected severity of CRITICAL, but it is recorded as HIGH.

Additional context

log.txt shows this request:

DEBUG - POST https://ossindex.sonatype.org/api/v3/component-report; payload: {"coordinates":["pkg:maven/org.apache.cxf/cxf-core@3.4.10"]} (application/vnd.ossindex.component-report-request.v1+json); accept: application/vnd.ossindex.component-report.v1+json
2024-06-21 16:04:35,761 org.sonatype.ossindex.service.client.transport.HttpUrlConnectionTransport:89
DEBUG - Connecting to: https://ossindex.sonatype.org/api/v3/component-report
2024-06-21 16:04:36,284 org.sonatype.ossindex.service.client.internal.OssindexClientImpl:184
DEBUG - 1 component-reports; 538.3 ms
2024-06-21 16:04:36,286 org.owasp.dependencycheck.analyzer.OssIndexAnalyzer:248
DEBUG - Enrich dependency: Dependency{ fileName='cxf-core-3.4.10.jar', actualFilePath='/home/axehm/dev/depcheck/target/cxf-core-3.4.10.jar', filePath='/home/axehm/dev/depcheck/target/cxf-core-3.4.10.jar', packagePath='/home/axehm/dev/depcheck/target/cxf-core-3.4.10.jar'}
2024-06-21 16:04:36,286 org.owasp.dependencycheck.analyzer.OssIndexAnalyzer:252
DEBUG -   Package: pkg:maven/org.apache.cxf/cxf-core@3.4.10 -> HIGH

Making the same OSSINDEX request (payload single-quoted so the shell passes the JSON through intact):

curl -X POST -H "Content-Type: application/vnd.ossindex.component-report-request.v1+json" -d '{"coordinates":["pkg:maven/org.apache.cxf/cxf-core@3.4.10"]}' https://ossindex.sonatype.org/api/v3/component-report | jq

output:

[
  {
    "coordinates": "pkg:maven/org.apache.cxf/[email protected]",
    "description": "Apache CXF Core",
    "reference": "https://ossindex.sonatype.org/component/pkg:maven/org.apache.cxf/[email protected]?utm_source=curl&utm_medium=integration&utm_content=8.6.0",
    "vulnerabilities": [
      {
        "id": "CVE-2024-28752",
        "displayName": "CVE-2024-28752",
        "title": "[CVE-2024-28752] CWE-918: Server-Side Request Forgery (SSRF)",
        "description": "A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.\n\n",
        "cvssScore": 9.3,
        "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "cwe": "CWE-918",
        "cve": "CVE-2024-28752",
        "reference": "https://ossindex.sonatype.org/vulnerability/CVE-2024-28752?component-type=maven&component-name=org.apache.cxf%2Fcxf-core&utm_source=curl&utm_medium=integration&utm_content=8.6.0",
        "externalReferences": [
          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-28752",
          "https://github.com/advisories/GHSA-qmgx-j96g-4428"
        ]
      }
    ]
  }
]

It returns a CVSS:4.0 vector; maybe that is related.

Scoring that vector confirms the 9.3 score, but with a critical severity:

https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

shows:

CVSS v4.0 Score: 9.3 / Critical
Macro vector: 000200
Exploitability: High
Complexity: High
Vulnerable system: High
Subsequent system: Low
Exploitation: High
Security requirements: High

The Web UI also confirms it has critical severity: https://ossindex.sonatype.org/vulnerability/CVE-2024-28752?component-type=maven&component-name=org.apache.cxf%2Fcxf-core&utm_source=dependency-check&utm_medium=integration&utm_content=9.2.0

Similar to the closed issue #5598, but that one seems related to CVSS 3.1 vectors and this one maybe to CVSS 4 vectors.

@aikebah
Collaborator

aikebah commented Jun 21, 2024

Same root cause indeed: not supporting CVSS version 4 and then putting the data it does detect into a CVSS v2 structure.
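As an added example (not part of this issue thread, and not dependency-check's or OSS Index's own code), the following Python script shows the mechanism aikebah describes and how a consumer of the JSON report can catch it: the same 9.3 score is "High" on the CVSS v2 qualitative scale (which tops out at High) but "Critical" on the v3.x/v4.0 scale, so a v4 score written into a cvssv2 block is downgraded. It uses the OSS Index record and the dependency-check report entry quoted above as sample input (description trimmed), assumes a vector without a "CVSS:" prefix is v2, and also flags the unrendered "$enc.json(...)" template placeholders visible in the report excerpt. The function names (cvss_version, qualitative_severity, audit_entry) are this example's own.

```python
"""Audit a dependency-check JSON vulnerability entry against the OSS Index
record it was derived from: re-score with the scale of the CVSS version the
vector declares, and flag structural problems in the report entry."""
import json

# Qualitative severity rating scales (lower bound, label).
# CVSS v2 (NVD scale) has no "Critical" band: 7.0-10.0 is simply "High".
# CVSS v3.x and v4.0 share a scale that adds a 9.0-10.0 "Critical" band.
SCALE_V2 = [(0.0, "LOW"), (4.0, "MEDIUM"), (7.0, "HIGH")]
SCALE_V3_V4 = [(0.0, "NONE"), (0.1, "LOW"), (4.0, "MEDIUM"),
               (7.0, "HIGH"), (9.0, "CRITICAL")]


def cvss_version(vector: str) -> str:
    """Version declared by a vector: v3.x/v4.0 vectors start with 'CVSS:<ver>/'.
    Assumption for this example: a vector without that prefix is CVSS v2."""
    if vector.startswith("CVSS:"):
        return vector.split("/", 1)[0][len("CVSS:"):]
    return "2.0"


def qualitative_severity(score: float, version: str) -> str:
    """Map a numeric score to the qualitative label of the given CVSS version."""
    scale = SCALE_V2 if version.startswith("2") else SCALE_V3_V4
    label = scale[0][1]
    for floor, name in scale:
        if score >= floor:
            label = name
    return label


def audit_entry(report_vuln: dict, source_vuln: dict) -> list:
    """Return a list of human-readable problems found in one report entry."""
    problems = []
    version = cvss_version(source_vuln["cvssVector"])
    score = float(source_vuln["cvssScore"])
    expected = qualitative_severity(score, version)
    if report_vuln["severity"] != expected:
        problems.append(f"severity {report_vuln['severity']} reported, but a "
                        f"CVSS {version} score of {score} rates {expected}")
    # A v3/v4 vector stored under cvssv2 is the root cause from this issue.
    stored = report_vuln.get("cvssv2")
    if stored and not version.startswith("2"):
        problems.append(f"CVSS {version} data stored in a cvssv2 block "
                        f"(block says version {stored.get('version')})")
    # Unrendered template placeholders leak the report template, not data.
    for block in ("cvssv2", "cvssv3"):
        for key, value in (report_vuln.get(block) or {}).items():
            if isinstance(value, str) and value.startswith("$"):
                problems.append(f"{block}.{key} is an unrendered placeholder: {value}")
    return problems


# Sample input taken from the issue text above (description trimmed).
REPORT_ENTRY = json.loads("""{
  "source": "OSSINDEX", "name": "CVE-2024-28752", "severity": "HIGH",
  "cvssv2": {
    "score": 9.300000190734863, "accessVector": "NETWORK", "accessComplexity": "LOW",
    "authenticationr": "$enc.json($vuln.cvssV2.cvssData.authentication)",
    "confidentialityImpact": "$enc.json($vuln.cvssV2.cvssData.confidentialityImpact)",
    "integrityImpact": "$enc.json($vuln.cvssV2.cvssData.integrityImpact)",
    "availabilityImpact": "$enc.json($vuln.cvssV2.cvssData.availabilityImpact)",
    "severity": "HIGH", "version": "2.0"
  }
}""")

OSSINDEX_VULN = json.loads("""{
  "id": "CVE-2024-28752", "cvssScore": 9.3, "cwe": "CWE-918",
  "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
}""")

if __name__ == "__main__":
    for problem in audit_entry(REPORT_ENTRY, OSSINDEX_VULN):
        print(f"{REPORT_ENTRY['name']}: {problem}")
```

Run against the sample, the first finding is the severity downgrade (HIGH reported, CRITICAL expected from the v4.0 vector), followed by the v4-in-cvssv2 structural finding and one line per unrendered placeholder. The same check applied to a CVSS v2 vector returns no severity finding, because on that scale 9.3 really is "High".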


3 participants