cve's Issues

Microsoft MotW under-assignment

Microsoft assigned two quite-different vulnerabilities to CVE-2022-41049. CNA rules state:

7.2.1 CNAs MUST NOT assign the same CVE ID to more than one independently fixable vulnerability.

CVE IDs are meant to track vulnerabilities not fixes.

CC @wdormann

Qualifications for being a CNA

Review and discuss criteria for becoming a CNA, to include mergers and acquisitions, and other criteria, including motivations and intent to overly abuse or misuse CVE.

CNA activity

Collecting several discussions, there are questions about how CNA membership is maintained.

ossf/wg-vulnerability-disclosures#139

  • Required activity, publishing CVE Records within a period of time?

  • Does the Program send heartbeat notifications?

  • Practice may be that CNAs are only removed if there is a complaint or specific reason (and perhaps also lack of publication)?

This may warrant explanation in the CNA Operational Rules revision.

insufficient evidence to determine vulnerability CVE-2023-33517

CVE-2023-33517 probably should not meet the requirement for "sufficient evidence" of a vulnerability. Check the vulnerability determination rules section.

Description:
"carRental 1.0 is vulnerable to Incorrect Access Control (Arbitrary File Read on the Back-end System)."

References:
https://gist.github.com/wushigudan/288ab32566615d8897c1da7ce7204838

Contents of that gist:

[CVE ID]
CVE-2023-33517
[PRODUCT]
carRental v1.0
[IVERSION]
v1.0
[PROBLEM TYPE]
Incorrect Access Control
[DESCRIPTION]
Arbitrary File Read on Back-end System

(This may be the affected Product: https://github.com/yeqifu/carRental)

EOL Policy: remove Temporary EOL Rules Inconsistency

The 'Temporary Rules Inconsistency' (Section 3 of EOL Vulnerability Assignment Process) has been addressed in the new CNA Operational Rules. Section 3.1.11 "Scope Definitions for EOL Products" now reflects the suggested wording from the EOL Vulnerability Assignment Process:

  • "A CNA MAY specify in its Scope Definition whether or not the CNA assigns CVE IDs for EOL Products.

  • If a CNA Scope Definition 1) specifies that the CNA does assign for EOL Products or 2) does not specify whether or not the CNA assigns for EOL Products, then vulnerabilities that may affect EOL products MUST be reported through the CNA’s vulnerability reporting and disclosure processes.

  • If a CNA Scope Definition 3) specifies that the CNA does not assign for EOL Products, then CVE assignment requests MUST be handled by an appropriate CNA-LR as described in the End-of-Life Vulnerability Assignment Process.

As the rules inconsistency is addressed in the new CNA Operational Rules, it should be removed from the EOL Vulnerability Assignment Process when new rules are published.

Secretariat should have complete editorial control

We very carefully and intentionally balance the CNA value proposition. Particularly for "vendor" CNAs, the CNA has significant influence (editorial control) over CVE Record content. This sometimes involves language about "ownership." In return, the Program benefits greatly from additional and distributed resources and efficient volunteer effort, since "vendor" CNAs are the least cost avoider (most likely to know the most about the vulnerabilities affecting their products).

With this in mind, as part of the current CNA Operational Rules revision, consider adding rules that make it clear that the Program owns all the content and the Secretariat retains complete editorial and content control.

Personal opinion, we're dabbling in a lot of complexity (more JSON, ADPs) when a simpler solution may be to let the Secretariat just make changes when needed.

(from CVEProject/strategic-planning-working-group#5)

cvelib-howto: update to demonstrate new features

cvelib-howto is old, probably missing new features. For example, CVE Services and JSON will soon support ADP.

Current CVE Services client help is focused on a Vulnogram how-to document for less-experienced users, may not be worth the effort to update cvelib-howto.

Dispute Policy: Change CNA ownership in case of incorrect scope

This is not specifically addressed in the CVE Program Policy and Procedure for Disputing a CVE Record, maybe it should be?

From CNA rules 3.0 https://www.cve.org/ResourcesSupport/AllResources/CNARules#appendix_c-1_dispute:

In the case the CVE Record was published by an out-of-scope CNA, the offending CNA’s Root shall invite the in-scope CNA to review and edit the CVE Record as appropriate. If at all possible, the originally published CVE ID should be preserved. If this results in a duplicate, split, or merged CVE Record, the rules on handling those conditions listed below shall apply.

Microsoft MotW indistinguishable descriptions

The descriptions for CVE-2022-41049 and CVE-2022-41091 are identical except for description text stating that each is not the other, and the descriptions do not convey sufficient information to uniquely identify the vulnerabilities.

CVE-2022-41049 description:

Windows Mark of the Web Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2022-41091.

CVE-2022-41091 description:

Windows Mark of the Web Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2022-41049.

These descriptions do seem to meet the minimum requirements in 8.2.3 (Vulnerability Type is provided):

8.2.3 MUST include one of the following:
a. Vulnerability Type
b. Root Cause
c. Impact

https://cve.mitre.org/cve/cna/CNA_Rules_v3.0.pdf

CC @wdormann

CNA (non) performance

Possibly in SPWG, a discussion came up about CNAs that do not assign and publish much, or even at all. Should some action be taken for such CNAs?

The proposed CNA Rules require that CNAs are responsive to probes, but there is no assignment or publication rate requirement.

CNAs who do not assign or publish (much) are essentially no cost to the Program, unless a non-responsive action is needed.
