Skip to content
This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

Incorrect vulnerability details CVE-2022-2191 #308

Closed
msymons opened this issue Jul 10, 2022 · 6 comments
Closed

Incorrect vulnerability details CVE-2022-2191 #308

msymons opened this issue Jul 10, 2022 · 6 comments
Labels
bug Something isn't working

Comments

@msymons
Copy link

msymons commented Jul 10, 2022
edited
Loading

Vulnerability URL

https://ossindex.sonatype.org/vulnerability/CVE-2022-2191?component-type=maven&component-name=org.eclipse.jetty/jetty-io

Component URL
One example of many...

https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/[email protected]

Description
The OSSI text for vulnerability CVE-2022-2191 states "In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions..." and yet OSSI is incorrectly matching against versions before 10.0.0

If the matching against (say) v9.4.43.v20210629 is deemed to be correct based on internal Sonatype research then the OSSI description text needs to be updated to make this explicitly clear.

I have dug into the GHSA advisories and things are confusing there. The one published in Jetty repo differs that the "official" GHSA... although both have the same id.

"Offical": https://github.com/advisories/GHSA-8mpp-f3f7-xc28 (< 10.0.10, >= 11.0.0, < 11.0.10)
"Jetty": https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28 (10.0.0 to 10.0.9, 11.0.0 to 11.0.9)

Also, note that both report that the vulnerability affects jetty-server and not jetty-io.
@msymons msymons added the bug Something isn't working label Jul 10, 2022
@msymons msymons changed the title Incorrect vulnerability details Incorrect vulnerability details CVE-2022-2191 Jul 10, 2022
@msymons
Copy link
Author

msymons commented Jul 11, 2022
edited
Loading

I emailed webtide security and received a response in less than 10 minutes...

The database version at https://github.com/advisories/GHSA-8mpp-f3f7-xc28 has the original ranges.

This invalid range was pointed out in our issue tracker at
jetty/jetty.project#8161 (comment)

And a ticket to update the range has been submitted at
github/advisory-database#489

The official advisory at https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28 was updated.
We expect the database version to be updated once github reviews the changes.

ie, this confirms that versions lower than 10.0.0 are not affected by this vulnerability

@joakime
Copy link

joakime commented Jul 12, 2022

The github advisory database version has had it's version range updated a few minutes ago ...

GHSA-8mpp-f3f7-xc28

@joakime
Copy link

joakime commented Jul 12, 2022
edited
Loading

For the record, I'm the one that responded to @msymons from "webtide security" portion of his comment with that exact text that he copy/pasted into this issue.
I'm also an Eclipse Jetty committer - https://github.com/eclipse/jetty.project/graphs/contributors

@ken-duck
Copy link
Contributor

Looks like our researchers got at this one already. Looking at the chart here seems to indicate the issue has been resolved: https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-io

@msymons
Copy link
Author

msymons commented Jul 12, 2022

@ken-duck, now what we need is for MITRE to support SWID or PURL so that these kinds of problems can be more easily avoided.

I so hate CPE.

@msymons
Copy link
Author

msymons commented Jul 13, 2022

@ken-duck, the issue has been resolved for jetty-io but not replaced by jetty-server. Thus the vuln is now not alerting against anything that I can see.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@joakime @msymons @ken-duck