Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing advisories for npm packages from CVE-2024-4067 #4548

Open
aarongoldenthal opened this issue Jun 23, 2024 · 6 comments
Open

Missing advisories for npm packages from CVE-2024-4067 #4548

aarongoldenthal opened this issue Jun 23, 2024 · 6 comments

Comments

@aarongoldenthal
Copy link

The npm packages braces and micromatch have been reported as susceptible to CVE-2024-4067. While the CVE and advisory are officially "unreviewed", the vulnerabilities have been clearly established and reported to the maintainers with no response here and here.

Given the current state of NVD data and the lengthy backlog of CVE's needing review, this advisory should be promoted and mapped to the applicable npm packages given the additional supporting data (it is currently not mapped to any npm packages, which is inaccurate).

@aarongoldenthal aarongoldenthal closed this as not planned Won't fix, can't repro, duplicate, stale Jun 30, 2024
@aarongoldenthal
Copy link
Author

After further review, while there seems to be some questions still floating around about the viability of this CVE, the packages themselves were updated to protect against it, so not sure why they should not be mapped to this advisory.

@jayvdb
Copy link

jayvdb commented Aug 22, 2024

Hi @aarongoldenthal and @darakian and @hauserkristof, yesterday #4713 was merged, which I guess is why GHSA-952p-6rrq-rcjv now says "Github Reviewed", and we've had one PR here to escalate this further #4714 .

There is feedback from the maintainer at micromatch/micromatch#264 (comment)

And my initial investigation concludes that they maintainer is correct that this advisory is problematic. micromatch/micromatch#264 (comment)

@darakian
Copy link
Contributor

So, this CVE was assigned by Checkmarx
https://nvd.nist.gov/vuln/detail/CVE-2024-4067
if the goal is to get the CVE revoked then you should really reach out to them. That said, I think the best route forward from where we are is to wait for the 4.0.8 release and to update the advisory with that as a fixed release. Not ideal I know, but it seems like the least friction to me. Thoughts?

@jayvdb
Copy link

jayvdb commented Aug 22, 2024

I have emailed Checkmarx just now.

@darakian
Copy link
Contributor

Right on. Keep me in the loop and let me know how that line evolves. 👍

@aarongoldenthal
Copy link
Author

Thanks @jayvdb and @darakian. My goal wasn't specifically to get the CVE revoked, but until a few days ago the advisory had a reference to micromatch in the description, but not a mapping to the project, so tools like OSV Scanner that use this database were not flagging it (although tools like OWASP Dependency Check were). That discrepancy was really my concern, but that is resolved as of a few days ago (and it is being flagged).

I know there's a heated battle on whether it is or isn't a vulnerability, which I'm happy to let play out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants