Data quality issue with CVE-2021-42384 #2128

ASKAC0810 · 2024-04-22T03:18:22Z

The CVE ID
CVE-2021-42384

Describe the data quality issue observed
When I searched this CVE ID from osv.dev, I got different result with NVD when echo system is GIT.
Result of osv.dev

The affected version shows as below image

Result of NVD

The affected version shows as below image

The "From" (1_18_0) and and "Up to" (1_33_1) version are both the same between osv.dev and NVD.

However, osv.dev does not link this CVE to all tag version .

For example, I use the busybox v1.30.1, the tag ID is 1_30_1 , and the GIT commit hash is as following
1dd2685dcc735496d7adde87ac60b9434ed4a04c

As you can see, CVE-2021-42384 can not be found on osv.dev and osv-scanner tool with this version.

Suggested changes to record
Link CVE to all tag version between from and Up .

Hope my description is clear :)
Thank you very much.

andrewpollock · 2024-06-20T01:38:18Z

Confirmed that 1dd2685dcc735496d7adde87ac60b9434ed4a04c is tagged as 1.30.1:

$ git ls-remote https://github.com/mirror/busybox | fgrep 1dd2685dcc735496d7adde87ac60b9434ed4a04c
1dd2685dcc735496d7adde87ac60b9434ed4a04c        refs/heads/1_30_stable
1dd2685dcc735496d7adde87ac60b9434ed4a04c        refs/tags/1_30_1

Confirmed that querying for 1dd2685dcc735496d7adde87ac60b9434ed4a04c only returns CVE-2023-39810 and not CVE-2021-42384:

$ curl -d \
  '{"commit": "1dd2685dcc735496d7adde87ac60b9434ed4a04c"}' \
  "https://api.osv.dev/v1/query"
{"vulns":[{"id":"CVE-2023-39810","details":"An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.","modified":"2024-05-14T12:59:18.428091Z","published":"2023-08-28T19:15:07Z","references":[{"type":"ARTICLE","url":"https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability/"},{"type":"WEB","url":"http://busybox.com"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mirror/busybox","events":[{"introduced":"0"},{"last_affected":"1dd2685dcc735496d7adde87ac60b9434ed4a04c"},{"last_affected":"db726ae0c61ffec6b58e19749e0c63aaaf4f6989"}]}],"versions":["0_29alpha2","0_32","0_33","0_34","0_36","0_39","0_40","0_41","0_42","0_43","0_43pre1","0_45","0_46","0_47","0_48","0_49","0_50","0_51","0_52","0_60_0","0_60_1","0_60_2","0_60_3","0_60_4","0_60_5","1_00","1_00_pre1","1_00_pre10","1_00_pre2","1_00_pre3","1_00_pre4","1_00_pre5","1_00_pre6","1_00_pre7","1_00_pre8","1_00_pre9","1_00_rc1","1_00_rc2","1_00_rc3","1_10_0","1_12_0","1_14_0","1_15_0","1_16_0","1_17_0","1_18_0","1_19_0","1_1_0","1_1_1","1_20_0","1_21_0","1_22_0","1_23_0","1_24_0","1_25_0","1_26_0","1_27_0","1_28_0","1_29_0","1_2_0","1_30_0","1_30_1","1_31_0","1_32_0","1_33_0","1_33_1","1_33_2","1_4_0","1_8_0","1_9_0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-39810.json"}}],"schema_version":"1.6.0","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}]}

andrewpollock · 2024-06-20T02:17:05Z

Version enumeration does not appear to be identifying 1.30.1 or the 1_30_1 tag, by the looks of it, so it stands to reason it's also not enumerating the related commits (note the lack of this in the `versions` array):

$ ~/bin/analyze_this.prod CVE-2021-42384
Copying gs://cve-osv-conversion/osv-output/CVE-2021-42384.json...
/ [0 files][    0.0 B/  5.4 KiB]                                                
/ [0 files][  5.4 KiB/  5.4 KiB]                                                
-
- [1 files][  5.4 KiB/  5.4 KiB]                                                
Operation completed over 1 objects/5.4 KiB.                                      
INFO:root:Analyzing /tmp/CVE-2021-42384.json
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
ERROR:root:Tried to enumerate alpine version without workdir being set
INFO:root:Cloning https://github.com/mirror/busybox to /tmp/tmpwev3m37i
INFO:root:Finding equivalent regress commit to 5ab20641d687bfe4d86d255f8c369af54b6026e7 in refs/remotes/origin/1_33_stable in https://github.com/mirror/busybox
INFO:root:Finding equivalent last_affected commit to bcc5b0e6caca6c7602a6a41faa5f980292e0fbc5 in refs/remotes/origin/1_33_stable in https://github.com/mirror/busybox
INFO:root:Getting commits 5ab20641d687bfe4d86d255f8c369af54b6026e7..bcc5b0e6caca6c7602a6a41faa5f980292e0fbc5 from https://github.com/mirror/busybox
INFO:root:Writing changes.
{
  "id": "CVE-2021-42384",
  "details": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function",
  "modified": "2024-06-20T02:14:49.586561Z",
  "published": "2021-11-15T21:15:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://security.netapp.com/advisory/ntap-20211223-0002/"
    },
    {
      "type": "ARTICLE",
      "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/"
    },
    {
      "type": "WEB",
      "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/"
    }
  ],
  "affected": [
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.11",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.31.1-r11"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.12",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.31.1-r21"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.13",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.32.1-r7"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.14",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.33.1-r6"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.15",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0-r0"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.16",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0-r0"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.17",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0-r0"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.18",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0-r0"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.19",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0-r0"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "package": {
        "name": "busybox",
        "ecosystem": "Alpine:v3.20",
        "purl": "pkg:apk/alpine/busybox?arch=source"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.34.0-r0"
            }
          ]
        }
      ],
      "versions": []
    },
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/mirror/busybox",
          "events": [
            {
              "introduced": "5ab20641d687bfe4d86d255f8c369af54b6026e7"
            },
            {
              "last_affected": "bcc5b0e6caca6c7602a6a41faa5f980292e0fbc5"
            }
          ]
        }
      ],
      "versions": [
        "1_18_0",
        "1_19_0",
        "1_20_0",
        "1_21_0",
        "1_22_0",
        "1_23_0",
        "1_24_0",
        "1_25_0",
        "1_26_0",
        "1_27_0",
        "1_28_0",
        "1_29_0",
        "1_30_0",
        "1_31_0",
        "1_32_0",
        "1_33_0",
        "1_33_1"
      ]
    }
  ],
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
    }
  ]
}

andrewpollock · 2024-06-20T02:22:15Z

My current conclusion is that this is an issue in the version enumeration/repository analysis code and not the CVE conversion itself.

ASKAC0810 added the data quality Issues with data quality label Apr 22, 2024

ASKAC0810 changed the title ~~CVE-2021-42384~~ Data quality issue with CVE-2021-42384 Apr 22, 2024

oliverchang assigned andrewpollock Apr 22, 2024

andrewpollock added worker Worker-related infrastructure bug Something isn't working labels Jun 20, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Data quality issue with CVE-2021-42384 #2128

Data quality issue with CVE-2021-42384 #2128

ASKAC0810 commented Apr 22, 2024

andrewpollock commented Jun 20, 2024

andrewpollock commented Jun 20, 2024 •

edited

Loading

andrewpollock commented Jun 20, 2024

Data quality issue with CVE-2021-42384 #2128

Data quality issue with CVE-2021-42384 #2128

Comments

ASKAC0810 commented Apr 22, 2024

andrewpollock commented Jun 20, 2024

andrewpollock commented Jun 20, 2024 • edited Loading

andrewpollock commented Jun 20, 2024

andrewpollock commented Jun 20, 2024 •

edited

Loading