Data Quality Issue / Spec Uncertainty: Multiple "fixed" Events for a single "introduced" event in CVE-2024-21534

[krysklyk]

I've been tracking why none of the security scanners detect my honeypot npm project with a dependency on [email protected]. I think I tracked it down to the source data but I'm not sure if the source is wrong, because the specification isn't quite clear to me on this case:

We can see that the source has a single introduced event, followed by a fixed which was release with 10.0.0 but later found to be incomplete, and then another fixed event for the fix in 10.0.7. The description is correctly stating that the fix in 6b2f1b (10.0.0) was incomplete and the first version without known exploit is b70aa7 / 10.0.7 However, OSV interprets this as "versions before 10.0.0 are affactected", resulting in false negatives on 10.0.0..10.0.6.

{
  "id": "CVE-2024-21534",
  "details": "Versions of the package jsonpath-plus before 10.0.7 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node.\r\r**Note:**\r\rThere was an attempt to fix it in version [10.0.0](https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226).",
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/jsonpath-plus/jsonpath",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6b2f1b4c234292c75912b790bf7e2d7339d4ccd3"
            },
            {
              "fixed": "b70aa713553caf838a63bac923195a5bc541fd72"
            }
          ]
        }
      ]
    }
  ],
...
}

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[andrewpollock]

Thanks for bringing this to our attention.

This is one of the challenges with programmatically converting records from the NVD...

I note that for https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-21534 at time of writing:

• the NVD is yet to perform analysis on it, so it has no machine-readable applicability information
• our conversion process is resorting to treating the two (and this is where the problem lies) commit references as fixed commits

I'm not immediately seeing a good path forward for scenarios like this one, unfortunately, other than opting not to convert CVEs at all in this particular scenario (we tend to bias against false positives but false negatives are also not great either...). /cc @oliverchang

We are giving thought to also attempting to convert the CVEs from the CVE List directly, and looking at https://cveawg.mitre.org/api/cve/CVE-2024-21534 I can see that there's the possibility of a more accurate conversion from there.

In the short term, once the NVD analyses this record, its conversion story should improve.