Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

CVE-2020-35728 - mapping to purls more than NVD described #112

Open
cg122 opened this issue Jan 14, 2022 · 2 comments
Open

CVE-2020-35728 - mapping to purls more than NVD described #112

cg122 opened this issue Jan 14, 2022 · 2 comments

Comments

@cg122
Copy link

cg122 commented Jan 14, 2022

As described in NVD:

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction ...

The current mapping includes later versions:

    "purls": [
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0-RC1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0-RC2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0-RC3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.0.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0-rc2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0-rc3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.2.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.1.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.1.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.1.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.3.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.5.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.4.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.0-rc2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.0-rc3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.0-rc4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.5.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0-rc2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0-rc3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.1-1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0.rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0.rc2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.7",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.8",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.7",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0.pr1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0.pr2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.8",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.8.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0.pr3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.9",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0.pr4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.10",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0.pr3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.7.9.7",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.11.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.0.rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.5",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.6",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.3",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0-rc1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.6.7.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0-rc2",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.0",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.5.1",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.7",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.11.4",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.9.4"
    ]
@MagielBruntink
Copy link
Member

MagielBruntink commented Jan 18, 2022
edited
Loading

The trouble with this one is that GHSA lists a non-existing Maven coordinate: com.fasterxml.jackson:jackson-databind: GHSA-5r5r-6hpj-8gg9

The proper coordinate is com.fasterxml.jackson.core:jackson-databind, which we list. However, on our end the versions are not correctly limited to the vulnerable range, and also the first_patched_purl we have is using the bad coordinate from GHSA: pkg:maven/com.fasterxml.jackson/jackson-databind@2.9.10.8

@MagielBruntink
Copy link
Member

MagielBruntink commented Jan 20, 2022
edited
Loading

The story is complicated, but it seems that things are working as intended for the most part.

Because GHSA names an incorrect Maven coordinate, we fall back to previous known purl mapping of the CPE cpe:2.3:a:fasterxml:jackson-databind, which is correctly pkg:maven/com.fasterxml.jackson.core/jackson-databind.

At that stage however, the version range of GHSA is also not used anymore to identify the vulnerable versions. Instead, the code checks here for all versions of the Maven package: https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/
which is then compared to the patch date to infer which versions are vulnerable. The patch date is correctly found to be 2020-12-26 as can be seen here: https://github.com/FasterXML/jackson-databind/issues/2999. All version before are assumed vulnerable, which is plausible IMO.

Checking back at Maven https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/ results in the list of versions listed above by @cg122, so that is working as intended.

I wonder why the version range is set differently in both the NVD and the GHSA data. Perhaps it's related to responsible disclosure?

There is one bug here, and that is the first_patched_purl in our data points to the wrong Maven coordinate pkg:maven/com.fasterxml.jackson/jackson-databind@2.9.10.8 because it has yanked that from the GHSA data without further validation.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cg122 @MagielBruntink