CVEs fixed in the 6/20 releases not published to NVD yet #1058
Comments
Hey, thanks for reporting it. I'll be looking into it during this week.
Hey @RafaelGSS, any updates on this? Thank you!
We'll enter into contact with the HackerOne team. We requested the disclosure + publication of those CVEs a long time ago.
It should be fixed in the next few days. I've manually requested disclosure of those reports, so the CVEs should be automatically published.
Hello, dropping by here. It seems weird that H1 doesn't publish the CVE without the report disclosure. In any case, I've disclosed all outstanding reports on my end. Sorry for that!
Hey folks, just checking in to report that 4 of these are still not published: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581 If there's a public place I can comment on HackerOne, let me know and I will. I realize you've all done your parts in this chain :)
@RafaelGSS for the ones listed by @abscondment have you already requested disclosure?
I did, but sometimes the reporter doesn't want to disclose the report, so the CVE isn't automatically published. Therefore, we'll need to manually change the public reference to link to a GitHub issue or commit (possibly the patch one). I've asked the H1 team how to do it, but I didn't get an answer yet.
I've just tried it for 30581, let's see if that gets published in the next 2 days.
Nothing yet. @mhdawson do we have a contact in H1?
@RafaelGSS I'll send you the email of the person I usually reach out to through Slack.
Another attempt to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581. Let's see.
Requested for CVE-2023-30585 to guarantee the workflow provided by H1 works.
It worked. I just did it for the last ones.
They were published.
Thank you!
This was the workaround provided by HackerOne team
PR-URL: #50945
Refs: nodejs/security-wg#1058
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
FWIW I wrote a repository to automatically check if the CVE was published to NVD. https://github.com/RafaelGSS/nodejs-cve-checker
A number of the CVEs fixed in the 6/20 releases (v16.20.1, v18.16.1, v20.3.1) are marked as RESERVED in MITRE, and therefore have no corresponding NVD entry.
CVE-2023-30581 is a great example:
One impact of this is that some tools which rely on the Known Affected Software Configurations present in the CPE dictionary report these CVEs as unfixed in the patched versions.