Content of CVE text, and propagation of updates

[anargam]

Select Topic Area

Question

Body

A repository can enable Github Security Advisories, and potentially request a CVE. This question concerns the contents of the CVE text, as the draft and published GHSA may change over time. In at least one case, the body of the CVE advisory differs from the one of the GHSA at the time the GHSA was published (the difference is not only the standard addition of a projcet description at the top of the advisory). I suspect that a check is performed at the time of requesting, but I (as a reporter, not repo admin) don't know of mechanisms to provide updates.

Thus

• is the CVE body fixed and fixed and based on the time the CVE was requested from Github? Can a repo owner do something to ask for a re-check and update of the text, if this is done manually? There may have been anything from cosmetic updates to new findings, affected version ranges etc between the time a CVE number was requested for the draft advisory, and when it is published.

My current case in point is CVE-2024-25633/GHSA v677-8x8p-636v (which differ at the time of writing), but the question is more general.

This may be especially important as draft advisories are part of a reporting mechanism that may contain too detailed a problem description, PoC:s etc.

• similarly, a github advisory may be updated subsequent to it being published. Does this information propagate? When? Should a repository owner do something manually?

There is a help page regarding editing advisories but I can't seem to find this information there.

A similar question appears to be #33954 from 2022. This was left unanswered, but the NVD information requested appears to have been updated since then, in accordance with the discussion content. That, however, seems to have concerned a more easily automatable piece of information (affected version ranges, rather than free-text description).

[anargam]

Additionally, is there some way of seeing what the draft CVE advisory text will be, to see if it differs in any significant way (the GHSA may of course be more verbose, lack project description etc)?

[anargam]

According the Github copilot help

Remember, once a CVE is published, any changes or updates to the CVE text need to be made through MITRE directly, as GitHub does not have control over the content of the CVE database.

When prompted with this information that the CNA should do this (according to MITRE) it says

If you're not the repository owner or don't have the necessary permissions, you should ask the repository owner to contact GitHub Support for further assistance. They can provide the updated information for the CVE, and GitHub Support will handle the update process with MITRE.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬