After a CVE report was filed against his project, Fedor Indutny started getting hounded by people on the internet bringing the vulnerability to his attention.
In recent times, open-source developers have been met with an uptick in receiving debatable or, in some cases, outright bogus CVE reports filed for their projects without confirmation.
This can lead to unwarranted panic among the users of these projects and alerts being generated by security scanners, all of which turn into a source of headache for developers.
The 'node-ip' project exists on the npmjs.com registry as the 'ip' package, which sees 17 million downloads weekly, making it one of the most popular IP address parsing utilities in use by JavaScript developers.
The dispute concerns CVE-2023-42282, a vulnerability disclosed in the project earlier this year.
The CVE concerns the utility failing to correctly identify private IP addresses supplied to it in a non-standard format, such as hexadecimal.
Although Indutny did indeed fix the issue in later versions of his project, he disputed that the bug constituted an actual vulnerability at all, let alone one of elevated severity.
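The failure mode described above, as an added example that is not node-ip's code: a private-range check that matches only the dotted-decimal text misses other spellings of the same address that inet_aton-style parsers accept (hexadecimal, octal, fewer than four parts), while canonicalising to a 32-bit integer before classifying catches them all. The parser and the range table below are this example's own constructions, not the library's.

```javascript
// Added example, not node-ip's code: classify an IPv4 string as private
// only after canonicalising every inet_aton-accepted spelling of it.

// Weak check: a regex on the dotted-decimal text. "0x7f.0.0.1",
// "0177.0.0.1" and "2130706433" all denote 127.0.0.1 but do not match.
function isPrivateNaive(addr) {
  return /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(addr);
}

// One inet_aton-style part: "0x.." is hex, a leading zero means octal,
// anything else must be plain decimal. NaN marks an unparseable part.
function parsePart(p) {
  const hex = /^0[xX]([0-9a-fA-F]+)$/.exec(p);
  if (hex) return parseInt(hex[1], 16);
  if (/^0[0-7]+$/.test(p)) return parseInt(p, 8);
  if (/^(0|[1-9]\d*)$/.test(p)) return parseInt(p, 10);
  return NaN;
}

// Canonicalise to an unsigned 32-bit integer, or null when the string is
// not a valid address. With fewer than four parts the last part fills the
// remaining low bits, as inet_aton does ("10.1" -> 10.0.0.1).
function toIPv4Int(addr) {
  const nums = String(addr).split('.').map(parsePart);
  if (nums.length > 4 || nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  const lastBits = 32 - 8 * nums.length;
  if (nums.some((n) => n > 0xff) || last >= 2 ** lastBits) return null;
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  return value * 2 ** lastBits + last;
}

// Private and loopback networks as [network, prefix length] (constructed
// table for the example; extend it to whatever ranges your policy needs).
const PRIVATE_RANGES = [
  [0x0a000000, 8],   // 10.0.0.0/8
  [0x7f000000, 8],   // 127.0.0.0/8
  [0xac100000, 12],  // 172.16.0.0/12
  [0xc0a80000, 16],  // 192.168.0.0/16
];

// Hardened check: true/false for a parseable address, null when the input
// is not a valid IPv4 string at all (callers should treat null as a reject).
function isPrivateCanonical(addr) {
  const v = toIPv4Int(addr);
  if (v === null) return null;
  return PRIVATE_RANGES.some(([net, bits]) => (v >>> (32 - bits)) === (net >>> (32 - bits)));
}
```

The point for any filter built on such a library is that the parse step, not the regex, decides what "private" means; a check that never sees the canonical integer cannot be complete.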
Disputing a CVE is no straightforward task either, as a GitHub security team member explained.
It requires a project maintainer to chase the CVE Numbering Authorities that had originally issued the CVE. CNAs have conventionally comprised NIST's NVD and MITRE. Over the past few years, technology companies and security vendors joined the list and are also able to issue CVEs at will.
These CVEs, along with the vulnerability description and the reported severity rating, are then syndicated and republished by other security databases, such as GitHub advisories.
Following Indutny's post on social media, GitHub lowered the severity of the CVE in their database and suggested the developer turn on private vulnerability reporting to better manage incoming reports and cut noise.
The CVE system, originally designed to help security researchers ethically report vulnerabilities in a project and catalog these after responsible disclosure, has lately attracted a segment of community members filing unverified reports.
Developers and project maintainers have pushed back.
Another npm project, micromatch, which gets 64 million weekly downloads, has had 'high' severity ReDoS vulnerabilities reported against it, with its creators being chased by community members inquiring about the issues.
Rather than representing an exploitable vulnerability, it ended up being a nuisance report, one the developers had already been chased about.
Beyond being an annoyance for project maintainers, getting CVEs issued for unverified vulnerability reports is akin to stirring up a Denial of Service against a project, its creators, and its wider consumer base, and the comparison is apt.
A third problem arises for projects without an active maintainer.
Abandoned software projects that have not been touched in years contain vulnerabilities that, even when disclosed, will never be fixed, and there exists no means of contacting their original maintainer.
On receiving a vulnerability report from a researcher, these organizations may not always be able to sufficiently vet every such report independently.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 30 Jun 2024 14:35:28 +0000