by DiabloD3
1991 days ago
So... the real question is, why are CVEs that are just packages of software being accepted to the CVE database anyways? If it's in a Docker image, it should be immediately rejected: report the CVE for the precise upstream project instead.
Ultimately, because there are now a few hundred [0] CNAs [1] which are "authorized to assign CVE IDs" and, AFAICT, there is nothing in the "CNA rules" [2] that requires them to (attempt to) verify the (alleged) vulnerabilities -- although, in at least some instances, I assume it simply wouldn't be possible for them to do so.
--
> 7.1 What Is a Vulnerability?
> The CVE Program does not adhere to a strict definition of a vulnerability. For the most part, CNAs are left to their own discretion to determine whether something is a vulnerability. [3]
Officially, a "vulnerability" is:
> A flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components. [4]
Fortunately, there is a "Process to Correct Assignment Issues or Update CVE Entries" [5]. In instances of multiple, "duplicate" or "invalid" CVEs, I can see how this might be both frustrating and time-consuming for software developers, though.
--
[0]: https://cve.mitre.org/cve/request_id.html
[1]: https://cve.mitre.org/cve/cna.html
[2]: https://cve.mitre.org/cve/cna/rules.html
[3]: https://cve.mitre.org/cve/cna/rules.html#section_7-1_what_is...
[4]: https://cve.mitre.org/about/terminology.html#vulnerability
[5]: https://cve.mitre.org/cve/cna/rules.html#appendix_c_process_...