The original post: /r/cybersecurity by /u/Free_Trial_Of_Life on 2024-11-19 12:25:47.
Hello folks, I need advice from guys with experience of obtaining CVE. I am facing issues while getting a CVE for my finding. It gets rejected for unknown reasons. Let me describe the situation:
-
Software is an NPM library X that offers utility methods for abstract usage of another software Y. Library X was developed by an independent person, not tied to vendor of Y. The library X has around 150k weekly downloads, so it's prevalently used.
-
The library exports a function to process certain files and perform operations on it. Vulnerability is a command injection in filename that is passed to this function. The filename is inserted into a CLI command for running Y and can be escaped to inject malicious commands. I built a sample webapp and showcased PoC exploitation.
-
I shared this finding with both vendor Y and developer of library X, and got successful responses from each. Developer of X even invited me for collaboration in fixing this vuln. But he ghosted me afterwards, didn't get back to my messages. So vulnerability remained unresolved.
After a while I applied for a CVE record both in mitre and vuldb but both rejected my request. VulDB's response:
* Unfortunately, we are not able to handle this issue. Please contact MITRE at https://cveform.mitre.org/
MITRE's response:
There is no CVE ID associated with the X NPM library for this. The existence of exported functions does not mean that the library is intended to be used in a situation where "a user-controlled filename
is passed to X function as it is."
MITRE's response does not make sense in my opinion. CVE ID does not exist because it's a new finding. My PoC also shows how applications using this library can be exploited to gain RCE. Library cannot guarantee that filename is not user-controlled.
I am confused. How should I navigate this situation? What am I missing that makes my finding invalid? I would appreciate any kind of help.