
Missing version in affected version list of the GIT section of CVE-2024-50382 and https://osv.dev/vulnerability/CVE-2024-50383

Open sha-cy opened this issue 10 months ago • 5 comments

Describe the bug: In the affected version range of the GIT section, there are a few missing versions of Botan 2.*, specifically 2.18 and 2.19 and their subversions.

To Reproduce: Steps to reproduce the behaviour:

  1. Go to 'CVE-2024-50382' or 'CVE-2024-50383'
  2. Click on the GIT section of the affected libraries
  3. Click on 2.*

Expected behaviour: a full list of the library 2.* versions

Screenshots


Additional context: I am reporting it here and not in NVD as the vulnerabilities are still under analysis there, so there are no assigned CPEs yet, and looking through the documentation, I saw no reason for those versions to not be included as well.

sha-cy avatar Feb 16 '25 17:02 sha-cy

:sparkles: Thank you for your interest in OSV.dev's data quality! :sparkles:

Please review our FAQ entry on how to most efficiently have this addressed.

github-actions[bot] avatar Feb 17 '25 00:02 github-actions[bot]

Confirmed:

$ comm -23 <(git ls-remote -t https://github.com/randombit/botan | awk '{ print $2 }' | fgrep tags/2. | sed 's!refs/tags/!!' | sort --version-sort) <(curl -s https://api.osv.dev/v1/vulns/CVE-2024-50382 | jq -r '.affected[] | select(.ranges[].type == "GIT") | .versions[]' | grep '^2.' | sort --version-sort)
2.17.1
2.17.2
2.17.3
2.18.0
2.18.1
2.18.2
2.19.0
2.19.1
2.19.2
2.19.3
2.19.4
2.19.5
$ comm -23 <(git ls-remote -t https://github.com/randombit/botan | awk '{ print $2 }' | fgrep tags/2. | sed 's!refs/tags/!!' | sort --version-sort) <(curl -s https://api.osv.dev/v1/vulns/CVE-2024-50383 | jq -r '.affected[] | select(.ranges[].type == "GIT") | .versions[]' | grep '^2.' | sort --version-sort)
2.17.1
2.17.2
2.17.3
2.18.0
2.18.1
2.18.2
2.19.0
2.19.1
2.19.2
2.19.3
2.19.4
2.19.5

My current theory is that these additional versions were released after the record was imported by OSV.dev (version enumeration is currently only performed at import time, which is #2017). I am testing this theory by reimporting these two records in our staging environment. If successful, I will repeat in our production environment.

andrewpollock avatar Feb 17 '25 06:02 andrewpollock

That didn't seem to change anything.

I've had a cursory look at the revision history of this repository, and where the fix commit fits into things, and I think the reason that nothing higher than 2.17.0 is showing up is because the commits tagged with versions higher than 2.17.0 are after the fix commit.

Interestingly,

$ git tag --contains 53b0cfde5
3.6.0
3.6.1
3.7.0
3.7.1

So now I'm more confused 🤔

andrewpollock avatar Feb 17 '25 08:02 andrewpollock
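As an added illustration (not OSV.dev's own code), the snippet below models how a GIT range would enumerate affected tags from a commit graph, assuming the OSV schema semantics that a tag is affected when it descends from the "introduced" commit and does not descend from any "fixed" commit. The commit ids, tags and branch layout are constructed placeholders, not Botan's real history; they show why a maintenance branch that never merged the fix (2.18/2.19 here) stays affected even though `git tag --contains` on the fix commit only lists 3.x tags.

```python
from collections import deque

# Constructed toy history (placeholder ids, not real Botan commits):
# a 2.x maintenance branch that branches off before the fix landed on master.
PARENTS = {
    "c0": [],       # initial commit
    "c1": ["c0"],   # bug introduced
    "c2": ["c1"],   # tagged 2.17.0
    "c3": ["c2"],   # 2.x branch continues, tagged 2.18.0
    "c4": ["c3"],   # tagged 2.19.5
    "c5": ["c2"],   # master diverges from the 2.x branch, tagged 3.5.0
    "c6": ["c5"],   # fix commit (stand-in for the real fix)
    "c7": ["c6"],   # tagged 3.6.0
}
TAGS = {"2.17.0": "c2", "2.18.0": "c3", "2.19.5": "c4", "3.5.0": "c5", "3.6.0": "c7"}


def ancestors(commit, parents):
    """All commits reachable from `commit` by following parents (inclusive)."""
    seen, todo = set(), deque([commit])
    while todo:
        c = todo.popleft()
        if c in seen:
            continue
        seen.add(c)
        todo.extend(parents[c])
    return seen


def version_key(tag):
    return tuple(int(p) for p in tag.split("."))


def tags_containing(commit, tags, parents):
    """Equivalent of `git tag --contains <commit>` over the toy graph."""
    return sorted((t for t, c in tags.items() if commit in ancestors(c, parents)),
                  key=version_key)


def affected_tags(introduced, fixed, tags, parents):
    """Tags whose commit contains `introduced` but not `fixed` (OSV GIT range)."""
    out = []
    for tag, commit in tags.items():
        anc = ancestors(commit, parents)
        if introduced in anc and fixed not in anc:
            out.append(tag)
    return sorted(out, key=version_key)
```

Only 3.6.0 contains the fix, yet 2.18.0 and 2.19.5 are still enumerated as affected because the fix is not an ancestor of their tagged commits.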

I'm seeing some similarities with #2128

andrewpollock avatar Feb 18 '25 05:02 andrewpollock

This issue has not had any activity for 60 days and will be automatically closed in two weeks.

See https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

github-actions[bot] avatar Jun 01 '25 06:06 github-actions[bot]