Extract interesting data from CVE and other vulnerabilities body

Open pombredanne opened this issue 2 years ago • 6 comments

We should extract interesting data from CVE and other vulnerabilities body. This is based on this research: https://rp.os3.nl/2020-2021/p06/report.pdf and https://rp.os3.nl/2020-2021/p06/presentation.pdf by Bart van Dongen and @armijnhemel. See also, for related projects, https://rp.os3.nl/2020-2021/index.html

For instance, in https://nvd.nist.gov/vuln/detail/CVE-2020-0002 we have a description chock-full of unstructured data, with clues of file name, function name and various Android versions and Android IDs:

Description

In ih264d_init_decoder of ih264d_api.c, there is a possible out of bounds write due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-142602711

Here for instance we could extract a cross reference between the Android ID and the actual advisory which is in https://source.android.com/security/bulletin/2020-01-01

See also:

  • #317
  • #251
  • #340 (also lists a file name)

pombredanne, Sep 15 '21 12:09
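
The extraction this issue proposes, sketched as an added example (not vulnerablecode's own code and not written by the issue author). The regular expressions are assumptions derived only from the wording of the CVE-2020-0002 description quoted above, and `extract_clues` is a hypothetical helper name.

```python
import re

# Description of CVE-2020-0002, copied from the issue text above.
DESCRIPTION = (
    "In ih264d_init_decoder of ih264d_api.c, there is a possible out of bounds "
    "write due to a use after free. This could lead to remote code execution "
    "with no additional execution privileges needed. User interaction is needed "
    "for exploitation Product: Android Versions: Android-8.0, Android-8.1, "
    "Android-9, and Android-10 Android ID: A-142602711"
)

# Assumed patterns: they generalize from this single description and will
# need tuning against a larger sample of advisories.
# "In <function> of <file.ext>" at the start of a sentence.
FUNC_IN_FILE = re.compile(
    r"\bIn\s+(?P<function>[A-Za-z_][\w:~]*)\s+of\s+(?P<file>[\w./+-]+\.[A-Za-z]{1,4})\b"
)
# "Android-8.0", "Android-10", ... (no trailing boundary, so run-together
# text such as "Android-10Android ID" still yields "10").
ANDROID_VERSION = re.compile(r"Android-(\d+(?:\.\d+)*)")
# One or more comma-separated IDs following the "Android ID:" label.
ANDROID_ID = re.compile(r"Android ID:\s*(A-\d+(?:\s*,\s*A-\d+)*)")


def extract_clues(description):
    """Return structured clues found in a free-text vulnerability description.

    Fields that are not present stay None or empty, so callers can tell
    "nothing found" apart from a parse error.
    """
    clues = {"function": None, "file": None, "android_versions": [], "android_ids": []}
    match = FUNC_IN_FILE.search(description)
    if match:
        clues["function"] = match.group("function")
        clues["file"] = match.group("file")
    # Deduplicate while keeping first-seen order.
    clues["android_versions"] = list(dict.fromkeys(ANDROID_VERSION.findall(description)))
    for id_list in ANDROID_ID.findall(description):
        clues["android_ids"].extend(re.findall(r"A-\d+", id_list))
    return clues


if __name__ == "__main__":
    for key, value in extract_clues(DESCRIPTION).items():
        print(f"{key}: {value}")
```

The extracted Android ID is the key that would be looked up in the bulletin the issue links to in order to build the cross reference.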