
Contested advisory: GHSA-rwqr-c348-m5wr / CVE-2022-33124

Open woodruffw opened this issue 2 years ago • 6 comments

This hasn't landed in the PyPA advisory database yet, but we should probably either manually purge it or mark it as contested (if possible) when it does.

Context: upstream does not believe that this advisory corresponds to a meaningful weakness or exploitable state (and I agree): https://github.com/aio-libs/aiohttp/issues/6801

GHSA: https://github.com/advisories/GHSA-rwqr-c348-m5wr

CVE: CVE-2022-33124 (already marked as disputed)

woodruffw, Jun 27 '22 14:06

One point of confusion: pip-audit is already showing this vulnerability when using the default PyPI service, despite it not being present in this database. I guess that's because the PyPI service is pulling from other sources as well?

woodruffw, Jun 27 '22 14:06

> I guess that's because the PyPI service is pulling from other sources as well?

FYI I think I've seen some mentions of the CVE database while translating Warehouse.

> CVE: CVE-2022-33124 (already marked as disputed)

I believe you meant to link https://nvd.nist.gov/vuln/detail/CVE-2022-33124 and not the same GH Advisory as in the previous line.

webknjaz, Jun 27 '22 15:06

We should also document how reverts and contested advisories should work within this repo.

PyPI only gets its data from OSV, but OSV may be pulling from other data sources including GHSA.

di, Jun 27 '22 15:06

> I believe you meant to link https://nvd.nist.gov/vuln/detail/CVE-2022-33124 and not the same GH Advisory as in the previous line.

Ugh, that looks like GitHub being too clever: I actually didn't link to the CVE at all, but GitHub auto-linked to their own advisory. I'll fix that now.

Edit: Fixed.

woodruffw, Jun 27 '22 15:06

I think we should just be able to populate the withdrawn date? I believe we did it in the past for a loguru one. I can try to find it a bit later

westonsteimel, Jun 27 '22 16:06

> I think we should just be able to populate the withdrawn date? I believe we did it in the past for a loguru one. I can try to find it a bit later

+1. withdrawn is intended for cases like this. Perhaps adding a line to the README.md would suffice?

oliverchang, Jun 28 '22 05:06

Looks like this "vuln" has finally made its way in: https://github.com/pypa/advisory-database/commit/596fad27a24cb2fa855dbd1236628f6262177015

I'll look at marking it as withdrawn.

CC @Julian

woodruffw, Nov 08 '23 00:11

https://github.com/pypa/advisory-database/pull/169 should withdraw this on the PYSEC side. I still haven't heard anything from MITRE (and I suspect we never will).

woodruffw, Nov 08 '23 00:11