The Bogus CVE Problem

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • jackson-databind

    General data-binding package for Jackson (2.x): works on streaming API (core) implementation(s)

  • Jackson had this problem a few months back, where someone reported a critical CVE against the project and broke builds all around the planet: https://github.com/FasterXML/jackson-databind/issues/3972

    Basically the programmer (not the attacker) had to write code where an object contained itself:

    // a map whose only value is the map itself
    HashMap<String, Object> map = new HashMap<>();

    map.put("recursive", map);

    After this, Jackson would indeed stack overflow if you asked it to wrap the object to JSON. Then again, half the built-in Java functions (e.g. getting an object hashcode for the map object) also fail for a recursive structure.

    The issue remains open 3 months later, Mitre still thinks it's hella serious, and people have yet again learned to just ignore their CI warning about CVEs.
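As an added example (not code from the comment above or from the Jackson project), this builds the same self-referential map and pairs it with a JDK-only cycle check that a caller can run before handing a structure to any recursive serializer. The check compares nodes by reference identity, because calling equals() or hashCode() on such a map is itself what overflows the stack. The class name CycleCheck and method containsCycle are my own; the code only needs the JDK (Java 16+ for pattern-matching instanceof).

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example: detect reference cycles in a Map/Collection/array graph before
 * serializing it. Not Jackson's code; a JDK-only pre-check a caller could run.
 */
public final class CycleCheck {

    /** Returns true if the graph reachable from root contains a reference cycle. */
    public static boolean containsCycle(Object root) {
        // Identity-based set: never invokes hashCode()/equals() on the nodes themselves.
        return walk(root, Collections.newSetFromMap(new IdentityHashMap<>()));
    }

    private static boolean walk(Object node, Set<Object> onPath) {
        if (node == null || isLeaf(node)) {
            return false;
        }
        if (!onPath.add(node)) {
            return true; // node is already on the current path: a cycle
        }
        try {
            if (node instanceof Map<?, ?> m) {
                for (Map.Entry<?, ?> e : m.entrySet()) {
                    if (walk(e.getKey(), onPath) || walk(e.getValue(), onPath)) {
                        return true;
                    }
                }
            } else if (node instanceof Collection<?> c) {
                for (Object o : c) {
                    if (walk(o, onPath)) {
                        return true;
                    }
                }
            } else if (node instanceof Object[] arr) {
                for (Object o : arr) {
                    if (walk(o, onPath)) {
                        return true;
                    }
                }
            }
            // Other object types (POJOs) are not descended into by this check.
            return false;
        } finally {
            onPath.remove(node); // backtrack: a shared reference (DAG) is not a cycle
        }
    }

    private static boolean isLeaf(Object o) {
        return o instanceof String || o instanceof Number
            || o instanceof Boolean || o instanceof Character;
    }

    public static void main(String[] args) {
        // Constructed input: the same shape as in the comment above.
        Map<String, Object> recursive = new HashMap<>();
        recursive.put("recursive", recursive);

        // Constructed input: the same list referenced twice, which is NOT a cycle.
        List<String> shared = new ArrayList<>(List.of("a"));
        Map<String, Object> dag = new HashMap<>();
        dag.put("left", shared);
        dag.put("right", shared);

        System.out.println("recursive map has cycle: " + containsCycle(recursive));
        System.out.println("shared-reference map has cycle: " + containsCycle(dag));

        // The JDK fails on the same structure: HashMap.hashCode() recurses into the value.
        try {
            recursive.hashCode();
        } catch (StackOverflowError e) {
            System.out.println("hashCode() on the recursive map overflowed the stack");
        }
    }
}
```

The backtracking step matters: a naive "seen before" set would report the shared list in `dag` as a cycle, which is exactly the kind of false positive that makes this class of finding look scarier than it is. Capping serializer nesting depth is the other defensive option; jackson-core 2.16 added StreamWriteConstraints with a configurable maximum nesting depth for generation.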

  • Caddy

    Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

  • Unfortunately, the CVE database(s) are too noisy to be useful. It could benefit from higher standards and more thorough vetting. (Maybe take some lessons from academia.)

    A "security researcher" once filed a CVE for a regular bug in Caddy [0], making claims that were totally provably false. It was assigned 7.5... the same as Heartbleed [1] -- yes, the one that leaked almost all the private encryption keys on the Internet back in 2014.

    More recently I inadvertently discovered a 0-day RCE in acme.sh [2]. (ACME clients are security-sensitive contexts since they typically deal with private keys and download signed credentials.) Anyway, it was assigned a CVSS 3.x score of *9.8* [3] -- I imagine that should be like "cyber-nuclear meltdown" territory, but no, this was actually benign as far as we can tell. Probably deserves more like a 5 or 6 or something.

    Anyway, the whole system is broken, and I'm effectively ignoring CVEs now. But if someone tells me to patch my , I'll probably just do that.

    [0]: https://github.com/caddyserver/caddy/issues/4775

    [1]: https://nvd.nist.gov/vuln/detail/cve-2014-0160

    [2]: https://matt.life/writing/the-acme-protocol-in-practice-and-...

    [3]: https://nvd.nist.gov/vuln/detail/CVE-2023-38198

  • presentation-cve-is-dead

    "CVEs are dead, long live the CVE!" presentation

  • Greg Kroah-Hartman (the kernel developer/maintainer) in 2019 gave a presentation about some of the issues with CVEs.

    https://www.youtube.com/watch?v=HeeoTE9jLjM

    https://github.com/gregkh/presentation-cve-is-dead

  • packj-github-action

    Packj audits pull requests for malicious/risky open-source deps

  • 2. https://github.com/ossillate-inc/packj-github-action

