CVEs fixed in the 6/20 releases not published to NVD yet

[abscondment]

A number of the CVEs fixed in the 6/20 releases (v16.20.1, v18.16.1, v20.3.1) are marked as RESERVED in mitre, and therefore have no corresponding NVD entry.

CVE-2023-30581 is a great example:

• Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581
• NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-30581

  • "Although a CVE ID may have been assigned by either CVE or a CNA, it will not be available in the NVD if it has a status of RESERVED by CVE."

One impact of this is that some tools which rely on the Known Affected Software Configurations present in the CPE dictionary report these CVEs as unfixed in the patched versions.

[RafaelGSS]

Hey, thanks for reporting it. I'll be looking to it during this week.

[abscondment]

Hey @RafaelGSS, any updates on this? Thank you!

[RafaelGSS]

We'll enter into contact with the HackerOne team. We requested the disclosure + publication of those CVEs a long time ago.

[RafaelGSS]

It should be fixed in the next few days. I've manually requested disclosure of those reports, so CVE should be automatically published.

[Haxatron]

Hello, dropping by here. It seems weird that H1 doesn't publish the CVE without the report disclosure. In any case, I've disclosed of all outstanding reports on my end. Sorry for that!

[abscondment]

Hey folks, just checking in to report that 4 of these are still not published:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590

If there's a public place I can comment on HackerOne, let me know and I will. I realize you've all done your parts in this chain :)

[mhdawson]

@RafaelGSS for the ones listed by @abscondment have you already requested disclosure?

[RafaelGSS]

@RafaelGSS for the ones listed by @abscondment have you already requested disclosure?

I did but sometimes the reporter doesn't want to disclose the report so the CVE isn't automatically published. Therefore, we'll need to manually change the public reference to link to a github issue or commit (possibly the patch one). I've asked the H1 team how to do it, but I didn't get an answer yet.

[RafaelGSS]

I've just tried it for 30581, let's see if that gets published in the next 2 days.

[RafaelGSS]

Nothing yet. @mhdawson do we have a contact in H1?

[mhdawson]

@RafaelGSS I'll send you the email of the person I usually reach out to through slack

[RafaelGSS]

Another attempt to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581. Let's see.

[RafaelGSS]

Requested for CVE-2023-30585 to guarantee the workflow provided by H1 works.

[RafaelGSS]

It worked. I just did it for the last ones.