Netbox CVEs

[andy-shady-org]

@jeremystretch Are you aware of the following being done:

https://github.com/anhdq201/netbox/issues

A CVE has been created for each of these, and is now being flagged in CVE parsing tools such as Flexera, and therefore flagging V3.5.1 as a risk.

An example CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33787

Full List: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Netbox

Thanks

Andy

[kkthxbye-code]

Issue #1-15 is the same XSS, same field, just different models. No idea why anyone would submit 15 duplicate CVE's, but it pretty much underlines how useless CVE's really are. I assume he's farming CVE's.

The last one is invalid I think, however there's not really enough information to tell for sure. The screenshot is just an introspection query to get the schema, there's no data from the database, and no sensitive data as he claims.

The one xss should probably be fixed, but not sure if it's been reported at all. Feel free to create an issue.

[kkthxbye-code]

I'll probably dispute the graphql one if I get the time as it seems invalid and misrepresented. I would hope that MITRE would catch spam like the first 15 CVE's, but we'll see.

[andy-shady-org]

Ive raised the issue, just bringing awareness really, as our instances have been flagged by our SEC teams, which requires replying to the inevitable tickets, etc. Im pretty sure most larger companies will start flagging this soon, as that is the default response with these things, regardless of knowledge.

[andy-shady-org]

@kkthxbye-code Thanks for your response, I will create an issue, highlighting the CVE's and leave it you guys how to interpret and fix :)

[jeremystretch]

FYI our policy for reporting suspected security vulnerabilities is documented here per convention for open source projects. We have no control over information published by a third party and act only on reports submitted to us directly.

[kkthxbye-code]

I've now disputed CVE-2023-33796 and I've requested that CVE-2023-33800,CVE-2023-33799,CVE-2023-33798,CVE-2023-33797,CVE-2023-33796,CVE-2023-33795,CVE-2023-33794,CVE-2023-33793,CVE-2023-33792,CVE-2023-33791,CVE-2023-33790,CVE-2023-33789,CVE-2023-33788,CVE-2023-33787,CVE-2023-33786,CVE-2023-33785 be merged into one CVE.

I hope MITRE will take action, as the reports are bordering on malicious.

I'll also reopen this discussion, just so it's easier to find for people looking for the same answer. Hope that's okay.

[DanSheps]

Did anything ever come of this?

[kkthxbye-code]

CVE-2023-33796 has been marked as disputed: https://nvd.nist.gov/vuln/detail/CVE-2023-33796

Not sure what the next step for that is.

For the 15 duplicate CVE's, I haven't gotten any response since 29th of may, where the CVE Assignment Team posted a snippet from their rules indicating that they should be folded into one CVE. Think they misunderstood something or didn't read my text, but I've since provided proof (two line fix for all 15 issues) but have gotten no response. Not holding my breath to be honest.

The CVE database is next to useless, it shouldn't be taken serious but sadly it is.

[kkthxbye-code]

For context this is the only response I have received:

Reading that rule it seems pretty cut and dry that the 15 CVE's should have been one. This was already mentioned in my initial report (can't share it, because it's a web form and I have gotten no copy of the initial message).