Bogus CVEs (some of them at least ..)

Got a bogus CVE? Please share here!

| Nr. | CVE ID | Credit 👎 | More info |
| --- | --- | --- | --- |
| 1 | CVE-2020-21469 | - | https://www.postgresql.org/about/news/cve-2020-21469-is-not-a-security-vulnerability-2701/ |
| 2 | CVE-2020-19909 | - | https://daniel.haxx.se/blog/2023/09/05/bogus-cve-follow-ups/ |
| 3 | CVE-2023-39615 | - | https://gitlab.gnome.org/GNOME/libxml2/-/issues/535 |
| 4 | CVE-2023-35116 | https://github.com/PoppingSnack | FasterXML/jackson-databind#3972 (comment) |
| 5 | CVE-2023-33546 | https://github.com/PoppingSnack | janino-compiler/janino#201 (comment) |
| 6 | CVE-2023-29824 | - | scipy/scipy#14713 |
| 7 | CVE-2023-25399 | they apologized .. | scipy/scipy#16235 |
| 8 | CVE-2023-34585 and CVE-2023-36262 | https://github.com/fu2x2000 | https://hackaday.com/2023/07/07/this-week-in-security-bogus-cves-bogus-pocs-and-maybe-a-bogus-breach/, obsproject/obs-studio#8966 |
| 9 | CVE-2023-37941 | https://www.horizon3.ai/ | apache/superset#23888 (comment) |
| 10 | CVE-2023-35866 | https://www.cybercitizen.tech/en/ (They even wrote a blog post about it: https://medium.com/@cybercitizen.tech/keepassxc-vulnerability-cve-2023-35866-dc7d447c4903) | keepassxreboot/keepassxc#9339, https://keepassxc.org/blog/2023-06-20-cve-202335866/ |
| 11 | CVE-2022-45868 | - | h2database/h2database#3686 |
| 12 | CVE-2022-0329 | https://github.com/anon-artist | https://tomforb.es/cve-2022-0329-and-the-problems-with-automated-vulnerability-management/, Delgan/loguru#563 |
| 13 | CVE-2022-3108 | - | https://lore.kernel.org/lkml/[email protected]/T/ (even the Linux kernel?) |
| 14 | CVE-2021-20066 | - | jsdom/jsdom#3124 |
| 15 | CVE-2021-33026 | https://github.com/subnix | pallets-eco/flask-caching#209 (comment), apache/superset#15271 |
| 16 | CVE-2021-30123 | - | https://trac.ffmpeg.org/ticket/8845, NixOS/nixpkgs#124623 |
| 17 | CVE-2020-22916 | https://github.com/snappyJack/ | tukaani-project/xz#61 |
| 18 | CVE-2020-26159 | - | kkos/oniguruma#207 (comment) |
| 19 | CVE-2017-7397 | - | https://blog.backbox.org/2017/04/07/false-cve-on-backbox-4-6-unmasked/ |
| 20 | CVE-2016-6595 | Kaixiang Zhang of the Cloud Security Team, Qihoo 360 | moby/moby#25629 |
| 21 | CVE-2023-36266 | - | |
| 22 | CVE-2023-34256 | - | https://bugzilla.suse.com/show_bug.cgi?id=1211895 |
| 23 | CVE-2023-26735 and CVE-2020-16248 | | prometheus/blackbox_exporter#1024 (comment) |
| 24 | CVE-2023-24068 and CVE-2023-24069 | https://github.com/johnjhacking (and also blogged about the "severe" vulns: https://johnjhacking.com/blog/cve-2023-24068-cve-2023-24069/) | |
| 25 | CVE-2022-32275 and CVE-2022-32276 | https://github.com/BrotherOfJhonny/grafana | grafana/grafana#50336 |
| 26 | CVE-2021-33430 | - | numpy/numpy#21713 (comment) |
| 27 | CVE-2024-23080 | LLMISP, LLM4IG | https://github.com/JodaOrg/joda-time/commit/4a1402a47cab4636bf4c73d42a62bfa80c1535ca#diff-457dbda9d8c4b5152ba13997c3266a1df6508a850065771a7f0b764ea9375f60R17 |
| 28 | CVE-2024-27322 | HiddenLayer Inc. | qsbase/qs#93 (comment), https://mstdn.social/@gws/112359739655466497, https://stackoverflow.com/questions/58426972/r-could-malicious-code-be-injected-into-an-rds-object, https://rud.is/b/2024/05/03/cve-2024-27322-should-never-have-been-assigned-and-r-data-files-are-still-super-risky-even-in-r-4-4-0/ |
| 29 | CVE-2024-23081 and CVE-2024-23082 | LLMISP, LLM4IG | https://www.threeten.org/threetenbp/security.html, ThreeTen/threetenbp#191, https://gist.github.com/LLM4IG/3cc9183dcd887020368a0bafeafec5e3, https://gist.github.com/LLM4IG/d2618f5f4e5ac37eb75cff5617e58b90 |
| 30 | CVE-2019-8341 | JameelNabbo | https://bugzilla.redhat.com/show_bug.cgi?id=1677653#c4 |
| 31 | CVE-2023-42282 | cosmosofcyberspace | indutny/node-ip#138 (comment), github/advisory-database#3504 (comment) |

Why do people do this?

Anyone can request a CVE, with no obligation to get in touch with the maintainers. Validation of the reported vulnerability is only cursory; it cannot be thorough, because proper validation often requires an in-depth understanding of the tools involved. Triaging bugs is a time-consuming process that even the biggest companies struggle with in their bug bounty programs.

Mostly, this process works well: researchers get in touch with maintainers, share PoCs, and, with mutual approval, get CVEs where applicable. Not all bugs even deserve CVEs. With more CVE Numbering Authorities (CNAs) out there assigning CVE IDs, and automated tools scanning for them in build pipelines, the problem of fake CVE IDs is becoming quite prominent. My guess at the motivation behind why some companies and individuals try to get such CVEs includes:

How to dispute a CVE?

Useful resources to learn security

Explore more on what this is about