- Issue created by @yesct
- 🇺🇸 United States yesct
I didn't have a token to use to run in the script till this week.
@greggles ended up needing to reserve the CVEs for this time period.
I assigned them to the SAs.
I'll try the token.
- 🇺🇸 United States yesct
Token was a success.
Next steps for me:
Edit the script.
Run the script.
- 🇺🇸 United States yesct
https://www.drupal.org/project/securitydrupalorg/issues/3528864 Create CVEs for May 21, 2025 (Active) is merged.
Next steps:
- me: update branch (resolve conflicts if any)
- me: make sure new hunk is at the beginning of the advisories array.
- me: look at the changes critically and see if there are better CWE and CAPEC identifiers to use.
- optional review by someone else
- me: run the script (maybe improve it, e.g. an optional arg which is the limit for the query)
- me: use the JSON files to make CVEs
- maintainer of this repo: merge
- 🇺🇸 United States yesct
I think I need to close the fork and open a new fork??? I just want to be up to date with the source.
- Merge request !10 Issue #3528281: May 28 2025 Add CWE/CAPEC mappings for SA-CONTRIB-2025-070 through SA-CONTRIB-2025-076 (Merged) created by yesct
- 🇺🇸 United States yesct
Ugh. I think I got it now. (Earlier, when I made the new branch, I confusingly thought it would be up to date. But forks!)
- 🇺🇸 United States yesct
Analysis of CWE and CAPEC Assignments for New Advisories
I used CursorAI in privacy mode to help me analyze the CWE and CAPEC assignments for the new advisories (SA-2025-070 through SA-2025-076) by comparing them with similar advisories in the codebase. Here's the analysis:
- SA-2025-070 (Missing Authorization):
  - Assigned CWE-862 (Missing Authorization) with CAPEC-87 (Forceful Browsing)
  - Consistent with 15+ other advisories using the same combination
  - Examples: SA-2025-055, SA-2025-020, SA-2024-076
- SA-2025-071 (XSS):
- SA-2025-072 (XSS):
  - Same as SA-2025-071
  - Part of the same pattern of XSS vulnerabilities
- SA-2025-073 (XSS):
  - Same as SA-2025-071
  - Part of the same pattern of XSS vulnerabilities
- SA-2025-074 (XSS):
  - Same as SA-2025-071
  - Part of the same pattern of XSS vulnerabilities
- SA-2025-075 (XSS):
  - Same as SA-2025-071
  - Part of the same pattern of XSS vulnerabilities
- SA-2025-076 (XSS):
  - Same as SA-2025-071
  - Part of the same pattern of XSS vulnerabilities
Analysis Process
- CursorAI first checked each advisory's description to understand the vulnerability type
- Compared with similar advisories in the codebase
- Verified the CWE/CAPEC combinations were consistent with the established patterns
- Found that all assignments follow the same classification scheme used throughout the codebase
How CursorAI Read the SAs
To read the SAs, CursorAI used curl to fetch the content from drupal.org. Here's an example command for one of the SAs:
curl -s "https://www.drupal.org/sa-contrib-2025-070" | grep -A 20 "Vulnerability"
This command:
- Uses curl to fetch the SA page content
- Pipes it through grep to find the vulnerability description section
- Shows 20 lines after the match to get the full context
For each SA, CursorAI:
- Read the vulnerability description to understand the type of issue
- Looked for key terms like "XSS", "authorization", "access control" etc.
- Compared the description with similar SAs in the codebase
- Verified the CWE/CAPEC assignments matched the vulnerability type
For example, for SA-2025-070, the description indicated a missing authorization check, which aligns with the assigned CWE-862 and CAPEC-87. This pattern is consistent with other similar advisories in the codebase.
For the XSS advisories (SA-2025-071 through SA-2025-076), the descriptions all indicated improper input neutralization leading to cross-site scripting, which matches the assigned CWE-79 and CAPEC-63 combination.
This methodical approach helps ensure consistency in CWE/CAPEC assignments across all advisories.
The assignments are appropriate and consistent with the existing patterns in the codebase. No changes are needed.
Analysis Timeline
- Initial Request: "please do an analysis for the new entries in this branch. git diff to 7.x-1.x to see the new entries. and then summarize the analysis that is appropriate for me to post on a comment on d.o. Note comments on d.o use html (not markdown). Include my prompts in chronological order (including this one) and your responses, so others can double check our logic."
  Response: [Previous analysis of SA-2025-070 through SA-2025-076]
- Request: "say how you read the SAs (give the curl/grep command as an example)"
  Response: [Added section on how SAs were read]
- Request: "Does this include the caveat: Analysis of CWE and CAPEC Assignments for New Advisories I used CursorAI in privacy mode to help me analyze the CWE and CAPEC assignments for the new advisories (SA-2025-064 through SA-2025-069) by comparing them with similar advisories in the codebase. Here's the analysis: ?? please include that, and in the analysis summary, when it is the AI doing it don't say "I", say "Cursor AI""
  Response: [Added AI disclosure and adjusted language]
I hope this helps a reviewer. It at least documents what I read; in case it turns out to be incorrect, we can track where the info came from.
Next steps:
- optional review by someone else
- me: run the script
- me: upload the generated JSON files to https://vulnogram.github.io/#editor
- a maintainer of this repo: merge
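The review process in the comment above (fetch the SA page, read the "Vulnerability" section, classify it by keyword, then compare the proposed CWE/CAPEC pair with how earlier advisories of the same type were classified) can be reduced to a small consistency check. The block below is an added example written for this page; it is not the securitydrupalorg script or any other code from the project. The SA markup, the keyword rules, the CSRF pair, and the table of prior advisories are all constructed assumptions for the example; a real run would feed it the body fetched with curl and the repo's actual advisories array.

```python
import html
import re

# Constructed sample of the part of an SA page the curl | grep pipeline is
# looking for.  Assumption: this is NOT the real markup of drupal.org.
SAMPLE_SA_HTML = """
<h2>Vulnerability</h2>
<p>This module doesn't sufficiently sanitize user-supplied text in some
cases, leading to a Cross-Site Scripting vulnerability.</p>
<h2>Solution</h2>
<p>Install the latest version.</p>
"""

# A second constructed description, to exercise the missing-authorization branch.
SAMPLE_ACCESS_DESC = ("The module doesn't sufficiently check access when "
                      "displaying the list of entries, leading to an access bypass.")

# Keyword rules mapped to (CWE, CAPEC) pairs: the two pairs used in the thread
# plus a CSRF pair as a further example.  The rules are an assumption for this
# example; the first match wins, so put the most specific patterns first.
RULES = [
    (r"cross[- ]site scripting|\bxss\b", ("CWE-79", "CAPEC-63")),
    (r"cross[- ]site request forgery|\bcsrf\b", ("CWE-352", "CAPEC-62")),
    (r"missing authorization|access bypass|doesn't sufficiently check access",
     ("CWE-862", "CAPEC-87")),
]

# Constructed stand-in for the repo's existing advisories array,
# advisory id -> (CWE, CAPEC).  Not the project's real data.
EXISTING = {
    "SA-CONTRIB-2025-055": ("CWE-862", "CAPEC-87"),
    "SA-CONTRIB-2025-020": ("CWE-862", "CAPEC-87"),
    "SA-CONTRIB-2024-076": ("CWE-862", "CAPEC-87"),
    "SA-CONTRIB-2025-068": ("CWE-79", "CAPEC-63"),
    "SA-CONTRIB-2025-069": ("CWE-79", "CAPEC-63"),
}


def extract_vulnerability_section(page_html: str) -> str:
    """Return the plain text under the 'Vulnerability' heading, up to the next <h2>."""
    m = re.search(r"<h2>\s*Vulnerability\s*</h2>(.*?)(?=<h2>|\Z)",
                  page_html, re.S | re.I)
    if not m:
        return ""
    text = re.sub(r"<[^>]+>", " ", m.group(1))          # drop the remaining tags
    return html.unescape(re.sub(r"\s+", " ", text)).strip()


def classify(description: str):
    """Map a description to a (CWE, CAPEC) pair, or None when no rule matches."""
    low = description.lower()
    for pattern, pair in RULES:
        if re.search(pattern, low):
            return pair
    return None


def check_assignment(description: str, proposed, existing=EXISTING):
    """Compare a proposed (CWE, CAPEC) pair with the description and prior advisories.

    Returns (ok, reason).  It fails closed: an unclassifiable description, a pair
    that contradicts the description, or a pair with no precedent is flagged for
    manual review instead of being accepted.
    """
    expected = classify(description)
    if expected is None:
        return False, "no keyword rule matched; classify manually"
    if tuple(proposed) != expected:
        return False, f"proposed {tuple(proposed)} but the description reads as {expected}"
    peers = sorted(sa for sa, pair in existing.items() if pair == expected)
    if not peers:
        return False, f"{expected} has no precedent in existing advisories"
    return True, f"consistent with {len(peers)} existing advisories, e.g. {peers[-1]}"


if __name__ == "__main__":
    desc = extract_vulnerability_section(SAMPLE_SA_HTML)
    print(desc)
    print(check_assignment(desc, ("CWE-79", "CAPEC-63")))     # accepted
    print(check_assignment(desc, ("CWE-862", "CAPEC-87")))    # contradicts description
    print(check_assignment(SAMPLE_ACCESS_DESC, ("CWE-862", "CAPEC-87")))
```

The keyword rules deliberately stay crude: the point of the check is not to classify on its own but to make a reviewer look again whenever the proposed pair disagrees with the text or has never been used before, which is exactly where a copy-pasted mapping in a new hunk tends to go wrong.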
- 🇺🇸 United States greggles Denver, Colorado, USA
Thanks for this work and for documenting your process.
The CWE and CAPEC assignments look good to me. I reviewed the code changes as well and they look good to me. Moving to RTBC.
Let's coordinate to get these filed.
- 🇺🇸 United States yesct
I'm running the script now. Update coming soon.
- 🇺🇸 United States yesct
I made the CVEs!!
- sa-contrib-2025-070: CVE-2025-48916
- sa-contrib-2025-071: CVE-2025-48918
- sa-contrib-2025-072: CVE-2025-48917
- sa-contrib-2025-073: CVE-2025-48919
- sa-contrib-2025-074: CVE-2025-48920
- sa-contrib-2025-075: CVE-2025-48914
- sa-contrib-2025-076: CVE-2025-48915
I also pushed a docs change to help limit manual editing and added --info and --limit options to the script.
Now this is super ready for re-review of my new changes, and hopefully a merge.
The next issue was https://www.drupal.org/project/securitydrupalorg/issues/3528283 Create CVEs for June 4, 2025 (Active), but there were no advisories, so that issue is closed.
- greggles committed b7916ac2 on 7.x-1.x authored by yesct
  Issue #3528281 by yesct, greggles: Create CVEs for May 28, 2025
- 🇺🇸 United States greggles Denver, Colorado, USA
Thanks, yesct! This is a nice improvement in addition to filing the CVEs.
Automatically closed - issue fixed for 2 weeks with no activity.