Create CVEs for May 21, 2025

Created on 3 June 2025, 2 months ago

Following from ✨ Publish Advisory -> CVE script to support better Active

We should create CVEs for the advisories today.

📌 Task
Status

Active

Version

1.0

Component

Code

Created by

🇺🇸 United States yesct


Merge Requests

Comments & Activities

  • Issue created by @yesct
  • 🇺🇸 United States yesct

    I didn't have a token to use to run in the script till this week.

    @greggles ended up needing to reserve the CVEs for this time period.

    I assigned them to the SAs.

    I'll try the token.

  • 🇺🇸 United States yesct

    Token was a success.

    Next steps for me:

    Edit the script.
    Run the script.

  • Merge request !8 Draft: Resolve #3528281 "Create cves for" → (Closed) created by yesct
  • 🇺🇸 United States yesct

    Created a MR using AI help.

    Next step:

    1. me: look at the changes critically and see if there are better CWE and CAPEC identifiers to use.
    2. optional review by someone else
    3. me: run the script
    4. maintainer of this repo: merge
  • 🇺🇸 United States yesct

    https://www.drupal.org/project/securitydrupalorg/issues/3528864 📌 Create CVEs for May 21, 2025 Active is merged.

    Next steps:

    1. me: update branch (resolve conflicts if any)
    2. me: make sure new hunk is at the beginning of the advisories array.
    3. me: look at the changes critically and see if there are better CWE and CAPEC identifiers to use.
    4. optional review by someone else
    5. me: run the script (maybe improve it, e.g. an optional arg which is the limit for the query)
    6. me: use the json files to make cve's
    7. maintainer of this repo: merge
  • 🇺🇸 United States yesct

    I think I need to close the fork and open a new fork??? I just want to be up to date with the source.

  • 🇺🇸 United States yesct

    Ug. I think I got it now. (Earlier, when I made the new branch, I confusingly thought it would be up to date. But forks!)

  • 🇺🇸 United States yesct

    Analysis of CWE and CAPEC Assignments for New Advisories

    I used CursorAI in privacy mode to help me analyze the CWE and CAPEC assignments for the new advisories (SA-2025-070 through SA-2025-076) by comparing them with similar advisories in the codebase. Here's the analysis:

    1. SA-2025-070 → (Missing Authorization):
    2. SA-2025-071 → (XSS):
      • Assigned CWE-79 (Improper Neutralization of Input) with CAPEC-63 (Cross-Site Scripting)
      • Most common vulnerability type in the codebase
      • Matches 40+ other advisories using the same combination
    3. SA-2025-072 → (XSS):
      • Same as SA-2025-071
      • Part of the same pattern of XSS vulnerabilities
    4. SA-2025-073 → (XSS):
      • Same as SA-2025-071
      • Part of the same pattern of XSS vulnerabilities
    5. SA-2025-074 → (XSS):
      • Same as SA-2025-071
      • Part of the same pattern of XSS vulnerabilities
    6. SA-2025-075 → (XSS):
      • Same as SA-2025-071
      • Part of the same pattern of XSS vulnerabilities
    7. SA-2025-076 → (XSS):
      • Same as SA-2025-071
      • Part of the same pattern of XSS vulnerabilities

    Analysis Process

    1. CursorAI first checked each advisory's description to understand the vulnerability type
    2. Compared with similar advisories in the codebase
    3. Verified the CWE/CAPEC combinations were consistent with the established patterns
    4. Found that all assignments follow the same classification scheme used throughout the codebase

    How CursorAI Read the SAs

    To read the SAs, CursorAI used curl to fetch the content from drupal.org. Here's an example command for one of the SAs:

    curl -s "https://www.drupal.org/sa-contrib-2025-070" | grep -A 20 "Vulnerability"

    This command:

    • Uses curl to fetch the SA page content
    • Pipes it through grep to find the vulnerability description section
    • Shows 20 lines after the match to get the full context

    For each SA, CursorAI:

    1. Read the vulnerability description to understand the type of issue
    2. Looked for key terms like "XSS", "authorization", "access control" etc.
    3. Compared the description with similar SAs in the codebase
    4. Verified the CWE/CAPEC assignments matched the vulnerability type

    For example, for SA-2025-070 →, the description indicated a missing authorization check, which aligns with the assigned CWE-862 and CAPEC-87. This pattern is consistent with other similar advisories in the codebase.

    For the XSS advisories (SA-2025-071 through SA-2025-076), the descriptions all indicated improper input neutralization leading to cross-site scripting, which matches the assigned CWE-79 and CAPEC-63 combination.

    This methodical approach helps ensure consistency in CWE/CAPEC assignments across all advisories.

    The assignments are appropriate and consistent with the existing patterns in the codebase. No changes are needed.

    Analysis Timeline

    1. Initial Request: "please do an analysis for the new entries in this branch. git diff to 7.x-1.x to see the new entries. and then summarize the analysis that is appropriate for me to post on a comment on d.o. Note comments on d.o use html (not markdown). Include my prompts in chronological order (including this one) and your responses, so others can double check our logic."

      Response: [Previous analysis of SA-2025-070 through SA-2025-076]

    2. Request: "say how you read the SAs (give the curl/grep command as an example)"

      Response: [Added section on how SAs were read]

    3. Request: "Does this include the caveat: Analysis of CWE and CAPEC Assignments for New Advisories I used CursorAI in privacy mode to help me analyze the CWE and CAPEC assignments for the new advisories (SA-2025-064 through SA-2025-069) by comparing them with similar advisories in the codebase. Here's the analysis: ?? please include that, and in the analysis summary, when it is the AI doing it don't say "I" say "Cursor AI"

      Response: [Added AI disclosure and adjusted language]

    I hope this helps a reviewer. It at least documents what I read, in case it turns out to be incorrect, we can track where the info came from.

    Next steps:

    1. optional review by someone else
    2. me: run the script
    3. me: upload the generated json files https://vulnogram.github.io/#editor
    4. a maintainer of this repo: merge
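The consistency check described in the comment above (fetch the "Vulnerability" section of each SA, look for key terms, confirm the assigned CWE/CAPEC pair matches the pairing the codebase uses for that category) can be automated for review purposes. The following Python is an added example written for this page; it is not the securitydrupalorg project's script. The CWE/CAPEC pairings and the seven advisory IDs come from the comment; the HTML fragment, the advisory descriptions, the keyword list, and the `SA-EXAMPLE-999` record with a deliberately wrong pair are constructed for the example.

```python
import re

# The CWE/CAPEC pairings the comment above reports as the codebase's
# established classification scheme.
EXPECTED_PAIRS = {
    "xss": ("CWE-79", "CAPEC-63"),
    "missing authorization": ("CWE-862", "CAPEC-87"),
}

# Key terms to look for in an advisory description (constructed list, in the
# spirit of the "looked for key terms" step). Checked in order; the first
# category that matches wins, so the more specific XSS terms come first.
KEYWORDS = [
    ("xss", ("cross-site scripting", "cross site scripting", "xss")),
    ("missing authorization", ("missing authorization", "access bypass",
                               "does not sufficiently check", "access control")),
]

TAG_RE = re.compile(r"<[^>]+>")


def vulnerability_section(html: str, context_lines: int = 20) -> str:
    """Offline analogue of `curl ... | grep -A 20 "Vulnerability"`: strip tags,
    then return the first line containing 'Vulnerability' plus the following
    `context_lines` lines (blank lines dropped)."""
    lines = [ln.strip() for ln in TAG_RE.sub("", html).splitlines()]
    for i, line in enumerate(lines):
        if "Vulnerability" in line:
            return "\n".join(ln for ln in lines[i : i + 1 + context_lines] if ln)
    return ""


def classify(description: str):
    """Return the vulnerability category suggested by the description's key
    terms, or None when no known term appears (manual review needed)."""
    text = description.lower()
    for category, terms in KEYWORDS:
        if any(term in text for term in terms):
            return category
    return None


def check_assignment(advisory: dict) -> tuple:
    """Compare an advisory's assigned CWE/CAPEC pair with the pair the
    established scheme uses for its category. Returns (ok, message)."""
    sa = advisory["id"]
    category = classify(advisory["description"])
    if category is None:
        return False, f"{sa}: could not classify description; review manually"
    cwe, capec = EXPECTED_PAIRS[category]
    got = (advisory["cwe"], advisory["capec"])
    if got != (cwe, capec):
        return False, f"{sa}: {category} advisories use {cwe}/{capec}, got {got[0]}/{got[1]}"
    return True, f"{sa}: {category} -> {cwe}/{capec} consistent"


def run_checks(advisories: list) -> list:
    """Run check_assignment over every record and return the (ok, message) list."""
    return [check_assignment(a) for a in advisories]


# Constructed stand-in for a fetched SA page; only its shape matters here.
SAMPLE_HTML = """<html><body>
<h2>Security advisory</h2>
<h3>Vulnerability</h3>
<p>This module does not sufficiently check access when displaying entities,
leading to an access bypass.</p>
<h3>Solution</h3>
<p>Install the latest version.</p>
</body></html>"""

# Constructed description standing in for the six XSS advisories.
XSS_TEXT = ("The module does not sufficiently sanitize user input, "
            "leading to a Cross-Site Scripting vulnerability.")

# The seven advisories and assignments discussed in the comment, plus one
# constructed record with a deliberately wrong pair to show what a miss looks like.
ADVISORIES = [
    {"id": "SA-2025-070", "cwe": "CWE-862", "capec": "CAPEC-87",
     "description": vulnerability_section(SAMPLE_HTML)},
] + [
    {"id": f"SA-2025-{n:03d}", "cwe": "CWE-79", "capec": "CAPEC-63", "description": XSS_TEXT}
    for n in range(71, 77)
] + [
    {"id": "SA-EXAMPLE-999", "cwe": "CWE-862", "capec": "CAPEC-87", "description": XSS_TEXT},
]

if __name__ == "__main__":
    for ok, message in run_checks(ADVISORIES):
        print("OK  " if ok else "FAIL", message)
```

Running the block prints one line per advisory; the seven page advisories pass and the constructed `SA-EXAMPLE-999` record is flagged because an XSS description carries the missing-authorization pair. The keyword classifier is intentionally simple: when no term matches it returns `None` and the record is reported for manual review rather than silently accepted, which is the failure mode a reviewer most wants surfaced.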
  • 🇺🇸 United States greggles Denver, Colorado, USA

    Thanks for this work and for documenting your process.

    The CWE and CAPEC assignments look good to me. I reviewed the code changes as well and they look good to me. Moving to RTBC.

    Let's coordinate to get these filed.

  • 🇺🇸 United States yesct

    I'm running the script now. Update coming soon.

  • 🇺🇸 United States yesct

    I made the CVEs!!

    1. sa-contrib-2025-070 →
      CVE-2025-48916
    2. sa-contrib-2025-071 →
      CVE-2025-48918
    3. sa-contrib-2025-072 →
      CVE-2025-48917
    4. sa-contrib-2025-073 →
      CVE-2025-48919
    5. sa-contrib-2025-074 →
      CVE-2025-48920
    6. sa-contrib-2025-075 →
      CVE-2025-48914
    7. sa-contrib-2025-076 →
      CVE-2025-48915

    I also pushed a docs change to help limit manual editing and added --info and --limit options to the script.

    Now this is super ready for re-review of my new changes, and hopefully a merge.

    Next issue was https://www.drupal.org/project/securitydrupalorg/issues/3528283 📌 Create CVEs for June 4, 2025 Active but there were no advisories, so that issue is closed.

  • 🇺🇸 United States yesct
  • Pipeline finished with Skipped, about 2 months ago, #521796
  • 🇺🇸 United States greggles Denver, Colorado, USA

    Thanks, yesct! This is a nice improvement in addition to filing the CVEs.

  • Automatically closed - issue fixed for 2 weeks with no activity.
