- Issue created by @yesct
- Merge request !9 Issue #3528864: Update CWE and CAPEC values for new security advisories (Merged) created by yesct
- 🇺🇸 United States yesct
Created a MR using AI help.
Next step:
* me: look at the changes critically and see if there are better CWE and CAPEC identifiers to use.
- 🇺🇸 United States yesct
HA the links in the commit message aren't correct. Sorry.
- 🇺🇸 United States yesct
I did verify no CVEs were created for this time period.
So then I tried to look critically at and check the AI output.
Analysis of CWE and CAPEC Assignments for New Advisories
I used CursorAI in privacy mode to help me analyze the CWE and CAPEC assignments for the new advisories (SA-2025-064 through SA-2025-069) by comparing them with similar advisories in the codebase. Here's the analysis:
- SA-2025-064 (Missing Authorization):
  - Assigned CWE-862 (Missing Authorization) with CAPEC-87 (Forceful Browsing)
  - Consistent with 15 other advisories using the same combination
  - Examples: SA-2025-055, SA-2025-020, SA-2024-076, SA-2024-075
- SA-2025-065 (Missing Authorization):
  - Same as SA-2025-064
  - Part of the same pattern of missing authorization checks
- SA-2025-066 (Incorrect Authorization):
  - Assigned CWE-863 (Incorrect Authorization) with CAPEC-212 (Functionality Misuse)
  - Matches SA-2025-067 and SA-2024-042
  - Different from CWE-862 because it involves insufficient verification rather than missing checks
- SA-2025-067 (Incorrect Authorization):
  - Same as SA-2025-066
  - Both involve payment status verification issues
- SA-2025-068 (Resource Allocation):
  - Assigned CWE-770 (Allocation of Resources Without Limits or Throttling) with CAPEC-130 (Excessive Allocation)
  - Matches SA-2025-059 and SA-2025-030
  - Consistent with other resource allocation vulnerabilities
- SA-2025-069 (XSS):
Analysis Process
- First checked each advisory's description to understand the vulnerability type
- Compared with similar advisories in the codebase
- Verified the CWE/CAPEC combinations were consistent with the established patterns
- Found that all assignments follow the same classification scheme used throughout the codebase
The assignments are appropriate and consistent with the existing patterns in the codebase. No changes are needed.
Analysis Timeline
- Initial Request: "please write a summary of all that analysis that is appropriate for me to post on a comment on d.o. Note comments on d.o use html (not markdown). Include my prompts in chronological order (including this one) and your responses, so others can double check out logic."
  Response: [Previous analysis of SA-2025-064 through SA-2025-069]
- Request: "list which other SAs had similar values."
  Response: [Previous search results showing similar advisories for each CWE/CAPEC combination]
- Request: "pre is a terrible accessibility, use html that is meaningful like ordered lists, paragraphs, and anchor links, link each SA to the SA on drupal.org, and link each CWE and CAPEC reference to their webpages, to make it easy for others to double check. (include this new prompt in the summary)"
  Response: [This current response]
I hope this helps a reviewer. It at least documents what I read; in case it turns out to be incorrect, we can track where the info came from.
Next steps:
- optional review by someone else
- me: run the script
- maintainer of this repo: merge
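The consistency check described in the comment above (group advisories by vulnerability class, compare each new advisory's CWE/CAPEC pair against the established pair, and list the other SAs that share the same values) can be automated. The script below is an added example and is not the securitydrupalorg repository's own script or the AI output from the thread; the advisory table is constructed for illustration (the three CWE/CAPEC pairs mirror the ones named in the thread, while SA-2025-070 and SA-2025-071 are made-up entries so the checker has something to report).

```python
"""Consistency check for CWE/CAPEC assignments across security advisories.

Added example, not part of the securitydrupalorg repo. The advisory data
below is constructed; only the three CWE/CAPEC pairs named in the thread
are taken from it.
"""
import re
from collections import Counter, defaultdict

CWE_RE = re.compile(r"^CWE-\d+$")
CAPEC_RE = re.compile(r"^CAPEC-\d+$")

# Constructed sample: advisory id -> (vulnerability class, CWE, CAPEC).
SAMPLE_ASSIGNMENTS = {
    "SA-2025-055": ("Missing Authorization", "CWE-862", "CAPEC-87"),
    "SA-2025-020": ("Missing Authorization", "CWE-862", "CAPEC-87"),
    "SA-2025-064": ("Missing Authorization", "CWE-862", "CAPEC-87"),
    "SA-2025-065": ("Missing Authorization", "CWE-862", "CAPEC-87"),
    "SA-2024-042": ("Incorrect Authorization", "CWE-863", "CAPEC-212"),
    "SA-2025-066": ("Incorrect Authorization", "CWE-863", "CAPEC-212"),
    "SA-2025-067": ("Incorrect Authorization", "CWE-863", "CAPEC-212"),
    "SA-2025-030": ("Resource Allocation", "CWE-770", "CAPEC-130"),
    "SA-2025-059": ("Resource Allocation", "CWE-770", "CAPEC-130"),
    "SA-2025-068": ("Resource Allocation", "CWE-770", "CAPEC-130"),
    # Constructed outlier: class says missing authorization, CWE says incorrect.
    "SA-2025-070": ("Missing Authorization", "CWE-863", "CAPEC-87"),
    # Constructed malformed identifier (missing hyphen).
    "SA-2025-071": ("Resource Allocation", "CWE770", "CAPEC-130"),
}


def malformed_ids(assignments):
    """Return advisory ids whose CWE or CAPEC value is not well-formed."""
    bad = []
    for sa, (_, cwe, capec) in assignments.items():
        if not CWE_RE.match(cwe) or not CAPEC_RE.match(capec):
            bad.append(sa)
    return sorted(bad)


def established_pairs(assignments):
    """Per vulnerability class: the most common (CWE, CAPEC) pair and its count."""
    by_class = defaultdict(Counter)
    for _, (klass, cwe, capec) in assignments.items():
        by_class[klass][(cwe, capec)] += 1
    return {k: c.most_common(1)[0] for k, c in by_class.items()}


def find_outliers(assignments):
    """Advisories whose pair differs from the established pair for their class."""
    baseline = established_pairs(assignments)
    out = {}
    for sa, (klass, cwe, capec) in assignments.items():
        expected = baseline[klass][0]
        if (cwe, capec) != expected:
            out[sa] = {"class": klass, "assigned": (cwe, capec), "expected": expected}
    return out


def peers(assignments, sa):
    """Other advisories sharing the same (CWE, CAPEC) pair as `sa`
    (the 'list which other SAs had similar values' step from the thread)."""
    _, cwe, capec = assignments[sa]
    return sorted(
        other
        for other, (_, c, p) in assignments.items()
        if other != sa and (c, p) == (cwe, capec)
    )


if __name__ == "__main__":
    print("malformed:", malformed_ids(SAMPLE_ASSIGNMENTS))
    for sa, info in sorted(find_outliers(SAMPLE_ASSIGNMENTS).items()):
        print(f"{sa}: {info['class']} assigned {info['assigned']}, "
              f"established {info['expected']}")
    for sa in ("SA-2025-064", "SA-2025-066", "SA-2025-068"):
        print(sa, "shares its pair with", peers(SAMPLE_ASSIGNMENTS, sa))
```

The baseline is the majority pair per class, so a single mislabelled advisory cannot shift it; a malformed identifier shows up both in the format check and as an outlier, which is the point at which a reviewer would look up the CWE and CAPEC pages before merging.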
- 🇺🇸 United States yesct
I ran the script. I needed to fudge the limit to get this older batch.
I did some linting fixes, and ignored some linting errors.
I tried to use the json file for the first SA in this batch, 64, but I got some errors in the js console in https://vulnogram.github.io/#editor
I pinged in the security slack channel for help.
- 🇺🇸 United States yesct
I think this can be merged though. The issue can remain open after merge for my next steps which are to upload the json files to https://vulnogram.github.io/#editor .
- 🇺🇸 United States yesct
I made the CVEs!!
- sa-contrib-2025-064: CVE-2025-48444
- sa-contrib-2025-065: CVE-2025-48013
- sa-contrib-2025-066: CVE-2025-48445
- sa-contrib-2025-067: CVE-2025-48446
- sa-contrib-2025-068: CVE-2025-48448
- sa-contrib-2025-069: CVE-2025-48447
I also pushed a docs change to help me remember how to log in.
Now this is super ready to merge, and merging will make it easier for me to work on the next one: https://www.drupal.org/project/securitydrupalorg/issues/3528281 Create CVEs for May 21, 2025 (Active)
- pwolanin committed cead58d7 on 7.x-1.x authored by yesct
  Issue #3528864 by yesct, pwolanin: Create CVEs for May 21, 2025
- 🇺🇸 United States yesct
Thanks! I'll mark this fixed, and rebase the branch for the next issue: https://www.drupal.org/project/securitydrupalorg/issues/3528281 Create CVEs for May 21, 2025 (Active)
- 🇺🇸 United States greggles Denver, Colorado, USA
Actually marking it fixed after #12.
I spot checked these and they look good to me. Thanks, yesct and pwolanin!
Automatically closed - issue fixed for 2 weeks with no activity.