CVE Stuffing

1/3/2021 CVE Stuffing – JerryGamblin.com

JerryGamblin.com

Researcher. Builder. Hacker. Traveler.

CVE Stuffing
17/12/2020 15586 Views

I monitor the @CVENew Twitter feed to keep up with any interesting new vulnerabilities that are released. On December 11th CVE-2020-29589 was published claiming that “the kapacitor Docker images through 1.5.0-alpine contain a blank password for the root user” and that it has a CVSS score of 9.8.

This CVE was just a re-report of CVE-2019-5021, which I researched last year when it came out. Alpine Linux rightfully states in its write-up that “You are not affected unless you have shadow or Linux-pam packages installed.” Checking the Dockerfile for the Kapacitor image, it has neither package installed, so this container is not affected by either the original CVE-2019-5021 vulnerability or the new CVE-2020-29589 it was just given. Mistakes happen, so I reached out to InfluxData to ask them to dispute the CVE and moved on with my day.
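The check described above, written out as an added example that is not from the original post: it applies the Alpine advisory's condition (blank root password hash AND the shadow or linux-pam package installed) to an image's /etc/shadow and installed-package list. The docker/apk commands in the comments are assumed ways to obtain those inputs, and all sample inputs are constructed.

```python
"""Triage helper for the Alpine blank-root-password issue (CVE-2019-5021).

Assumed inputs, pulled from the image under review, for example with:
    docker run --rm --entrypoint sh IMAGE -c 'cat /etc/shadow'
    docker run --rm --entrypoint sh IMAGE -c 'apk info'
Per the Alpine advisory, a blank root hash only matters when a login
path that honours /etc/shadow (shadow or linux-pam) is installed.
"""

AUTH_PACKAGES = {"shadow", "linux-pam"}


def root_password_field(shadow_text):
    """Return the password field of the root entry in /etc/shadow, or None."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == "root":
            return fields[1] if len(fields) > 1 else None
    return None


def root_password_blank(shadow_text):
    """True when root exists and its password field is empty."""
    return root_password_field(shadow_text) == ""


def assess(shadow_text, apk_info_text):
    """Classify an image as one of:
    'affected'        blank root hash and shadow/linux-pam installed
    'blank-root-only' blank root hash but no package that can use it
    'not-blank'       root hash is locked ("!", "*") or set
    'no-root-entry'   no root line found in /etc/shadow
    """
    field = root_password_field(shadow_text)
    installed = {p.strip() for p in apk_info_text.splitlines() if p.strip()}
    if field is None:
        return "no-root-entry"
    if field != "":
        return "not-blank"
    if installed & AUTH_PACKAGES:
        return "affected"
    return "blank-root-only"


# Constructed sample inputs; not taken from any real image.
SHADOW_BLANK = "root::18000:0:::::\nbin:!::0:::::\n"
SHADOW_LOCKED = "root:!::0:::::\nbin:!::0:::::\n"
APK_BASE = "musl\nbusybox\nalpine-baselayout\napk-tools\n"
APK_WITH_SHADOW = APK_BASE + "shadow\n"

if __name__ == "__main__":
    print(assess(SHADOW_BLANK, APK_BASE))          # blank-root-only
    print(assess(SHADOW_BLANK, APK_WITH_SHADOW))   # affected
    print(assess(SHADOW_LOCKED, APK_WITH_SHADOW))  # not-blank
```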

Then it started to happen. Over the last 7 days, the following CVEs were filed claiming the same issue, without any verification and without any attempt to reach out to the container owners to let them know a CVE had been filed.

CVE-2020-29589
CVE-2020-29590
CVE-2020-29591
CVE-2020-35184
CVE-2020-35185
CVE-2020-35186
CVE-2020-35187
CVE-2020-35188
CVE-2020-35189
CVE-2020-35190
CVE-2020-35191
CVE-2020-35192
CVE-2020-35193
CVE-2020-35194
CVE-2020-35195
CVE-2020-35196
CVE-2020-35197
CVE-2020-35462
CVE-2020-35463
CVE-2020-35464
CVE-2020-35465
CVE-2020-35466
CVE-2020-35467
CVE-2020-35468

The descriptions have even started to worsen, as with CVE-2020-35466, which lists the affected product as “Blackfire Docker image – store/blackfire/blackfire”, making it impossible even to check whether the vulnerability exists.

With the expansion of CNAs, I know that the overall number of CVEs will explode, with XSS bugs in specialty software like CVE-2019-14478 becoming more common. However, as long as there is some effort to verify the vulnerability, the data is still useful. If we get to the point where you cannot even trust that the data in a CVE is accurate, security teams lose the ability to mitigate vulnerabilities. As Michael Roytman told me, “The only thing worse than no data is bad data,” and that is what is happening here: the CVE database is being stuffed with bad data. I have not found a way to contact the NVD or MITRE about these CVEs and am having only mixed luck getting the container owners to dispute them.

https://jerrygamblin.com/2020/12/17/cve-stuffing/