17 Nov 2022

CVE’s CNA Program Is Causing Them to Fail in Their Stated Mission

The CVE program, which claims to be sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) (we tried to confirm that with CISA, but got no reply), is supposed to provide a unique identifier for vulnerabilities:

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog.

Despite being funded by the US government, the program outsources the creation of entries to what looks to be any entity that wants to issue CVE IDs, through the CVE Numbering Authority (CNA) program. As we have documented repeatedly, those entities don’t do basic checking before issuing CVE IDs. Here was one recent example of that. Among the other problems that causes is the same CNA issuing multiple CVE IDs for one vulnerability. We documented a previous example of that with Automattic’s WPScan in March, where they claimed a vulnerability had been fixed when it hadn’t, and then added another entry claiming the vulnerability had been fixed again.

That has happened again with WPScan. This time it involves a plugin named Contact Form 7 Database Addon.

In January 2021, WPScan issued CVE-2021-24144 for a CSV injection vulnerability in the plugin.

Late in October 2022, WPScan issued CVE-2022-3634 for a CSV injection vulnerability in the plugin.

It’s the same exact vulnerability.

One possible explanation for this would be that the vulnerability was fixed and the fix was later undone, but that isn’t the case. Without that explanation, at least one of the two claims that the vulnerability was fixed is wrong. WPScan also did so little due diligence that it didn’t notice it had already claimed the issue was fixed, and it didn’t check whether a CVE ID had already been issued for the vulnerability.

This seems like something CVE would want to know about. Since they are outsourcing the issuing of CVE IDs, they presumably would want to know when there are problems with the CNAs they have given that ability to. But in our experience trying to raise that with them, they instead direct people to contact the CNAs.

It’s unclear what the point of CVE is even supposed to be with its current setup, as it appears to be a middleman in issuing CVE IDs while not adding any value to the process.

We would have contacted CISA to get their view on this, but we got no response when we tried to do that for another recent story.
