Getting a CVE number for a security issue in an open source project
My first CVE number
Last week I got an email with an alarming subject which opened up with the following sentence:
In our bug bounty program we received a vulnerability report….
Turns out someone discovered a security issue in the Cordova fingerprint plugin I have been maintaining for over 5 years now. Fortunately I could quickly find out that I just need to change the attribute
android:exported="false" in plugin.xml. This mitigates the issue and the plugin still works as expected.
I don’t consider the security issue a severe one because it only allows the attacker to crash your app if they somehow manage to install an app on the victim’s device containing specific code to trigger the vulnerability in the targeted app. In my opinion this is very unlikely to happen.
The person that sent the email did the right thing to contact me privately about the issue. That is the right way to go and you should do this as well if you find security issues. I then started the process of a responsible disclosure. This was my first time doing it and I hope I did everything right.
I knew that GitHub has some security features for maintainers. I created a security policy a while ago. With a detailed description of the issue and a possible fix I started drafting the security advisory. GitHub lets you create a private fork where you can commit your code privately and collaborate with others. I fixed the code and tried the example exploit code I got from the company reporting the issue.
My tests where successful and I wanted to publish a new version for the company reporting this. NPM lets you publish versions with tags and I have used the tag “rc” for pre-release versions before. App developers can add the version tag like this:
cordova plugin add cordova-plugin-fingerprint-aio@rc and test out versions before you publish them as “normal releases”.
Getting the CVE number
I informed the company that the issue was fixed and let some time pass. In the meantime I requested a CVE number from GitHub by just pressing one button. Soon later GitHub assigned the issue a CVE number and after publishing the advisory the issue will become part of all public CVE databases for easy reference. GitHub really made this process easy.
The advisory is now public and the issue is officially called CVE-2021-43849. Version 5.0.1 is out and fixes the issue.
The journey from an email about a security issue to a real responsible disclosure with a CVE number was very interesting to me. With GitHub’s tools it was very easy and convenient to announce this issue properly. I hope every app affected can fix this quickly and nobody experiences any problems because of this bug.
I hope this story is helpful for you if you need to handle a security issue in open source and I hope all people and companies disclose their security issues responsibly.