vulns: add curl and libcurl vulns

[RTann]

I ran a genesis dump without these changes (see #1276). You'll notice in that PR in the genesis dump logs, you will find logs saying CVE-2023-38545 and CVE-2023-38546 are missing for several distributions. With this PR, they are no longer missing, as we utilize the CVSSv3 scores from our "NVD" manual entries.

Note: this does not affect Red Hat, as they track CVSS scores, themselves

[RTann]

/retest

[ghost]

Images are ready for the commit at f338fed.

To use the images, use the tag 2.31.x-20-gf338fedd01.

[RTann]

postgres=# select v.name, n.name, v.metadata from vulnerability v join namespace n on v.namespace_id = n.id where v.name = 'CVE-2023-38545';
      name      |      name       |                                                           
                                                                                   metadata   
                                                                                              
                                             
----------------+-----------------+-----------------------------------------------------------
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
---------------------------------------------
 CVE-2023-38545 | debian:12       | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | debian:unstable | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | debian:13       | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | debian:11       | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | debian:10       | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | alpine:v3.17    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | alpine:v3.15    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | alpine:v3.16    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | alpine:v3.18    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | alpine:edge     | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | ubuntu:16.04    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | ubuntu:14.04    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | ubuntu:23.04    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | ubuntu:18.04    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | ubuntu:22.04    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38545 | ubuntu:20.04    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":5.9,"Score":7.5,"Vec
tors":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"LastModifiedDateTime":"2023-10-11T00:00
Z","PublishedDateTime":"2023-10-11T00:00Z"}}
(16 rows)

postgres=# select v.name, n.name, v.metadata from vulnerability v join namespace n on v.namespace_id = n.id where v.name = 'CVE-2023-38546';
      name      |      name       |                                                           
                                                                                              
                                                                                              
                         metadata                                                             
                                                                                              
                                                                                              
                        
----------------+-----------------+-----------------------------------------------------------
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
------------------------
 CVE-2023-38546 | debian:unstable | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | debian:13       | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | debian:10       | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | debian:11       | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | debian:12       | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | alpine:v3.17    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | alpine:v3.15    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | alpine:v3.18    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | alpine:v3.16    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | alpine:edge     | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | centos:6        | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"","PublishedDateTi
me":"2023-10-11T00:00:00Z"},"Red Hat":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,"Scor
e":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vectors":"
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"","PublishedDateTime":"
2023-10-11T00:00:00Z"}}
 CVE-2023-38546 | centos:8        | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"","PublishedDateTi
me":"2023-10-11T00:00:00Z"},"Red Hat":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,"Scor
e":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vectors":"
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"","PublishedDateTime":"
2023-10-11T00:00:00Z"}}
 CVE-2023-38546 | centos:7        | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"","PublishedDateTi
me":"2023-10-11T00:00:00Z"},"Red Hat":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,"Scor
e":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vectors":"
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"","PublishedDateTime":"
2023-10-11T00:00:00Z"}}
 CVE-2023-38546 | ubuntu:16.04    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | ubuntu:14.04    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | ubuntu:23.04    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | ubuntu:18.04    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | ubuntu:20.04    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
 CVE-2023-38546 | ubuntu:22.04    | {"NVD":{"CVSSv2":{"ExploitabilityScore":0,"ImpactScore":0,
"Score":0,"Vectors":""},"CVSSv3":{"ExploitabilityScore":1.6,"ImpactScore":3.4,"Score":5,"Vecto
rs":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"LastModifiedDateTime":"2023-10-11T00:00Z"
,"PublishedDateTime":"2023-10-11T00:00Z"}}
(19 rows)

[daynewlee]

LGTM.
Do we need to remove these CVEs after OVAL feeds get updated?

[dcaravel]

Per curl.se this should be CWE-122 Heap-based Buffer Overflow

[dcaravel]

Should add VersionStartIncluding: "7.69.0"

[dcaravel]

Is the vendor ubuntu in the CPE line here accurate? See other curl vulns use haxx as the vendor.

[dcaravel]

Assuming this was sourced from RH data?

Based on vector AC:H, AttackComplexity should be HIGH

[dcaravel]

Per curl.se - CWE-73: External Control of File Name or Path

[dcaravel]

Should these links be https://curl.se/docs/CVE-2023-38546.html instead?

[dcaravel]

Should these links be https://curl.se/docs/CVE-2023-38545.html instead?

[dcaravel]

Should add VersionStartIncluding: "7.9.1"