vulnfeeds dynamic vendor product repo caching causing false hits

[jheider-sit]

The CVE ID
https://osv.dev/vulnerability/CVE-2021-38946

Describe the data quality issue observed
CVE-2021-38946 is currently associated in OSV with: github.com/highcharts/highcharts

However, according to the official CVE record and the National Vulnerability Database, this CVE affects IBM Cognos Analytics (XSS vulnerability), not Highcharts.

There are no vendor advisories, GitHub Security Advisories, or Highcharts security notices linking this CVE to the Highcharts repository.

Suggested changes to record
Remove the affected packages pointing to highchart or provide information in summary how highchart is related to this CVE.

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[jheider-sit]

The same applies for the following CVEs, that are linked in OSV to highcharts repository without being mentioned in the sources for the CVEs:

• https://osv.dev/vulnerability/CVE-2021-38905
• https://osv.dev/vulnerability/CVE-2021-38904
• https://osv.dev/vulnerability/CVE-2021-38903
• https://osv.dev/vulnerability/CVE-2021-38886
• https://osv.dev/vulnerability/CVE-2021-29824
• https://osv.dev/vulnerability/CVE-2021-20464
• https://osv.dev/vulnerability/CVE-2021-39002
• https://osv.dev/vulnerability/CVE-2021-38931
• https://osv.dev/vulnerability/CVE-2021-38926
• https://osv.dev/vulnerability/CVE-2021-29678
• https://osv.dev/vulnerability/CVE-2021-29745
• https://osv.dev/vulnerability/CVE-2021-29679
• https://osv.dev/vulnerability/CVE-2021-22946

[jess-lowe]

This is really odd, but I have a hunch on what happened. I'll fix these records and look into it more thoroughly to prevent it from happening again.

Thanks for reporting!

[jess-lowe]

For investigative purposes: looks like all of these randomly successfully converted on 13 Feb, seemingly extracting a git repository from the cache with what I believe to be a hit on the "netapp:oncommand_insight" Vendor/Product combination. It hasn't happened since, so I wonder if it was a hiccup with the CPE dictionary allocation, or maybe the vp repo cache was erroneously updated by a previous record in 2021 that successfully converted with highcharts.

[jess-lowe]

Seems like my second theory is probably the case: https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-29489. This record also has "netapp:oncommand_insight" Vendor/Product combination in it's CPE dictionary.