
9-month-old withdrawn CVE for aiohttp added to safety-db #2363

Closed
ghost opened this issue Apr 23, 2023 · 2 comments

Comments

@ghost

ghost commented Apr 23, 2023

Hi,

Recently, safety started reporting to me that all versions of aiohttp are vulnerable to CVE-2022-33124 due to a potential DoS attack relating to an invalid IPv6 URL. However, the description of the vulnerability clearly states that it has been "WITHDRAWN". Moreover, the raising of this vulnerability, and the dispute around its validity, was discussed 9 months ago, in July 2022. But this vulnerability has been added to the database here this month.

The relevant entry of insecure_full.json is this one:

{
    "advisory": "## Withdrawn\nThis advisory has been withdrawn because the maintainers of aiohttp and multiple third parties disputed the validity of the issue. There is not sufficient evidence for the claims in the original report.\n\n## Original Description\naiohttp v3.8.1 was discovered to contain an invalid IPv6 URL which can lead to a Denial of Service (DoS).",
    "cve": "CVE-2022-33124",
    "id": "pyup.io-54318",
    "more_info_path": "/vulnerabilities/CVE-2022-33124/54318",
    "specs": [
        ">=0"
    ],
    "v": ">=0"
}

I suppose I have two questions here:

  1. Why was a withdrawn / disputed CVE added to the database? In this example, not a single person actually recognises this as a real vulnerability, it has no PoC, and the original reporter is an anonymous user who made no attempt to contact the aiohttp maintainers before raising it.
  2. Is this an expected timeframe to be adding vulnerabilities to the database? It seems odd to me that something that was raised and discussed this long ago is added.

Regards, Toby
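One way to audit a safety-db dump for entries like the one quoted above, added here as an example and not code from the issue or from the safety project: it assumes insecure_full.json maps each package name to a list of entries in the shape shown above (plus a "$meta" key), flags advisories whose text opens with "## Withdrawn" or carries NVD's "** DISPUTED **" marker, and reports which entries cover a given installed version. The version-spec matcher and the "examplepkg" entry are constructed for illustration and are not part of the real database.

```python
import json
import re

# Constructed sample in the assumed shape of safety-db's insecure_full.json
# (package name -> list of advisory entries). The aiohttp entry is the one
# quoted in the issue; "examplepkg" and its entry are made up for illustration.
SAMPLE_DB_JSON = r'''
{
  "$meta": {"advisory": "constructed metadata placeholder", "timestamp": 0},
  "aiohttp": [
    {
      "advisory": "## Withdrawn\nThis advisory has been withdrawn because the maintainers of aiohttp and multiple third parties disputed the validity of the issue. There is not sufficient evidence for the claims in the original report.\n\n## Original Description\naiohttp v3.8.1 was discovered to contain an invalid IPv6 URL which can lead to a Denial of Service (DoS).",
      "cve": "CVE-2022-33124",
      "id": "pyup.io-54318",
      "more_info_path": "/vulnerabilities/CVE-2022-33124/54318",
      "specs": [">=0"],
      "v": ">=0"
    }
  ],
  "examplepkg": [
    {
      "advisory": "Constructed placeholder advisory for a hypothetical package.",
      "cve": "CVE-0000-00000",
      "id": "pyup.io-00000",
      "more_info_path": "/vulnerabilities/CVE-0000-00000/00000",
      "specs": ["<1.2.0"],
      "v": "<1.2.0"
    }
  ]
}
'''


def load_db(text):
    """Parse an insecure_full.json document and drop the non-package "$meta" key."""
    data = json.loads(text)
    return {name: entries for name, entries in data.items() if not name.startswith("$")}


def is_withdrawn(entry):
    """True if the advisory text is marked withdrawn (safety-db style) or disputed (NVD style)."""
    text = entry.get("advisory", "")
    return text.lstrip().lower().startswith("## withdrawn") or "** disputed **" in text.lower()


def _vtuple(version, width=4):
    """Numeric components of a version, zero-padded so 1.2 and 1.2.0 compare equal."""
    nums = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((nums + [0] * width)[:width])


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def version_matches(version, spec):
    """True if `version` satisfies every comma-separated clause of a spec such as ">=1.0,<2.0"."""
    vt = _vtuple(version)
    for clause in spec.split(","):
        m = re.match(r"\s*(>=|<=|==|!=|>|<)\s*(\S+)\s*$", clause)
        if not m:
            raise ValueError(f"unsupported spec clause: {clause!r}")
        op, target = m.groups()
        if not _OPS[op](vt, _vtuple(target)):
            return False
    return True


def check_package(db, name, version):
    """Split the entries covering `version` of `name` into (active, withdrawn) lists."""
    active, withdrawn = [], []
    for entry in db.get(name, []):
        if not any(version_matches(version, s) for s in entry.get("specs", [])):
            continue
        (withdrawn if is_withdrawn(entry) else active).append(entry)
    return active, withdrawn


if __name__ == "__main__":
    db = load_db(SAMPLE_DB_JSON)
    for pkg, ver in (("aiohttp", "3.8.1"), ("examplepkg", "1.1.0"), ("examplepkg", "1.2.0")):
        active, withdrawn = check_package(db, pkg, ver)
        print(f"{pkg}=={ver}: active={[e['cve'] for e in active]} "
              f"withdrawn/disputed={[e['cve'] for e in withdrawn]}")
```

Running the block against a real insecure_full.json (pass the file contents to load_db) separates findings you should act on from entries that only survive as withdrawn or disputed text, so a scanner driven by this data can report the latter as informational rather than as failures.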

@harlekeyn

Hi Toby,

Thank you for reaching out to us regarding CVE-2022-33124. I understand your concerns and would like to provide some clarity on the matter.

As a cybersecurity company, we are constantly on the lookout for new vulnerabilities to ensure the quality of our vulnerability database. Aside from vulnerabilities independently discovered by PyUp (44% of our direct vulnerabilities are PVEs) we classify CVEs from the National Vulnerability Database. It is commonly known among threat intelligence researchers that the NVD lacks some necessary parameters, resulting in the need for a combination of both automated analyses and manual reviews of vulnerabilities.

CVE-2022-33124 was added to our database due to the implementation of new methods and sources in our vulnerability tracking. However, as you have correctly pointed out, CVE-2022-33124 was withdrawn and disputed. We acknowledge that we made an error in this instance, and upon realizing this, we promptly removed this vulnerability from our database. This was some days ago.

Our paid users received this update immediately. However, our free service includes a 30-day delay in updates, which is why you may have come across this vulnerability in the database at a later time.

Please do not hesitate to reach out if you have any further questions or concerns. We appreciate your vigilance in helping us maintain the integrity of our database.

Sincerely,

Tristan

@ghost (Author)

ghost commented Apr 26, 2023

Hi Tristan, thanks very much for the detailed and transparent response. This is totally understandable and I'm glad the issue is expected to be fixed in the next update.

Feel free to close this ticket whenever you feel it is appropriate: now, or once the update has come through to the non-commercial database.

Regards,
Toby
