
bogus CVE claimed on this project #396

Open

Bananeweizen opened this issue Apr 10, 2024 · 12 comments

Comments

@Bananeweizen

Someone raised a bogus CVE for this project: https://nvd.nist.gov/vuln/detail/CVE-2024-22949.
Behind that seems to be someone running an LLM to look for bugs: https://gist.github.com/LLM4IG
I've reported that account to GitHub, you may want to take similar actions.

@trashgod
Contributor

In addition to CVE-2024-22949, see also CVE-2024-23076 and CVE-2024-23077. All seem spurious.

@effad

effad commented Apr 11, 2024

Someone raised a bogus CVE for this project: https://nvd.nist.gov/vuln/detail/CVE-2024-22949. Behind that seems to be someone running an LLM to look for bugs: https://gist.github.com/LLM4IG I've reported that account to GitHub, you may want to take similar actions.

I've tried to find out how to "dispute" CVEs in general and must admit I'm lost :-). Why report the account to GitHub? There seems nothing wrong with running an LLM and writing down the results in a GIST. Only the fact that these findings are reported as CVE seems wrong to me ...

@effad

effad commented Apr 11, 2024

I think I've found the correct way of disputing this CVE. Since the issue is assigned to MITRE, one can use https://cveform.mitre.org/ to send a reject request (which I have done now). I suggest other people do so as well in the hope that MITRE will see sense then.

@trashgod
Contributor

Why report the account to GitHub?

I think that GitHub has more information on the matter. As reported in "NVD slowdown leaves thousands of vulnerabilities without analysis data", the GitHub Advisory Database is part of the effort to categorize potential vulnerabilities. For reference, the unreviewed report is mentioned in these issues.

@EntropyAndAnomie

EntropyAndAnomie commented Apr 12, 2024

Poked around the repo a bit. It seems that this is part of a project being prepared as a submission for https://conf.researchr.org/home/icse-2025.
https://llm4ig.github.io/

I think the claim being made by this person is that their software is producing "better" results because it's finding more "problems" more efficiently than other code testing libraries.
https://github.com/LLMISP/LLMISP/raw/master/Evaluation/Unexpected%20behaviors.xlsx

Irrespective of whether any of these "unexpected behaviors" are true vulnerabilities, pointing LLM-based libraries that aren't even announced, at already-released software, and generating and reporting CVEs when NVD is understaffed or hibernating, is not what the world needs right now. Or, ever.

@hazendaz

Well at least https://www.cve.org/CVERecord?id=CVE-2023-52070 is showing it disputed. Snyk tooling is also spamming on this now. I suspect this will blow up our tools at work too :(

@Bananeweizen
Author

I suspect this will blow up our tools at work too :(

That's how I noticed this. 1 day after submission I was already flooded with several dozen new "vulnerabilities" in our company Dependency-Track installation, which is fed by all the available CVE databases.

@JiaJinming

Hello, our products use jfreechart, which has vulnerabilities CVE-2024-22949, CVE-2023-52070, and CVE-2024-23077. We would like to know which of these vulnerabilities your current assessment considers valid and accurate. How should invalid CVE vulnerabilities be handled? Are there any plans to address valid CVE vulnerabilities?

@svaens

svaens commented Apr 17, 2024

Same here. I configured our system to ignore the first initial CVE entry, ...
and now there are two extra ones blocking my build process.
Any idea when this situation will be resolved?

@svaens

svaens commented Apr 17, 2024

The CVE entries were 2 high and 1 medium. So I adjusted my build to accept these 2 high and 1 medium vulnerabilities.
By the time I did that, pushed the change, got someone to approve the change, and made a new build,
it was 3 high-level vulnerabilities, and my build still fails.

@trashgod
Contributor

I submitted PR #397 that addresses what I think prompted CVE-2024-23077 and CVE-2023-52070.

@jfree
Owner

jfree commented Jun 23, 2024

Thanks @trashgod I merged your PR.
