_INP BFCVE Challenge
Irena Bojanova, PI & Lead, NIST Bugs Framework (BF), 2014 – ~~~~

Let’s start creating a labeled dataset of input/output check related software security vulnerability specifications, using BF’s input/output check bugs formalism (taxonomy and LL(1) formal grammar).

There are 70 736 input/output check related CVEs (as of August 2023). To start with, we query the CVE list for entries with CWEs assigned by NVD, where those CWEs also map by operation to BF Input/Output Check classes. We then order them by their severity scores according to the Common Vulnerability Scoring System (CVSS) and select at most thirty CVEs per operation, thus reducing the count to the most severe CVEs per _INP BF operation.
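As an added example (not the challenge page's or the BF project's own code), the selection pipeline just described, run on a constructed stand-in for the NVD query result and on the CWE-to-BF-chain subset that this page's table lists; the CVE-0000-* ids and all scores other than the listed 10s are placeholders:

```python
from collections import defaultdict

# CWE -> BF chain(s) as (cause, BF class + operation, consequence), taken from
# the "BF Chain(s) Identifiable from NVD CWE" column of the table on this page.
CWE2BF = {
    "CWE-94": [("Missing Code/Erroneous Code", "DVL Sanitize", "Source Code Injection")],
    "CWE-89": [("Missing Code/Erroneous Code", "DVL Sanitize", "Query Injection")],
    "CWE-78": [("Missing Code/Erroneous Code", "DVL Sanitize", "Command Injection")],
    "CWE-77": [("Missing Code/Erroneous Code", "DVL Sanitize", "Command Injection")],
    "CWE-20": [("Missing Code/Erroneous Code", "DVL Validate", "Invalid Data"),
               ("Missing Code/Erroneous Code", "DVR Verify",
                "Wrong Value/Inconsistent Value/Wrong Type")],
    "CWE-129": [("Missing Code/Erroneous Code", "DVR Verify", "Wrong Value")],
    "CWE-1284": [("Missing Code/Erroneous Code", "DVR Verify",
                  "Wrong Value/Inconsistent Value")],
}

# Constructed stand-in for an NVD query result: (CVE id, CVSS base score,
# NVD-assigned CWEs). The CVE-0000-* ids and their scores are placeholders.
NVD_RECORDS = [
    ("CVE-2022-32054", 10.0, ["CWE-94"]),
    ("CVE-2022-30493", 10.0, ["CWE-89"]),
    ("CVE-2022-30329", 10.0, ["CWE-78"]),
    ("CVE-2020-3847", 10.0, ["CWE-20"]),
    ("CVE-2020-3673", 10.0, ["CWE-129"]),
    ("CVE-2021-21950", 10.0, ["CWE-1284"]),
    ("CVE-0000-0001", 7.5, ["CWE-20"]),   # maps to two _INP operations
    ("CVE-0000-0002", 9.8, ["CWE-79"]),   # not an _INP CWE here: filtered out
    ("CVE-0000-0003", 4.3, ["CWE-89"]),
]

def chains_for(cwes):
    """BF chains identifiable from a CVE's NVD CWEs; empty if none maps to _INP."""
    return [chain for cwe in cwes for chain in CWE2BF.get(cwe, [])]

def select_per_operation(records, per_op=30):
    """Keep the per_op highest-CVSS CVEs for each BF operation (ties by CVE id).
    A CVE whose CWE yields several chains is listed under each operation."""
    by_op = defaultdict(list)
    for cve, score, cwes in records:
        for cause, op, consequence in chains_for(cwes):
            by_op[op].append((-score, cve, (cause, op, consequence)))
    return {op: [(cve, -neg, chain) for neg, cve, chain in sorted(rows)[:per_op]]
            for op, rows in by_op.items()}

if __name__ == "__main__":
    for op, rows in select_per_operation(NVD_RECORDS).items():
        print(op, [cve for cve, _, _ in rows])
```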

First set of steps:
  1. Explore the CVEs listed below. Each one has input/output check related underlying weaknesses and was identified via the corresponding CWE2BF mappings and the CWE to CVE assignments by NVD.
  2. Identify at least one CVE for which you can find the Bug Report, the Code with Bug, and the Code with Fix (locate the specific GitHub repository with the Diffs). See how these are listed for the examples in BFCVE on the left.
Second set of steps:
  1. Get to know the BF Input/Output Check Bugs Model.
  2. Get to know the taxonomies of the BF Input/Output Check Classes.
  3. Get to know the BF Tool.
  4. Collaborate on creating BF descriptions of your CVEs.
    Important Note: Use the “NVD CWE” and “BF Chain(s) Identifiable from NVD CWE” columns only as possibly useful guidance. In some cases, a listed CWE may have been wrongly assigned by NVD, so please notify us if you encounter such a case. In some cases, the listed chains may be wrong or may not be the only ones possible, as the CWE information (from which they are retrieved) may be wrong or limited.
Third set of steps:
  1. Open, in a text editor, the .bfcve file in which you saved the BF CVE description using the BF Tool.
  2. Copy the entire content of the .bfcve file. This is your BF CVE specification in XML format.
  3. Submit the copied .bfcve content and the links to the Bug Report, the Code with Bug, and the Code with Fix here:

Submit your BF CVE specification

_INP CVEs

A blank BF Chain(s) cell repeats the chain(s) given in the nearest row above with the same NVD CWE.

| CVE | CVSS | BF Class | BF Operation | NVD CWE | BF Chain(s) Identifiable from NVD CWE |
|---|---|---|---|---|---|
| CVE-2022-32054 | 10 | DVL | Sanitize | CWE-94 | (Missing Code/Erroneous Code, DVL Sanitize, Source Code Injection) |
| CVE-2023-1283 | 10 | DVL | Sanitize | CWE-94 | |
| CVE-2023-2583 | 10 | DVL | Sanitize | CWE-94 | |
| CVE-2022-30493 | 10 | DVL | Sanitize | CWE-89 | (Missing Code/Erroneous Code, DVL Sanitize, Query Injection) |
| CVE-2022-30329 | 10 | DVL | Sanitize | CWE-78 | (Missing Code/Erroneous Code, DVL Sanitize, Command Injection) |
| CVE-2022-30525 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-30541 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-30603 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-31137 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-31479 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-31794 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-31795 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-32534 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-32773 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-33189 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-33192 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-33193 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-33194 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-33195 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-33204 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-33205 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-33206 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-33207 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2023-2564 | 10 | DVL | Sanitize | CWE-78 | |
| CVE-2022-31311 | 10 | DVL | Sanitize | CWE-77 | (Missing Code/Erroneous Code, DVL Sanitize, Command Injection) |
| CVE-2022-31446 | 10 | DVL | Sanitize | CWE-77 | |
| CVE-2022-32449 | 10 | DVL | Sanitize | CWE-77 | |
| CVE-2023-3765 | 10 | DVL | Sanitize | CWE-36 | (Erroneous Code, DVL Sanitize, File Injection) |
| CVE-2023-1177 | 10 | DVL | Sanitize | CWE-29 | (Under-Restrictive Policy, DVL Sanitize, File Injection) |
| CVE-2023-2356 | 10 | DVL | Sanitize | CWE-23 | (Under-Restrictive Policy, DVL Sanitize, File Injection) |
| CVE-2020-3847 | 10 | DVR | Verify | CWE-20 | (Missing Code/Erroneous Code, DVL Validate, Invalid Data); (Missing Code/Erroneous Code, DVR Verify, Wrong Value/Inconsistent Value/Wrong Type) |
| CVE-2020-6962 | 10 | DVR | Verify | CWE-20 | |
| CVE-2020-6963 | 10 | DVR | Verify | CWE-20 | |
| CVE-2020-8087 | 10 | DVR | Verify | CWE-20 | |
| CVE-2020-8445 | 10 | DVR | Verify | CWE-20 | |
| CVE-2021-1965 | 10 | DVR | Verify | CWE-20 | |
| CVE-2021-21985 | 10 | DVR | Verify | CWE-20 | |
| CVE-2021-25437 | 10 | DVR | Verify | CWE-20 | |
| CVE-2021-26606 | 10 | DVR | Verify | CWE-20 | |
| CVE-2021-26607 | 10 | DVR | Verify | CWE-20 | |
| CVE-2021-26622 | 10 | DVR | Verify | CWE-20 | |
| CVE-2021-26624 | 10 | DVR | Verify | CWE-20 | |
| CVE-2021-32974 | 10 | DVR | Verify | CWE-20 | |
| CVE-2021-33527 | 10 | DVR | Verify | CWE-20 | |
| CVE-2021-43033 | 10 | DVR | Verify | CWE-20 | |
| CVE-2021-44734 | 10 | DVR | Verify | CWE-20 | |
| CVE-2022-24086 | 10 | DVR | Verify | CWE-20 | |
| CVE-2022-24720 | 10 | DVR | Verify | CWE-20 | |
| CVE-2022-25163 | 10 | DVR | Verify | CWE-20 | |
| CVE-2022-27228 | 10 | DVR | Verify | CWE-20 | |
| CVE-2022-29499 | 10 | DVR | Verify | CWE-20 | |
| CVE-2022-29539 | 10 | DVR | Verify | CWE-20 | |
| CVE-2022-32534 | 10 | DVR | Verify | CWE-20 | |
| CVE-2020-15181 | 10 | DVL | Validate | CWE-20 | |
| CVE-2020-24647 | 10 | DVL | Validate | CWE-20 | |
| CVE-2020-24649 | 10 | DVL | Validate | CWE-20 | |
| CVE-2020-24679 | 10 | DVL | Validate | CWE-20 | |
| CVE-2020-25765 | 10 | DVL | Validate | CWE-20 | |
| CVE-2020-25787 | 10 | DVL | Validate | CWE-20 | |
| CVE-2020-3847 | 10 | DVL | Validate | CWE-20 | |
| CVE-2020-6962 | 10 | DVL | Validate | CWE-20 | |
| CVE-2020-6963 | 10 | DVL | Validate | CWE-20 | |
| CVE-2020-8087 | 10 | DVL | Validate | CWE-20 | |
| CVE-2020-8445 | 10 | DVL | Validate | CWE-20 | |
| CVE-2021-1965 | 10 | DVL | Validate | CWE-20 | |
| CVE-2021-21985 | 10 | DVL | Validate | CWE-20 | |
| CVE-2021-25437 | 10 | DVL | Validate | CWE-20 | |
| CVE-2021-26606 | 10 | DVL | Validate | CWE-20 | |
| CVE-2021-26607 | 10 | DVL | Validate | CWE-20 | |
| CVE-2021-26622 | 10 | DVL | Validate | CWE-20 | |
| CVE-2021-26624 | 10 | DVL | Validate | CWE-20 | |
| CVE-2021-32974 | 10 | DVL | Validate | CWE-20 | |
| CVE-2021-33527 | 10 | DVL | Validate | CWE-20 | |
| CVE-2021-43033 | 10 | DVL | Validate | CWE-20 | |
| CVE-2021-44734 | 10 | DVL | Validate | CWE-20 | |
| CVE-2022-24086 | 10 | DVL | Validate | CWE-20 | |
| CVE-2022-24720 | 10 | DVL | Validate | CWE-20 | |
| CVE-2022-25163 | 10 | DVL | Validate | CWE-20 | |
| CVE-2022-27228 | 10 | DVL | Validate | CWE-20 | |
| CVE-2022-29499 | 10 | DVL | Validate | CWE-20 | |
| CVE-2022-29539 | 10 | DVL | Validate | CWE-20 | |
| CVE-2022-32534 | 10 | DVL | Validate | CWE-20 | |
| CVE-2020-3673 | 10 | DVR | Verify | CWE-129 | (Missing Code/Erroneous Code, DVR Verify, Wrong Value) |
| CVE-2021-1933 | 10 | DVR | Verify | CWE-129 | |
| CVE-2021-22333 | 10 | DVR | Verify | CWE-129 | |
| CVE-2021-21950 | 10 | DVR | Verify | CWE-1284 | (Missing Code/Erroneous Code, DVR Verify, Wrong Value/Inconsistent Value) |
| CVE-2021-21951 | 10 | DVR | Verify | CWE-1284 | |
| CVE-2021-21960 | 10 | DVR | Verify | CWE-1284 | |
| CVE-2022-20699 | 10 | DVR | Verify | CWE-1284 | |