There has been a number of bogus security reports filed against popular open-source software projects. These reports have claimed to find critical vulnerabilities in software like cURL and PostgreSQL, but upon closer inspection, they have all turned out to be false.
The reports appear to have been filed by automated tools that scan commit messages for keywords like “buffer overflow” and “denial of service.” These tools then automatically generate CVEs (Common Vulnerabilities and Exposures) without actually verifying whether the vulnerabilities exist.
It was alleged that PostgreSQL 12.2 was susceptible to a denial of service attack through repeated SIGHUP signals. It was tagged
CVE-2020-21469, with a CVSS score of 9.8. However, a closer examination revealed that ordinary users lack the ability to send SIGHUP signals or terminate PostgreSQL processes. This “flaw” could be leveraged by a superuser or a user with specific privileges, making it a non-issue for the vast majority.
The result is a flood of junk CVEs that are wasting the time of security teams and open-source maintainers. In some cases, these reports have even caused unnecessary panic and confusion.
The sources for this piece include an article in OpenSourceWatch.