Did I miss that CVEs are allocated for supply chain compromises nowadays?

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Thu, 28 May 2026 09:11:54 GMT

thepwnicorn@infosec.exchange — Thu, 28 May 2026 09:11:54 GMT

@GossiTheDog @campuscodi you're not wrong, but it seems CVEs are the go to mechanism for any security issue of software dependencies.

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Thu, 28 May 2026 08:43:24 GMT

gossithedog@cyberplace.social — Thu, 28 May 2026 08:43:24 GMT

@campuscodi it's pretty odd. They're not vulnerabilities... if you were affected, it'd be an incident - not an upgrade. CISA need to build a better system and process.

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 22:08:43 GMT

campuscodi@mastodon.social — Wed, 27 May 2026 22:08:43 GMT

@GossiTheDog It's because of this, prolly. They've been added to the KEV so CISA can force agencies to clean out artifacts/compromised systems

https://mastodon.social/@campuscodi/116648324167478081

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 21:04:10 GMT

bontchev@infosec.exchange — Wed, 27 May 2026 21:04:10 GMT

@GossiTheDog Weelll... If a particular version of a product has been Trojanized due to a supply-chain attack, it could be argued that this version contains a vulnerability now, no? And vulnerabilities are assigned CVEs.

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 20:07:52 GMT

res260@infosec.exchange — Wed, 27 May 2026 20:07:52 GMT

@GossiTheDog Yeah its weird but it started last year from what I can tell.

Guess malware is a vulnerability now

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 20:06:07 GMT

thepwnicorn@infosec.exchange — Wed, 27 May 2026 20:06:07 GMT

@GossiTheDog the XZ backdoor for instance also got a CVE (CVE-2024-3094).

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 19:44:12 GMT

thepwnicorn@infosec.exchange — Wed, 27 May 2026 19:44:12 GMT

@GossiTheDog they could of course also contribute to OSSF's malicious package DB instead. If it is a package like tanstack.

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 19:42:17 GMT

thepwnicorn@infosec.exchange — Wed, 27 May 2026 19:42:17 GMT

@GossiTheDog makes sense though if the package/software version is compromised? Whether the vulnerability stems from a bug or deliberately placed malware or backdoor, they are all vulnerabilities of some sort.

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 19:28:46 GMT

merospit@infosec.exchange — Wed, 27 May 2026 19:28:46 GMT

@GossiTheDog Makes sense to me.

CVE are regularly used to actually block deployment pipelines, which is a useful function for mitigating supply chain vulnerabilities.

More generally, I wouldn't want to be forced to distinguish between active and passive threats and then not be able to label the active threats in a standard way.

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 18:55:23 GMT

wdormann@infosec.exchange — Wed, 27 May 2026 18:55:23 GMT

@GossiTheDog
A CNA that is of organization type "Researcher" can issue CVEs for anything not explicitly in another CNA's scope.
Kaspersky is one such CNA.

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 18:40:02 GMT

vathpela@infosec.exchange — Wed, 27 May 2026 18:40:02 GMT

@GossiTheDog yeah, and a whole bunch of Open Source projects have had to become CNAs to keep others from issuing bullshit CVEs. Hence https://daniel.haxx.se/blog/2024/01/16/curl-is-a-cna/ and http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/ . Between that and NVD issuing CVSS scores that don't match what SMEs evaluate the same bugs as, and for that matter CVSS just being kind of bad in several ways, the whole scheme is starting to reek.

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 18:21:08 GMT

pauliehedron@infosec.exchange — Wed, 27 May 2026 18:21:08 GMT

@GossiTheDog They found a way to justify AI costs?

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 18:18:57 GMT

caspicat@infosec.exchange — Wed, 27 May 2026 18:18:57 GMT

@GossiTheDog Yes, since 2017ish, for example

NVD - CVE-2021-4229

(nvd.nist.gov)

NVD - CVE-2017-16054

(nvd.nist.gov)

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 18:15:37 GMT

futuristicrobert@infosec.exchange — Wed, 27 May 2026 18:15:37 GMT

@GossiTheDog oh yes, I cannot wait for this to pollute my vulnerability tracking and discovery. Oh yes this is what we all need. Hurt us more CISA daddy!!!

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 18:11:14 GMT

gossithedog@cyberplace.social — Wed, 27 May 2026 18:11:14 GMT

RE: https://mastodon.social/@cisakevtracker/116647845255291135

It's not isolated, e.g.

There's a whole bunch of these now, it looks like companies are just yolo'ing out CVEs for other companies products.

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 18:06:37 GMT

christopherkunz@chaos.social — Wed, 27 May 2026 18:06:37 GMT

@GossiTheDog And a 9.8, no less. Because why not just roll a dice on the CVSS score!

Reply to Did I miss that CVEs are allocated for supply chain compromises nowadays? on Wed, 27 May 2026 18:05:35 GMT

nyanbinary@infosec.exchange — Wed, 27 May 2026 18:05:35 GMT

@GossiTheDog wtf, someone needs to have a word with Kaspersky...