If you do any type of work in security, you will have heard the term 0-day or CVE. A CVE is simply “...a list of publicly disclosed computer security flaws.” This means a CVE can be any security flaw in any piece of software. How hard can it be to find a vulnerability in ONE of the millions and millions of free and open source software projects?

The challenge for me was finding the right project to test on. I read some articles, watched some videos, and eventually came across a great tutorial from Joe Helle. His methodology led me to finding OpenMRS.

[Image: medical records foss]

This methodology worked, but there were some problems. I’d find a project, spin it up on my VM, fail, download the required dependencies, and then finally get the project running just to find out that the app is bullet-proof… But this can all be avoided with GitHub filters.

Use this as a template:

language:PHP Management System in:readme,description pushed:>2024-01-01 "docker-compose.yml" OR "Dockerfile" demo

Let's break it down:

  • language:PHP
  • Management System in:readme,description
  • pushed:>2024-01-01
  • "docker-compose.yml" OR "Dockerfile"
  • demo

With the query above, we're specifying the language and management system. Management systems have a lot of logic that can be misconfigured (tenants, users, creating, reading, updating, deleting, etc). Lastly, we're specifying that the repo must be somewhat active (contributed to since 2024), have a Dockerfile, and a demo website.
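The template above, as an added example that is not part of the original post: a small Python helper that assembles the same query from its parts, so the language, date or keywords can be varied, and URL-encodes it for GitHub's web search and REST repository-search endpoint. The function and parameter names are assumptions made for this illustration.

```python
from datetime import date
from urllib.parse import urlencode

IN_FIELDS = {"name", "description", "readme", "topics"}  # valid in: values


def build_repo_query(language, keywords, search_in, pushed_after, any_of, extra=()):
    """Assemble the repository-search string from the template's five parts."""
    if not language or " " in language:
        raise ValueError("language must be a single token such as PHP")
    unknown = set(search_in) - IN_FIELDS
    if unknown:
        raise ValueError(f"unsupported in: field(s): {sorted(unknown)}")
    # fromisoformat rejects malformed dates (e.g. 2024-13-01) early.
    pushed = date.fromisoformat(pushed_after).isoformat()
    parts = [
        f"language:{language}",
        keywords,
        "in:" + ",".join(search_in),
        f"pushed:>{pushed}",
        # Quoted terms are matched as text in the fields named by in:, so
        # this finds repos whose README or description mentions the files.
        " OR ".join(f'"{term}"' for term in any_of),
        *extra,
    ]
    return " ".join(p for p in parts if p)


def search_urls(query, per_page=30):
    """Return (web URL, REST API URL) for a repository search."""
    if not 1 <= per_page <= 100:  # the REST API caps per_page at 100
        raise ValueError("per_page must be between 1 and 100")
    web = "https://github.com/search?" + urlencode({"q": query, "type": "repositories"})
    api = "https://api.github.com/search/repositories?" + urlencode(
        {"q": query, "sort": "updated", "per_page": per_page})
    return web, api


if __name__ == "__main__":
    # Same template, varied by language (values constructed for illustration).
    for lang in ("PHP", "Python", "Java"):
        q = build_repo_query(lang, "Management System", ["readme", "description"],
                             "2024-01-01", ["docker-compose.yml", "Dockerfile"], ["demo"])
        print(q)
        print(*search_urls(q), sep="\n")
```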

One of my future projects is to find a CVE for every vulnerability class, and I’ll be using a variation of the GitHub filter above. More to come on that later….

CVE Submission

Say you find a bug and want to submit a CVE. The process can be confusing if you’ve never done it before. I’ll break it down:

  1. Notify the vendor.
  2. After confirmation of the vuln(s), submit them to MITRE.
  3. Wait for MITRE to give you a CVE ID.
  4. Receive CVE ID from MITRE.
  5. Publicly disclose your vulnerability (you can see my public disclosure here).
  6. Notify MITRE of your public disclosure.
  7. Wait for response back from MITRE telling you your CVE is now public.

For more information, read these links:

  • https://cve.mitre.org/docs/docs-2016/CVE_Request_Web_Form_Tip_Sheet.pdf
  • https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf

I followed the processes above and got the following 4 CVEs accepted:

Timeline:

  • 1/22/25 - Submitted 4 CVEs to MITRE
  • 2/26/25 - MITRE assigned me 4 CVE IDs
  • 2/26/25 - Publicly disclosed 4 CVEs on GitHub and notified MITRE
  • 3/11/25 - MITRE published my CVEs