Incorrect CPE data for CVE-2024-29205 #122
Comments
@tarraschk Thank you for the report! Our analysts reviewed and updated this data, and updates have pushed out everywhere.
@jwoytek-cisa Hello, I think there might be new problems introduced with latest modifications. For example, for CVE-2024-29205 https://github.com/cisagov/vulnrichment/blob/develop/2024/29xxx/CVE-2024-29205.json Vulnrichment data says here:
From my understanding, it implies that 22.3R1.2 should be both vulnerable (as per I know that the Ivanti versioning semantic is quite hard to use, so please feel free to use the CPE data provided in #122 (comment) or to tell me how I can help.
@tarraschk Hello! The JSON excerpt that you posted is actually from the CNA, not Vulnrichment. The Vulnrichment data in the ADP container was updated to more closely follow the information provided by the CNA in the record, which appears to be trying to call out single specific versions. As you mention, though, it is a little unclear how that should be interpreted, and does not seem to follow the information provided in their advisory. In this case, I would recommend contacting the CNA first to report the apparent discrepancy in the data that they provide. I will also raise this issue for some additional discussion on our end, and will leave this open for a bit.
Hello @jwoytek-cisa oh yeah you're right, my bad, sorry. However, it seems that this part of the JSON comes from Vulnrichment data: https://github.com/cisagov/vulnrichment/blob/develop/2024/29xxx/CVE-2024-29205.json#L47-L113

```json
"affected": [
  {
    "cpes": [
      "cpe:2.3:a:ivanti:connect_secure:*:*:*:*:*:*:*:*"
    ],
    "vendor": "ivanti",
    "product": "connect_secure",
    "versions": [
      {
        "status": "affected",
        "version": "9.1R18.5"
      },
      {
        "status": "affected",
        "version": "22.6R2.3"
      },
      {
        "status": "affected",
        "version": "9.1R17.4"
      },
      {
        "status": "affected",
        "version": "22.2R3"
      },
      {
        "status": "affected",
        "version": "22.5R2.4"
      },
      {
        "status": "affected",
        "version": "9.1R14.6"
      },
      {
        "status": "affected",
        "version": "9.1R15.4"
      },
      {
        "status": "affected",
        "version": "22.2R4.2"
      },
      {
        "status": "affected",
        "version": "22.4R1.2"
      },
      {
        "status": "affected",
        "version": "22.6R1.2"
      },
      {
        "status": "affected",
        "version": "22.1R6.2"
      },
      {
        "status": "affected",
        "version": "22.3R1.2"
      },
      {
        "status": "affected",
        "version": "22.4R2.4"
      },
      {
        "status": "affected",
        "version": "22.5R1.3"
      }
    ],
    "defaultStatus": "unaffected"
  },
```

If so, there is still an issue in the data, as versions 22.1R6.2, 22.2R3, 22.2R4.2, 22.3R1.2, 22.4R1.2, 22.4R2.4, 22.5R1.3, 22.5R2.4, 22.6R2.3, 9.1R14.6, 9.1R15.4, 9.1R16.4, 9.1R17.4 and 9.1R18.5 actually fix the vulnerability (source) and they are marked as
This is why I have raised this internally for some additional discussion. Our analysts were trying to more closely match the data provided by the CNA, but the meaning interpreted from that data does not seem to align with the data in their advisory. It would still be a good idea to report the potential discrepancy to the CNA. Meanwhile, we will be talking about this on our end, too. Stay tuned.
The vulnrichment policy is to only add analysis (enrichment), and not to contradict any information provided by the CNA. (This doesn't mean the CNA information is correct, and concerns with CNA information should be directed to the CNA.) Due to the design of the current CVE Record Format, in order to add CPE information, the CISA vulnrichment ADP must also provide information in the
And FYI I agree that the
Understood, I'll write to HackerOne, we will see if they actually consider updating their data :). I hope this issue still helped the vulnrichment project!
Thanks, and yes it is helpful, and we're expecting the change to the CVE Record Format to help avoid this sort of confusion (CNA vs. ADP) in the near future.
Hello,
I am opening this issue to signal errors in the JSON data for CVE-2024-29205.
Describe the bug
CPE data for CVE-2024-29205 says that versions 9.0 and less than 10.0 are affected.
This is incorrect: as per Ivanti data, the versions that fix this CVE are 9.1R14.6, 9.1R15.4, 9.1R16.4, 9.1R17.4 and 9.1R18.5 for the 9.X branches.
Expected behavior
Ivanti provides this data for CVE-2024-29205:
https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
As there are multiple branches of Ivanti Pulse Connect supported (see here for details), correct CPE data could be for example:
Screenshots
Error in actual CPE data:
Correct data according to Ivanti:
Additional context
This issue is also linked to other CVEs like these ones, which are also documented by Vulnrichment with incorrect CPE values:
Feel free to ask if you need further details, or if you would like me to prepare a Pull Request.
Maxime ALAY-EDDINE
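The two problems discussed in this thread, a CPE range such as "9.0 up to but excluding 10.0" that cannot express per-branch fixes, and a record whose "affected" list actually names the fixed versions, are easy to catch mechanically once Ivanti version strings are parsed. The script below is an added example written for this page; it is not code from the thread, from cisagov/vulnrichment, or from Ivanti. It assumes that a "branch" is major.minor.Rrelease (e.g. 9.1R18) and that a version is fixed when it is at or above the fix the vendor lists for that branch; branches with no listed fix are reported as unknown rather than guessed. The sample record is constructed to mirror the excerpt quoted above.

```python
import re
from typing import NamedTuple, Optional


class IvantiVersion(NamedTuple):
    """Comparable form of a string such as '9.1R18.5' (major.minor R release . patch)."""
    major: int
    minor: int
    release: int
    patch: int

    @property
    def branch(self) -> tuple:
        # Assumption for this example: a branch is major.minor.Rrelease.
        return (self.major, self.minor, self.release)


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> IvantiVersion:
    """Parse 'MAJOR.MINORRRELEASE[.PATCH]'; a missing patch (as in '22.2R3') counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return IvantiVersion(int(major), int(minor), int(release), int(patch or 0))


# Fixed versions as quoted in this thread from the vendor advisory.
VENDOR_FIXED = [
    "9.1R14.6", "9.1R15.4", "9.1R16.4", "9.1R17.4", "9.1R18.5",
    "22.1R6.2", "22.2R3", "22.2R4.2", "22.3R1.2", "22.4R1.2", "22.4R2.4",
    "22.5R1.3", "22.5R2.4", "22.6R1.2", "22.6R2.3",
]


def fix_by_branch(fixed=VENDOR_FIXED) -> dict:
    """Map each branch to the fixed version the vendor lists for it."""
    return {v.branch: v for v in map(parse_version, fixed)}


def is_fixed(version_text: str, fixed=VENDOR_FIXED) -> Optional[bool]:
    """True if at/above the branch fix, False if below it, None if the branch has no listed fix."""
    v = parse_version(version_text)
    fix = fix_by_branch(fixed).get(v.branch)
    if fix is None:
        return None
    return v >= fix


def naive_cpe_range_matches(version_text: str, start_including: str, end_excluding: str) -> bool:
    """Emulate a CPE match that only compares major.minor against a range like [9.0, 10.0).

    This is the behaviour the issue complains about: it flags every 9.x build,
    including the ones that carry the fix.
    """
    v = parse_version(version_text)
    start = tuple(int(x) for x in start_including.split("."))
    end = tuple(int(x) for x in end_excluding.split("."))
    return start <= (v.major, v.minor) < end


# Constructed sample: one "affected" entry shaped like the CVE record excerpt quoted in this thread.
RECORD_AFFECTED = {
    "vendor": "ivanti",
    "product": "connect_secure",
    "versions": [
        {"status": "affected", "version": ver}
        for ver in ["9.1R18.5", "22.6R2.3", "9.1R17.4", "22.2R3", "22.5R2.4",
                    "9.1R14.6", "9.1R15.4", "22.2R4.2", "22.4R1.2", "22.6R1.2",
                    "22.1R6.2", "22.3R1.2", "22.4R2.4", "22.5R1.3"]
    ],
    "defaultStatus": "unaffected",
}


def record_discrepancies(affected_block: dict, fixed=VENDOR_FIXED) -> list:
    """Versions the record marks 'affected' that the vendor lists as fixed."""
    return [
        e["version"]
        for e in affected_block["versions"]
        if e.get("status") == "affected" and is_fixed(e["version"], fixed)
    ]


if __name__ == "__main__":
    print("record marks fixed versions as affected:", record_discrepancies(RECORD_AFFECTED))
    print("9.1R18.5 fixed?", is_fixed("9.1R18.5"), "| 9.1R18.4 fixed?", is_fixed("9.1R18.4"))
    print("naive [9.0, 10.0) range flags 9.1R18.5:", naive_cpe_range_matches("9.1R18.5", "9.0", "10.0"))
```

Run against the constructed record, `record_discrepancies` reports all fourteen listed versions, which is exactly the inconsistency raised in the comment above: every entry marked "affected" is itself a fix version, and with `defaultStatus` set to `unaffected` the record says nothing about the builds below each fix. The branch-aware check is the one a vulnerability scanner needs; a flat major.minor range cannot express "fixed in 9.1R18.5 but not in 9.1R18.4".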