
Instead of asterisk(*), version number found in cpes field for CVE-2024-34750 #95

Closed
RamvigneshPasupathy opened this issue Aug 12, 2024 · 5 comments
Assignees
Labels
cpe Issues around CPE strings question This issue is a request for information or needs discussion

Comments

@RamvigneshPasupathy

🐛 Summary

Thanks for the swift response, team, on #94. Raising this one as a follow-up issue from #94.

Clarify the following plz -

I can see cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* values in the "cpes" field changed to cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:* like values in this fix commit - e938a17#diff-2096d6367b2e2d315cc26b29d81287e5b29e07c0221f7b9938d51a96a26d4145

I have not seen NVD CVEs with a version in the CPEs when the affected config holds a range of versions. Similarly, should we stick here to cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* for the "cpes" field values, as all three affected cases have version ranges? 🤔

@CSMurray-CISA CSMurray-CISA added the cpe Issues around CPE strings label Aug 12, 2024
@jwoytek-cisa
Collaborator

@RamvigneshPasupathy Thank you for the questions. I don't have an answer for you right now, but we will discuss this to see how we want to handle entries like these.

@jwoytek-cisa
Collaborator

Looping in @amanion-cisa and @todb-cisa.

@amanion-cisa
Collaborator

amanion-cisa commented Aug 13, 2024

CPE usage is perhaps unclear at best, particularly within the current CVE Record Format (see this issue). One approach, as noted by @RamvigneshPasupathy, is to only use vendor:product in cpes and then express version ranges or other details in the affected element. Another is to use vendor:product:version:and:possibly:more when that information is known, for instance a single version, or the start or end of a range.

@todb-cisa todb-cisa added the question This issue is a request for information or needs discussion label Aug 13, 2024
@amanion-cisa
Collaborator

amanion-cisa commented Aug 27, 2024

Overall "use of CPE in CVE" issues aside, the current CPE procedure is:

  1. Only use vendor:product in the cpes list (except see #3 below)
  2. Express version ranges in the affected[].versions object
  3. If there is no range, and only a single vendor:product:version is affected, then list the version in the cpes list
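
The three-rule procedure above can be checked mechanically against a CVE JSON 5 record. The following is an added example written for this issue, not code from the vulnrichment project: it parses each CPE 2.3 formatted string in an affected[] element (assuming the 13-component, colon-separated form without escaped colons), decides whether affected[].versions expresses a range (lessThan / lessThanOrEqual) or a single version, and reports entries that contradict rules 1 through 3. The sample records are constructed for illustration and are not real CVE data; the apache:tomcat strings are the ones quoted earlier in this thread.

```python
import json

# CPE 2.3 formatted-string components after the "cpe:2.3" prefix (assumption:
# plain colon-separated form, no escaped ":" inside a component).
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into a dict of its named components."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def has_version_range(versions):
    """True when any affected[].versions entry expresses a range (rule 2)."""
    return any("lessThan" in v or "lessThanOrEqual" in v for v in versions)


def check_affected(entry):
    """Return findings (strings) for one affected[] element; empty list means consistent."""
    findings = []
    versions = entry.get("versions", [])
    cpes = entry.get("cpes", [])
    ranged = has_version_range(versions)
    single = (not ranged) and len(versions) == 1 and "version" in versions[0]
    for cpe in cpes:
        c = parse_cpe23(cpe)
        if ranged and c["version"] != "*":
            # Rule 1/2: ranges belong in versions[], so the CPE should stay vendor:product
            findings.append(f"{cpe}: version pinned in CPE although versions[] holds a range")
        elif single and c["version"] == "*":
            # Rule 3: exactly one version affected, so the CPE should carry it
            findings.append(f"{cpe}: single affected version {versions[0]['version']} "
                            "not reflected in CPE")
    return findings


def check_record(record):
    """Walk the CNA and any ADP containers of a CVE JSON 5 record and collect findings."""
    findings = []
    containers = record.get("containers", {})
    sources = [containers.get("cna", {})] + containers.get("adp", [])
    for container in sources:
        for entry in container.get("affected", []):
            findings.extend(check_affected(entry))
    return findings


# Constructed sample record (not a real CVE): one ranged entry with a pinned CPE,
# one single-version entry with a wildcard CPE, one single-version entry that is consistent.
SAMPLE_RECORD = json.loads("""
{
  "cveMetadata": {"cveId": "CVE-0000-00000"},
  "containers": {
    "cna": {
      "affected": [
        {"vendor": "apache", "product": "tomcat",
         "cpes": ["cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*"],
         "versions": [{"version": "9.0.0-M1", "status": "affected",
                       "lessThanOrEqual": "9.0.89", "versionType": "semver"}]}
      ]
    },
    "adp": [
      {"affected": [
        {"vendor": "example", "product": "widget",
         "cpes": ["cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*"],
         "versions": [{"version": "1.2.3", "status": "affected"}]},
        {"vendor": "example", "product": "gadget",
         "cpes": ["cpe:2.3:a:example:gadget:4.5.6:*:*:*:*:*:*:*"],
         "versions": [{"version": "4.5.6", "status": "affected"}]}
      ]}
    ]
  }
}
""")

if __name__ == "__main__":
    for line in check_record(SAMPLE_RECORD):
        print(line)
```

The checker deliberately stays silent on the case the thread leaves open, an affected[] element with many discrete versions and no range (the CVE-2024-20311 situation discussed below), since the procedure as written only prescribes a CPE version for the single-version case.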

@RamvigneshPasupathy
Author

Thanks for the update @amanion-cisa

And will there be a data migration done on the CVE JSON files to comply with the above CPE procedure?

For example, for CVE-2024-20311 there are two cpes lists, one with 390 cpes and another with 318 cpes, and there are also corresponding affected[].versions values; as there are no range values associated with this case, shall we consider removing the affected[].versions field itself from the CVE JSON in this case?

5 participants