Will Dormann on Nostr:
Are there workflows that rely on accurate version_affected entries in CVEs?
Let's look at CVE-2024-21887 as an example.
Vendor: Here are THIRTEEN fixed product versions.
CVE: Here are TWO versions that are affected, which also happen to not be mentioned in the advisory.
🤔
Published at 2024-02-18 17:42:16
Event JSON
{
"id": "9e272e312b17ef4bfb4378b3ecf0beda5120c66d088e6c9935a2257d8444126d",
"pubkey": "9c7b9756690880e06dd0ac4246c1d27e99c2f9d8beb819e2e3156dc3e2d8d3e6",
"created_at": 1708278136,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/users/wdormann/statuses/111953715983585197",
"activitypub"
]
],
"content": "Are there workflows that rely on accurate version_affected entries in CVEs?\nLet's look at CVE-2024-21887 as an example.\nVendor: Here are THIRTEEN fixed product versions.\nCVE: Here are TWO versions that are affected, which also happen to not be mentioned in the advisory.\n🤔\n\nhttps://media.infosec.exchange/infosec.exchange/media_attachments/files/111/953/713/229/455/910/original/d1266dba3d8fd9c9.png\n\nhttps://media.infosec.exchange/infosec.exchange/media_attachments/files/111/953/713/234/614/716/original/383018b69e60bbf7.png",
"sig": "7c8444698f57841a0cb460facd4b50b5bc8b84a9c8c15e832b269673886810fdb575e70c34a859085d97b75b0b1a08eea31e110a7fc62ca19404e679e4bc4935"
}