Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

5.1.0 accepts "version" wildcarding #337

Open
ElectricNroff opened this issue Aug 29, 2024 · 0 comments
Open

5.1.0 accepts "version" wildcarding #337

ElectricNroff opened this issue Aug 29, 2024 · 0 comments
Labels
bug Something isn't working section:affected_product Schema location is affected or product

Comments

@ElectricNroff
Copy link

ElectricNroff commented Aug 29, 2024

Some data providers use * wildcarding within this field:

"version": {
"description": "The single version being described, or the version at the start of the range. By convention, typically 0 denotes the earliest possible version.",
"$ref": "#/definitions/version"

About 100 to 200 CVE Records are affected, beyond those affected by the #323 issue. It's possible that not all strings defined by:
"version": {
"description": "A single version of a product, as expressed in its own version numbering scheme.",
"type": "string",
"minLength": 1,
"maxLength": 1024
},

should be accepted, and that there should instead be a pattern that excludes * in some contexts.

This apparently occurs most often for the PHP CNA, e.g.,

CVE-2024-5585
...
            {
              "lessThan": "8.1.29",
              "status": "affected",
              "version": "8.1.*",
              "versionType": "semver"
            },
CVE-2023-3247
...
            {
              "lessThan": "8.0.29",
              "status": "affected",
              "version": "8.0.*",
              "versionType": "semver"
            },

but can occur for others:

GitHub_M
CVE-2020-26269
...
            {
              "status": "affected",
              "version": ".4.0rc*"
            }

(typo of 2.4.0rc*)

icscert
CVE-2023-1934
...
            {
              "status": "affected",
              "version": "2.*"
            }
schneider
CVE-2022-0222
...
            {
              "version": "BMXP34*",
              "status": "affected",
              "lessThan": "V3.40",
              "versionType": "custom"
            }

There are some instances that were carried over from JSON 4 data, e.g.,

palo_alto
CVE-2022-0027
...
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "Cortex XSOAR",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "affected",
              "version": "6.1.*"
            },
...
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "[email protected]",
          "DATE_PUBLIC": "2022-05-11T16:00:00.000Z",
          "ID": "CVE-2022-0027",
...
                          {
                            "version_affected": "=",
                            "version_name": "6.1",
                            "version_value": "6.1.*"
                          },

(Also, there are many instances where "version" includes * only because of the ...[truncated*] that was added by the JSON 4 to 5 upconversion, e.g., https://github.com/CVEProject/cvelistV5/blob/63f427c6747499216ccd89d92d1cd7306ab65994/cves/2020/11xxx/CVE-2020-11309.json#L11 and more than 200 others from Qualcomm.)

Finally, it may be legitimate to have a * in "version" if versionType cpe comes into active use, e.g.,

cisa-cg
CVE-2023-45197
...
            {
              "lessThan": "cpe:2.3:a:adminerevo:adminerevo:4.8.3:*:*:*:*:*:*:*",
              "status": "affected",
              "version": "cpe:2.3:a:adminerevo:adminerevo:0:*:*:*:*:*:*:*",
              "versionType": "cpe"
            }
@jayjacobs jayjacobs added bug Something isn't working section:affected_product Schema location is affected or product labels Oct 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working section:affected_product Schema location is affected or product
Projects
None yet
Development

No branches or pull requests

2 participants