Incorrect CPE assignments, e.g. CVE-2024-21489 #121

Closed
serkanozkanssc opened this issue Oct 2, 2024 · 5 comments
@serkanozkanssc

I noticed various errors in CPEs assigned by CISA ADP on October 1st.

For example, for CVE-2024-21489 the description reads:

Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function...

and the CPE is as follows:

      "vendor": "prototype_pollution",
      "product": "uplot",
      "cpes": [
          "cpe:2.3:a:prototype_pollution:uplot:*:*:*:*:*:*:*:*"
      ],

Looks like they are auto-generated but it does not seem to be working as expected.

serkanozkanssc added the bug label Oct 2, 2024
CSMurray-CISA added the cpe label Oct 4, 2024
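
An added example, not part of the original issue and not CISA's tooling: a consistency check over the `vendor`/`product`/`cpes` fields quoted in the report above, which flags a CPE whose vendor component is really a weakness class. The `WEAKNESS_TERMS` list, the function names and the `example_vendor` entry are assumptions made for illustration.

```python
import re

# Constructed, non-exhaustive list of weakness-class names that should never
# appear as a CPE vendor (assumption; extend it from the CWE names in your feed).
WEAKNESS_TERMS = {"prototype_pollution", "sql_injection", "cross_site_scripting",
                  "path_traversal", "command_injection", "buffer_overflow"}

def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string on unescaped colons into 13 components."""
    parts = re.findall(r"(?:\\.|[^:\\])+", cpe)  # '\:' stays inside a component
    if (":".join(parts) != cpe or len(parts) != 13
            or parts[:2] != ["cpe", "2.3"] or parts[2] not in ("a", "o", "h")):
        raise ValueError(f"not a well-formed CPE 2.3 string: {cpe!r}")
    return parts

def normalize(text):
    """Lower-case and collapse runs of non-alphanumerics to '_' for comparison."""
    return re.sub(r"[^a-z0-9]+", "_", text.lower()).strip("_")

def check_affected(entry):
    """Return a list of findings for one entry with vendor/product/cpes keys."""
    findings = []
    for cpe in entry.get("cpes", []):
        try:
            parts = split_cpe23(cpe)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        vendor, product = parts[3], parts[4]
        if normalize(vendor) != normalize(entry.get("vendor", "")):
            findings.append(f"CPE vendor {vendor!r} differs from vendor field")
        if normalize(product) != normalize(entry.get("product", "")):
            findings.append(f"CPE product {product!r} differs from product field")
        if normalize(vendor) in WEAKNESS_TERMS:
            findings.append(f"vendor {vendor!r} is a weakness class, not a vendor")
    return findings

# The entry quoted in the issue.
REPORTED = {"vendor": "prototype_pollution", "product": "uplot",
            "cpes": ["cpe:2.3:a:prototype_pollution:uplot:*:*:*:*:*:*:*:*"]}
# Constructed entry with a placeholder vendor; not the value CISA published.
PLACEHOLDER = {"vendor": "example_vendor", "product": "uplot",
               "cpes": ["cpe:2.3:a:example_vendor:uplot:*:*:*:*:*:*:*:*"]}

if __name__ == "__main__":
    for name, entry in (("reported", REPORTED), ("placeholder", PLACEHOLDER)):
        print(name, check_affected(entry) or "no findings")
```

The vendor and product fields agree with the CPE in the reported entry, so a field-consistency check alone passes it; only the weakness-term check catches the auto-generated value.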
@jwoytek-cisa
Collaborator

@serkanozkanssc Thanks for the catch. I've notified our analysts for a review.

@jwoytek-cisa
Collaborator

jwoytek-cisa commented Oct 4, 2024

@serkanozkanssc Our analysts reviewed and updated this entry. Thank you!

[edit: mentioned an unrelated issue]

@jwoytek-cisa
Collaborator

Ugh today is not my day with issue updates, apparently. @serkanozkanssc this is still under review. My apologies. I will update when it is actually fixed.

jwoytek-cisa reopened this Oct 4, 2024
@serkanozkanssc
Author

No worries. Just reporting issues to help you improve the process. Thank you.

@jwoytek-cisa
Collaborator

jwoytek-cisa commented Oct 7, 2024

OK, now this one is really fixed! Updates should be pushing out to all sources within the next hour.
