Hello,
I have a question about version_value "-" , how should it be interpreted ?
for example in a CVE in the json official Database from NIST I found this section :
"vendor_name" : "name",
"product" : {
"product_data" : [ {
"product_name" : "name",
"version" : {
"version_data" : [ {
"version_value" : "-",
"version_affected" : "="
}, {
"version_value" : "0.1",
"version_affected" : "="
}, {
"version_value" : "0.2",
"version_affected" : "="
}, {
"version_value" : "0.3",
"version_affected" : "="
}, {
"version_value" : "0.4",
"version_affected" : "="
}, {
"version_value" : "0.5",
"version_affected" : "="
}
does the '-' mean that also versions < 0.1 are affected ? if it does, why doesn't the CVE use the <= in "version_affected " field instead ?
Or does the "-" mean "if you don't have a version number in your installed packages than your installed package is affected" ?
or just simply "we don't know" ?
Hello, I have a question about version_value "-" , how should it be interpreted ? for example in a CVE in the json official Database from NIST I found this section : "vendor_name" : "name", "product" : { "product_data" : [ { "product_name" : "name", "version" : { "version_data" : [ { "version_value" : "-", "version_affected" : "=" }, { "version_value" : "0.1", "version_affected" : "=" }, { "version_value" : "0.2", "version_affected" : "=" }, { "version_value" : "0.3", "version_affected" : "=" }, { "version_value" : "0.4", "version_affected" : "=" }, { "version_value" : "0.5", "version_affected" : "=" } does the '-' mean that also versions < 0.1 are affected ? if it does, why doesn't the CVE use the <= in "version_affected " field instead ? Or does the "-" mean "if you don't have a version number in your installed packages than your installed package is affected" ? or just simply "we don't know" ?
thank you