cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

Incorrect CPE assignments, e.g. CVE-2024-21489 #121

Closed serkanozkanssc closed 1 month ago

serkanozkanssc commented 1 month ago

I noticed various errors in CPEs assigned by CISA ADP on October 1st.

For example for CVE-2024-21489 description reads

Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function...

and the CPE is as follows:

      "vendor": "prototype_pollution",
      "product": "uplot",
      "cpes": [
          "cpe:2.3:a:prototype_pollution:uplot:*:*:*:*:*:*:*:*"
      ],

Looks like they are auto-generated but it does not seem to be working as expected.
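The record quoted above is a good test case for a data-quality lint on ADP "affected" entries: the vendor field has been filled with the weakness class ("prototype_pollution") instead of a vendor, and the same value is carried into the CPE 2.3 string. The check below is an added example written for this page, not code from the vulnrichment repository or from CISA. It parses CPE 2.3 formatted strings, flags vendor components that are really weakness names, and confirms the product name actually occurs in the CVE description. The `WEAKNESS_TERMS` list and the second, well-formed entry with the vendor `example_vendor` are constructed for the example; the correct vendor for uplot is not stated in the thread and the check does not guess it.

```python
import re

# A CPE 2.3 formatted string is "cpe:2.3:" followed by exactly 11 components
# (part, vendor, product, version, update, edition, language, sw_edition,
# target_sw, target_hw, other).  A literal colon inside a value is escaped as
# "\:", so split on unescaped colons only.
_UNESCAPED_COLON = re.compile(r'(?<!\\):')
_COMPONENT_NAMES = ["part", "vendor", "product", "version", "update", "edition",
                    "language", "sw_edition", "target_sw", "target_hw", "other"]

# Constructed list of weakness-class words that sometimes leak into the vendor
# field of auto-generated entries; extend as needed.
WEAKNESS_TERMS = {
    "prototype_pollution", "sql_injection", "xss", "cross_site_scripting",
    "csrf", "command_injection", "path_traversal", "buffer_overflow",
    "deserialization", "ssrf", "xxe", "open_redirect", "denial_of_service",
}

# The entry and description quoted in the issue for CVE-2024-21489.
SAMPLE_DESCRIPTION = ("Versions of the package uplot before 1.6.31 are vulnerable "
                      "to Prototype Pollution via the uplot.assign function...")
SAMPLE_ENTRY = {
    "vendor": "prototype_pollution",
    "product": "uplot",
    "cpes": ["cpe:2.3:a:prototype_pollution:uplot:*:*:*:*:*:*:*:*"],
}


def parse_cpe23(cpe):
    """Split a CPE 2.3 string into named components; raise ValueError on bad shape."""
    fields = _UNESCAPED_COLON.split(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a well-formed CPE 2.3 string: {cpe!r}")
    return dict(zip(_COMPONENT_NAMES, fields[2:]))


def is_well_formed(cpe):
    """True when the string has the CPE 2.3 shape and a valid part (a, o or h)."""
    try:
        return parse_cpe23(cpe)["part"] in {"a", "o", "h"}
    except ValueError:
        return False


def check_affected_entry(entry, description):
    """Return a list of human-readable findings for one 'affected' entry."""
    findings = []
    vendor = entry.get("vendor", "")
    product = entry.get("product", "")
    if vendor.lower() in WEAKNESS_TERMS:
        findings.append(f"vendor {vendor!r} is a weakness class, not a vendor")
    if product and product.lower() not in description.lower():
        findings.append(f"product {product!r} does not appear in the description")
    for cpe in entry.get("cpes", []):
        if not is_well_formed(cpe):
            findings.append(f"{cpe}: malformed CPE 2.3 string")
            continue
        parts = parse_cpe23(cpe)
        if parts["vendor"] != vendor or parts["product"] != product:
            findings.append(f"{cpe}: vendor/product do not match the entry fields")
        if parts["vendor"].lower() in WEAKNESS_TERMS:
            findings.append(f"{cpe}: vendor component is a weakness class")
    return findings


if __name__ == "__main__":
    for finding in check_affected_entry(SAMPLE_ENTRY, SAMPLE_DESCRIPTION):
        print("FINDING:", finding)
```

Run against the quoted entry, the lint reports two findings (the weakness-class vendor in the entry and again in the CPE string); an entry whose vendor is a real name and whose product matches the description passes cleanly. A production version would replace the description substring check with a lookup against the CPE dictionary, but the substring test alone would have caught the class of error reported here.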

jwoytek-cisa commented 1 month ago

@serkanozkanssc Thanks for the catch. I've notified our analysts for a review.

jwoytek-cisa commented 1 month ago

@serkanozkanssc Our analysts reviewed and updated this entry. Thank you!

[edit: mentioned an unrelated issue]

jwoytek-cisa commented 1 month ago

Ugh today is not my day with issue updates, apparently. @serkanozkanssc this is still under review. My apologies. I will update when it is actually fixed.

serkanozkanssc commented 1 month ago

No worries. Just reporting issues to help you improve the process. Thank you.

jwoytek-cisa commented 1 month ago

OK, now this one is really fixed! Updates should be pushing out to all sources within the next hour.