cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

CVE-2023-25399 Incorrect Version Entry #20

Closed j-baines closed 1 month ago

j-baines commented 1 month ago

CVE-2023-25399 reportedly affects SciPy before 1.10.0. The versions array didn't properly express this. Using "lessThan":"1.10.0" (which CISA already had) with "version":"0", I believe, is the preferred way to describe the affected versions.

Using "version":"1.10.0*" is not the appropriate way to express this, and I don't think it even describes a meaningful version range. I also mentioned this form of version* in https://github.com/cisagov/vulnrichment/pull/19 so this might be a wider problem that needs an issue created.
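
The point about the two forms above can be made concrete by interpreting a CVE JSON 5 `versions` entry as a predicate. The following is an added example for this thread, not code from cisagov/vulnrichment or from the commenter. It assumes the CVE Record Format 5.x semantics for a `versions` object (`version` is a single version or the start of a range, `lessThan` / `lessThanOrEqual` give the upper bound, and a literal `"*"` in the upper bound means every later version), and it only handles plain dotted numeric versions as used with `versionType` `semver`. The entries `GOOD_ENTRY` and `BAD_ENTRY` are constructed to mirror the two forms discussed; a `version` of `"1.10.0*"` is rejected because the wildcard is not a comparable version.

```python
"""Interpret a CVE JSON 5 `affected[].versions[]` entry as an affected-range predicate.

Added example, not code from cisagov/vulnrichment. Assumes CVE Record Format 5.x
semantics: `version` is a single version or the start of a range, `lessThan` or
`lessThanOrEqual` is the upper bound, and "*" as an upper bound means all later
versions. Only dotted numeric versions (versionType "semver") are handled.
"""
from __future__ import annotations

import re

_NUMERIC = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0). Rejects wildcards such as '1.10.0*'."""
    text = text.strip()
    if not _NUMERIC.match(text):
        raise ValueError(f"not a comparable version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _cmp(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Three-way compare, padding with zeros so that 1.10 == 1.10.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(entry: dict, candidate: str) -> bool:
    """Return True if `candidate` lies in the range `entry` describes with status 'affected'."""
    if entry.get("status") != "affected":
        return False
    if "lessThan" in entry and "lessThanOrEqual" in entry:
        raise ValueError("entry has both lessThan and lessThanOrEqual")
    start = parse_version(entry["version"])  # raises on '1.10.0*'
    cand = parse_version(candidate)
    if _cmp(cand, start) < 0:
        return False
    if "lessThan" in entry:
        bound = entry["lessThan"]
        return bound == "*" or _cmp(cand, parse_version(bound)) < 0
    if "lessThanOrEqual" in entry:
        bound = entry["lessThanOrEqual"]
        return bound == "*" or _cmp(cand, parse_version(bound)) <= 0
    # No upper bound present: the entry names exactly one version.
    return _cmp(cand, start) == 0


def describe(entry: dict) -> str:
    """Human-readable rendering of an entry, e.g. '>= 0, < 1.10.0'."""
    parse_version(entry["version"])  # validate the start/single version first
    if "lessThan" in entry:
        return f">= {entry['version']}, < {entry['lessThan']}"
    if "lessThanOrEqual" in entry:
        return f">= {entry['version']}, <= {entry['lessThanOrEqual']}"
    return f"== {entry['version']}"


# Constructed entries mirroring the two forms discussed in the issue.
GOOD_ENTRY = {"version": "0", "lessThan": "1.10.0", "status": "affected", "versionType": "semver"}
BAD_ENTRY = {"version": "1.10.0*", "status": "affected", "versionType": "semver"}

if __name__ == "__main__":
    print(describe(GOOD_ENTRY))
    for v in ("0.19.1", "1.9.3", "1.10.0", "1.11.0"):
        print(v, is_affected(GOOD_ENTRY, v))
    try:
        describe(BAD_ENTRY)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block shows `GOOD_ENTRY` covering every release up to but excluding 1.10.0, while `BAD_ENTRY` is rejected outright rather than silently matching nothing, which is the failure mode a consumer of the record would otherwise hit.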

prabhu commented 1 month ago

This CVE appears to be withdrawn.

https://github.com/advisories/GHSA-9jx5-6pgf-crrp

jwoytek-cisa commented 1 month ago

@j-baines Thank you for the report. I've asked our analysts to take a look at the version specifiers on this one. I am going to merge this, but be aware that changes might be overwritten based on upstream updates.

This CVE is currently in disputed status, FWIW.