Closed j-baines closed 1 month ago
This CVE appears to be withdrawn
@j-baines Thank you for the report. I've asked our analysts to take a look at the version specifiers on this one. I am going to merge this, but be aware that changes might be overwritten based on upstream updates.
This CVE is currently in disputed status, FWIW.
CVE-2023-25399 reportedly affects SciPy before 1.10.0. The `versions` array didn't properly express this. Using `"lessThan":"1.10.0"` (which CISA already had) with `"version":"0"`, I believe, is the preferred way to describe the affected versions. Using `"version":"1.10.0*"` is not the appropriate way to express this, and I don't think it even describes a meaningful version range. I also mentioned this form of `version*` in https://github.com/cisagov/vulnrichment/pull/19 so this might be a wider problem that needs an issue created.
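As an added illustration (not code from this PR or from the vulnrichment project), here is a small lint over CVE JSON 5.0 `versions` objects that flags the `"1.10.0*"` wildcard form and recognises the preferred `"version":"0"` + `"lessThan"` pattern; the structural rules it checks (a range needs `versionType`, `lessThan` and `lessThanOrEqual` are exclusive) reflect my reading of the CVE 5.0 schema and are assumptions here, and the sample entries are constructed.

```python
"""Lint CVE JSON 5.0 `versions` entries for the range-encoding problem discussed above."""

# Constructed samples mirroring the two forms discussed in the thread.
BAD_ENTRY = {"version": "1.10.0*", "status": "affected"}
GOOD_ENTRY = {
    "version": "0",          # lower bound: the very first version
    "lessThan": "1.10.0",    # exclusive upper bound: everything before the fixed release
    "versionType": "semver",
    "status": "affected",
}

VALID_STATUS = {"affected", "unaffected", "unknown"}


def lint_version_entry(entry: dict) -> list[str]:
    """Return human-readable problems found in one `versions` object (empty list = clean)."""
    problems = []
    version = entry.get("version")
    if not version:
        problems.append("missing required 'version'")
        return problems
    if "*" in version:
        # A wildcard glued to a version string is not a range; ranges are expressed
        # with version + lessThan / lessThanOrEqual instead.
        problems.append(
            f"'version' {version!r} contains a wildcard; use 'version': '0' with 'lessThan' instead"
        )
    has_range = "lessThan" in entry or "lessThanOrEqual" in entry
    if "lessThan" in entry and "lessThanOrEqual" in entry:
        problems.append("'lessThan' and 'lessThanOrEqual' are mutually exclusive (assumed schema rule)")
    if has_range and "versionType" not in entry:
        problems.append("range given without 'versionType' (assumed schema rule)")
    if entry.get("status") not in VALID_STATUS:
        problems.append(f"bad or missing 'status': {entry.get('status')!r}")
    return problems


def describes_all_before(entry: dict, bound: str) -> bool:
    """True if `entry` says 'every version before `bound` is affected' in the preferred form."""
    return (
        entry.get("version") == "0"
        and entry.get("lessThan") == bound
        and entry.get("status") == "affected"
    )


def lint_affected(affected: list[dict]) -> dict[str, list[str]]:
    """Lint every versions entry of an `affected` array; keys are '<product>#<index>'."""
    report = {}
    for product in affected:
        name = product.get("product", "<unnamed>")
        for i, entry in enumerate(product.get("versions", [])):
            problems = lint_version_entry(entry)
            if problems:
                report[f"{name}#{i}"] = problems
    return report
```

Running `lint_affected([{"product": "SciPy", "versions": [BAD_ENTRY]}])` reports the wildcard entry, while the `GOOD_ENTRY` form passes clean.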