cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

CVE-2023-28330 Incorrect Product and Versions #21

Closed j-baines closed 4 months ago

j-baines commented 4 months ago

CVE-2023-28330 is another vulnerability that the CISA ADP attributes to Linux/Linux Kernel, when it should in fact be Moodle. Additionally, the versions arrays are wrong. The CNA provided, as far as I can tell, a perfect versions array that describes all four vulnerable ranges. This got mistranslated in the CISA ADP, and somehow lost the lessThan portion... which was particularly bad on the last one since that just had "version":"0".

I also think this is a good example of https://github.com/cisagov/vulnrichment/issues/4 - the CNA actually provided a very good and concise versions array, the CISA ADP (while still a usable format) creates a much bigger set of arrays.
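A check for the failure mode described in this issue, added here as an example and not code from the vulnrichment project: it reads a CVE JSON 5 record, compares each ADP container's `affected` entries against the CNA's, and flags entries whose `lessThan`/`lessThanOrEqual` bound was dropped, plus a bare `"version":"0"` with no bound, which matches every version. The record below is constructed sample data with made-up version numbers, not the real CVE-2023-28330 content.

```python
import json

# Constructed sample record (made-up versions): the CNA gives bounded ranges,
# the ADP copy has lost the upper bounds, and one entry collapsed to "0".
SAMPLE_RECORD = json.loads("""
{"containers": {
  "cna": {"affected": [{"vendor": "moodle", "product": "Moodle", "versions": [
    {"version": "4.1.0", "status": "affected", "lessThan": "4.1.2", "versionType": "semver"},
    {"version": "3.9.0", "status": "affected", "lessThan": "3.9.20", "versionType": "semver"}
  ]}]},
  "adp": [{"affected": [{"vendor": "moodle", "product": "Moodle", "versions": [
    {"version": "4.1.0", "status": "affected", "versionType": "semver"},
    {"version": "0", "status": "affected", "versionType": "semver"},
    {"version": "5.0.0", "status": "unaffected", "versionType": "semver"}
  ]}]}]
}}
""")


def version_entries(container):
    """Yield (product, version_entry) for every entry in a CNA or ADP container."""
    for aff in container.get("affected", []):
        for entry in aff.get("versions", []):
            yield aff.get("product", "?"), entry


def upper_bound(entry):
    """The range's upper bound, or None for a single exact version."""
    return entry.get("lessThan") or entry.get("lessThanOrEqual")


def adp_range_problems(record):
    """Return (product, start_version, reason) for suspicious ADP entries.

    An entry without an upper bound is valid when it names one exact version,
    so only two cases are flagged: the CNA supplied a bound for the same start
    version that the ADP copy no longer carries, or the entry is a bare "0"
    with no bound, which means every version ever released.
    """
    cna = record["containers"]["cna"]
    cna_bounds = {(p, e.get("version")): upper_bound(e) for p, e in version_entries(cna)}
    problems = []
    for adp in record["containers"].get("adp", []):
        for product, entry in version_entries(adp):
            if entry.get("status") != "affected" or upper_bound(entry):
                continue
            start = entry.get("version")
            if start == "0":
                problems.append((product, start, "unbounded: matches every version"))
            elif cna_bounds.get((product, start)):
                problems.append((product, start, "CNA bound %s dropped" % cna_bounds[(product, start)]))
    return problems
```

Run against a real record from the repository by loading its JSON file in place of `SAMPLE_RECORD`; an empty result means every ADP range is at least as bounded as the CNA's.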

jwoytek-cisa commented 4 months ago

@j-baines thank you for the report. I've asked our analysts to evaluate and fix the issues upstream. As with the others, I am going to merge this, but these changes might be overwritten once the upstream data is fixed.