Closed j-baines closed 4 months ago
@j-baines thank you for the report. I've asked our analysts to evaluate and fix the issues upstream. As with the others, I am going to merge this, but these changes might be overwritten once the upstream data is fixed.
CVE-2023-28330 is another vulnerability that the CISA ADP attributes to Linux/Linux Kernel, when it should in fact be Moodle. Additionally, the `versions` arrays are wrong. The CNA provided, as far as I can tell, a perfect versions array that describes all four vulnerable ranges. This got mistranslated in the CISA ADP, and somehow lost the `lessThan` portion... which was particularly bad on the last one since that just had `"version":"0"`.

I also think this is a good example of https://github.com/cisagov/vulnrichment/issues/4 - the CNA actually provided a very good and concise versions array, the CISA ADP (while still a usable format) creates a much bigger set of arrays.
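One way to catch this class of mistranslation automatically, as an added example (not part of the original report and not vulnrichment code): it compares the CNA and ADP `affected` entries of a CVE JSON 5.x record and flags a changed vendor/product and any range whose upper bound was dropped. The record is constructed sample data, not the real CVE-2023-28330 entry, and the function names are hypothetical.

```python
# Constructed sample record in CVE JSON 5.x shape (not the real CVE-2023-28330 data).
SAMPLE = {"containers": {
    "cna": {"affected": [{"vendor": "ExampleVendor", "product": "ExampleApp", "versions": [
        {"version": "4.1.0", "lessThan": "4.1.2", "status": "affected"},
        {"version": "0", "lessThan": "3.9.20", "status": "affected"}]}]},
    "adp": [{"affected": [{"vendor": "othervendor", "product": "other_product", "versions": [
        {"version": "4.1.0", "status": "affected"},
        {"version": "0", "status": "affected"}]}]}]}}


def upper_bound(entry):
    """Upper bound of a versions entry, or None if it names a single version."""
    return entry.get("lessThan") or entry.get("lessThanOrEqual")


def product_key(affected):
    """Case-insensitive (vendor, product) pair for comparing containers."""
    return (str(affected.get("vendor", "")).casefold(),
            str(affected.get("product", "")).casefold())


def audit_adp_affected(record):
    """Hypothetical helper: list ADP 'affected' data that disagrees with the CNA's."""
    containers = record.get("containers", {})
    cna = containers.get("cna", {}).get("affected", [])
    cna_products = {product_key(a) for a in cna}
    # Range start -> upper bound, for every bounded range the CNA published.
    cna_ranges = {v.get("version"): upper_bound(v)
                  for a in cna for v in a.get("versions", []) if upper_bound(v)}
    findings = []
    for adp in containers.get("adp", []):
        for a in adp.get("affected", []):
            if product_key(a) not in cna_products:
                findings.append(("product-mismatch",) + product_key(a))
            for v in a.get("versions", []):
                start = v.get("version")
                # Same range start as the CNA, but the bound is gone.
                if start in cna_ranges and upper_bound(v) is None:
                    findings.append(("lost-upper-bound", start, cna_ranges[start]))
    return findings


if __name__ == "__main__":
    for finding in audit_adp_affected(SAMPLE):
        print(finding)
```

The comparison is a heuristic: an ADP may legitimately normalise names or split ranges, so findings are candidates for analyst review rather than proof of an error.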