cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

CVE-2023-6892 Incorrect CPE, Vendor, Product, and Version #24

Closed j-baines closed 1 month ago

j-baines commented 1 month ago

The CISA ADP has the wrong CPE/vendor/product for CVE-2023-6892. The vendor and product should be wpfactory and ean_for_woocommerce respectively. This is a different product from woocommerce:

  1. https://wordpress.org/plugins/ean-for-woocommerce/#description
  2. https://wordpress.org/plugins/woocommerce/

EAN for WooCommerce also has an existing CPE (see https://nvd.nist.gov/vuln/detail/CVE-2023-0062), so I swapped that in. Finally, the versions array said "*", or all versions are affected, despite the CNA providing a reasonable version array. I've swapped in the CNA array.

jwoytek-cisa commented 1 month ago

@j-baines thanks again. As with the others, I've referred this to our analysts for upstream updates. I'm merging, but data may be overwritten when the upstream changes are made.
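
A check for the two defects this issue reports (an ADP CPE naming the wrong vendor/product, and a "*" versions array where the CNA gave bounded versions), as an added example that is not part of the thread or the vulnrichment repo. It assumes CVE JSON 5.x field names; the function names are hypothetical, and the sample record, including its CNA vendor string and version numbers, is constructed.

```python
import json

# Constructed record in CVE JSON 5.x layout. All values are illustrative and
# are NOT copied from the real CVE-2023-6892 record.
SAMPLE = json.loads("""
{"containers": {
  "cna": {"affected": [{"vendor": "example-cna-vendor", "product": "EAN for WooCommerce",
    "versions": [{"version": "0", "lessThan": "9.9.9", "status": "affected"}]}]},
  "adp": [{"affected": [{"vendor": "woocommerce", "product": "woocommerce",
    "cpes": ["cpe:2.3:a:woocommerce:woocommerce:*:*:*:*:*:*:*:*"],
    "versions": [{"version": "*", "status": "affected"}]}]}]}}
""")

def is_wildcard(v):
    """A version entry that marks every version affected, with no upper bound."""
    return (v.get("version") == "*" and v.get("status") == "affected"
            and "lessThan" not in v and "lessThanOrEqual" not in v)

def cpe_vendor_product(cpe):
    """(vendor, product) of a CPE 2.3 string; ignores escaped ':' for brevity."""
    parts = cpe.split(":")
    return parts[3], parts[4]

def lint_adp(record, expected):
    """Flag ADP 'affected' entries that disagree with the reviewer's expected
    (vendor, product) or widen a bounded CNA version range to '*'."""
    c = record["containers"]
    cna_versions = [v for a in c.get("cna", {}).get("affected", [])
                    for v in a.get("versions", [])]
    cna_bounded = any(not is_wildcard(v) for v in cna_versions)
    findings = []
    for adp in c.get("adp", []):
        for aff in adp.get("affected", []):
            for cpe in aff.get("cpes", []):
                if cpe_vendor_product(cpe) != expected:
                    findings.append("cpe-mismatch: " + cpe)
            if cna_bounded and any(is_wildcard(v) for v in aff.get("versions", [])):
                findings.append("wildcard-versions: CNA gives bounded versions")
    return findings

if __name__ == "__main__":
    for finding in lint_adp(SAMPLE, ("wpfactory", "ean_for_woocommerce")):
        print(finding)
```

The expected vendor/product pair is supplied by the reviewer, for instance from a CPE already assigned to the same product in another record, as the issue author did here.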