Aruba CVE CVE-2024-31468 CPE does not express the different versions impacted properly

[patrickmgarrity]

Aruba CVE CVE-2024-31468 CPE does not express the different versions impacted properly. I would recommend checking other CVE's from this CNA to validate if the problem is broader across all CVEs.

Found here: https://github.com/cisagov/vulnrichment/blob/adf3de55261c34aa178ae9660e4fb8215dcb4f9d/2024/31xxx/CVE-2024-31468.json#L104

Example of another Aruba CVE expressing multiple versions: https://nvd.nist.gov/vuln/detail/cve-2023-22752

The information is clarified in their product advisory...

Affected Products

HPE Aruba Networking

• Aruba Access Points running InstantOS and ArubaOS 10

Affected Software Versions:

• ArubaOS 10.5.x.x: 10.5.1.0 and below
• ArubaOS 10.4.x.x: 10.4.1.0 and below
• InstantOS 8.11.x.x: 8.11.2.1 and below
• InstantOS 8.10.x.x: 8.10.0.10 and below
• InstantOS 8.6.x.x: 8.6.0.23 and below

The following software versions that are End of Maintenance are affected by these vulnerabilities and are not addressed by this advisory:

• ArubaOS 10.3.x.x: all
• InstantOS 8.9.x.x: all
• InstantOS 8.8.x.x: all
• InstantOS 8.7.x.x: all
• InstantOS 8.5.x.x: all
• InstantOS 8.4.x.x: all
• InstantOS 6.5.x.x: all
• InstantOS 6.4.x.x: all

[jwoytek-cisa]

@patrickmgarrity Thank you! I've passed this up to our analysts to evaluate. We may not have been supporting arrays of version specifiers when this was first published, which restricted the way we could represent versions in this arrangement. We will make needed updates upstream and will republish. I will hold this open until that is complete.