cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

Inconsistent vendor name used in CPE on same products... Vendor: ashlar_vellum / ashlar #33

Closed patrickmgarrity closed 1 month ago

patrickmgarrity commented 1 month ago

Inconsistent vendor name used in CPE on same vendor/products... ashlar_vellum / ashlar

This should be consistent across the CVEs.

CPE Examples:
cpe:2.3:a:ashlar_vellum:cobalt:*:*:*:*:*:*:*:*
cpe:2.3:a:ashlar:cobalt:*:*:*:*:*:*:*:*

CVEs listed under this vendor: CVE-2023-44438, CVE-2023-35710, CVE-2023-35712, CVE-2023-35713, CVE-2023-35714, CVE-2023-35715, CVE-2023-44437, CVE-2023-34290, CVE-2023-34286, CVE-2023-34300, CVE-2023-34291, CVE-2023-34302, CVE-2023-34292, CVE-2023-34293, CVE-2023-34289, CVE-2023-34304, CVE-2023-34309, CVE-2023-42103, CVE-2023-34306, CVE-2023-34307, CVE-2023-34308, CVE-2023-44439, CVE-2023-35716, CVE-2023-34310, CVE-2023-34287, CVE-2023-34288, CVE-2023-34303, CVE-2023-34299, CVE-2023-34305, CVE-2023-42104, CVE-2023-42102, CVE-2023-42101, CVE-2023-44440
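The check the issue is asking for, written as an added example (this is not code from the vulnrichment repository or from the issue's participants): parse CPE 2.3 formatted strings into their named components, group them by part and product, and report any product whose CPEs use more than one vendor spelling, listing which CVEs carry which spelling. The two vendor spellings and the CVE IDs are taken from the issue; which CPE string is attached to which CVE is constructed here for illustration, and the alias table that folds `ashlar_vellum` into `ashlar` is an assumption, not a statement of what NVD or CISA chose.

```python
"""Detect inconsistent vendor names in CPE 2.3 strings across CVE records.

Added example, not code from the vulnrichment repository.  The CVE IDs and the
two vendor spellings come from the issue; the CPE strings attached to each CVE
below are constructed for illustration, and VENDOR_ALIASES is an assumption.
"""
import re
from collections import defaultdict

# Components of a CPE 2.3 formatted string after the "cpe:2.3" prefix, in order.
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)

# Assumed alias table: every spelling on the left collapses to the name on the right.
VENDOR_ALIASES = {"ashlar_vellum": "ashlar", "ashlar": "ashlar"}

# Constructed sample records: CVE id -> CPE strings it was tagged with.
SAMPLE_RECORDS = {
    "CVE-2023-44438": ["cpe:2.3:a:ashlar_vellum:cobalt:*:*:*:*:*:*:*:*"],
    "CVE-2023-35710": ["cpe:2.3:a:ashlar:cobalt:*:*:*:*:*:*:*:*"],
    "CVE-2023-34290": ["cpe:2.3:a:ashlar:graphite:13.0.48:*:*:*:*:*:*:*"],
    "CVE-2023-42103": ["cpe:2.3:a:ashlar_vellum:graphite:*:*:*:*:*:*:*:*",
                       "cpe:2.3:a:ashlar:cobalt:*:*:*:*:*:*:*:*"],
    # A product with a single vendor spelling must not be reported.
    "CVE-2023-35716": ["cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*"],
}

# Colons inside a component are escaped as "\:" in CPE 2.3, so split only on
# colons that are not preceded by a backslash.
_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def split_cpe23(cpe):
    """Return the 11 named components of a CPE 2.3 formatted string."""
    parts = _UNESCAPED_COLON.split(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


def find_vendor_inconsistencies(records):
    """Map (part, product) -> {vendor: sorted CVE ids} for every product whose
    CPEs use more than one vendor name across the given records."""
    by_product = defaultdict(lambda: defaultdict(set))
    for cve_id, cpes in records.items():
        for cpe in cpes:
            f = split_cpe23(cpe)
            by_product[(f["part"], f["product"])][f["vendor"]].add(cve_id)
    return {
        key: {vendor: sorted(ids) for vendor, ids in vendors.items()}
        for key, vendors in by_product.items()
        if len(vendors) > 1
    }


def canonicalize(cpe, aliases=VENDOR_ALIASES):
    """Rewrite only the vendor component through the alias table."""
    parts = _UNESCAPED_COLON.split(cpe)
    if len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    parts[3] = aliases.get(parts[3], parts[3])
    return ":".join(parts)


if __name__ == "__main__":
    for (part, product), vendors in find_vendor_inconsistencies(SAMPLE_RECORDS).items():
        spellings = ", ".join(f"{v} ({len(ids)} CVEs)" for v, ids in vendors.items())
        print(f"{part}:{product} uses {len(vendors)} vendor spellings: {spellings}")
    fixed = {c: [canonicalize(x) for x in xs] for c, xs in SAMPLE_RECORDS.items()}
    print("after canonicalizing:", find_vendor_inconsistencies(fixed) or "consistent")
```

Run it against a real export by replacing SAMPLE_RECORDS with the CPE lists pulled from each CVE record; the report is empty exactly when every product is tagged with one vendor spelling, which is the condition the second comment in the thread later reports as satisfied.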

jwoytek-cisa commented 1 month ago

@patrickmgarrity Good catch. At issue here is that there is not much information in the NVD CPE dictionary for Ashlar-Vellum. In fact, it appears that there is only one entry, for Graphite 13.0.48. There are entries that have been used in NVD data previously, though, which all appear under the "ashlar" vendor name.

I've asked our analysts to review these CPEs and check to see if we can make them consistent. I'll leave this open as we track that.

jwoytek-cisa commented 1 month ago

These have been made consistent. The last couple of updates should be present within the next 60 minutes.