cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

The CWE-843 assigned to cve-2024-0042 is inappropriate - it should be CWE-295 #84

Closed Crashedmind closed 2 months ago

Crashedmind commented 3 months ago

🐛 Summary

The assigned CWE-843 https://cwe.mitre.org/data/definitions/843.html seems inappropriate - especially if you consider its parent CWEs. It looks like it was assigned due to "confusion" appearing in the CVE Description and in the CWE description.

https://cwe.mitre.org/data/definitions/295.html CWE-295: Improper Certificate Validation is more appropriate

See https://www.cve.news/cve-2024-0042/ for more details on the vulnerability.

This vulnerability, CVE-2024-0042, arises from the confusion of these two distinct certificate types due to the improper use of cryptographic operations in the TBD system

To reproduce

Steps to reproduce the behavior:

See https://github.com/cisagov/vulnrichment/blob/7a8e01764e5ae28d6ef713ecf7c12b9d618c6254/2024/0xxx/CVE-2024-0042.json#L120


Tip: You can ask any GPT to get a list of relevant CWEs for a given CVE description e.g.

[Screenshots omitted: ChatGPT-4o (two responses), Gemini and Claude, each listing candidate CWEs for the CVE description]

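As an added illustration of where the disputed identifier lives in a vulnrichment record (this is example code written for this page, not code from the vulnrichment repository or from the issue author), the following Python checker walks a CVE JSON 5.x record, lists the CWE IDs each container asserts, and compares one container's problemTypes against an expected set. The sample record is constructed for the example; its layout (containers.cna, containers.adp[], providerMetadata.shortName, problemTypes[].descriptions[].cweId) is assumed from the CVE record format, and the container name "CISA-ADP" and the CWE-843 value are only the test input, not the contents of the real CVE-2024-0042.json.

```python
"""List and check the CWE identifiers a CVE JSON 5.x record carries per container."""
import json
import re
from typing import Dict, List

# Identifier pattern assumed from the CVE 5.x schema: "CWE-" followed by a positive integer.
CWE_ID_RE = re.compile(r"^CWE-[1-9][0-9]*$")

# Constructed sample record (assumption: CVE 5.x layout with one ADP container).
# It deliberately carries the disputed CWE-843 so the check below reports it.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2024-0042", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "providerMetadata": {"shortName": "ExampleCNA"},
            "descriptions": [{"lang": "en", "value": "constructed description"}],
        },
        "adp": [
            {
                "providerMetadata": {"shortName": "CISA-ADP"},
                "problemTypes": [
                    {"descriptions": [
                        {"type": "CWE", "lang": "en", "cweId": "CWE-843",
                         "description": "CWE-843 Access of Resource Using "
                                        "Incompatible Type ('Type Confusion')"}
                    ]}
                ],
            }
        ],
    },
})


def cwe_ids_by_container(record: dict) -> Dict[str, List[str]]:
    """Map each container's providerMetadata.shortName to the CWE IDs it asserts.

    The CNA container is visited first, then every ADP container in order.
    Containers with no problemTypes map to an empty list.
    """
    containers = record.get("containers", {})
    entries = []
    if "cna" in containers:
        entries.append(containers["cna"])
    entries.extend(containers.get("adp", []))

    result: Dict[str, List[str]] = {}
    for container in entries:
        name = container.get("providerMetadata", {}).get("shortName", "<unknown>")
        ids: List[str] = []
        for problem_type in container.get("problemTypes", []):
            for desc in problem_type.get("descriptions", []):
                if desc.get("type") == "CWE" and "cweId" in desc:
                    ids.append(desc["cweId"])
        result[name] = ids
    return result


def check_container_cwes(record: dict, container: str, expected: List[str]) -> List[str]:
    """Return findings for one container: malformed, unexpected, or missing CWE IDs.

    An empty list means the container asserts exactly the expected identifiers.
    """
    found = cwe_ids_by_container(record).get(container, [])
    findings: List[str] = []
    for cwe_id in found:
        if not CWE_ID_RE.match(cwe_id):
            findings.append(f"malformed cweId {cwe_id!r}")
    for cwe_id in sorted(set(found) - set(expected)):
        findings.append(f"unexpected {cwe_id}")
    for cwe_id in sorted(set(expected) - set(found)):
        findings.append(f"missing {cwe_id}")
    return findings


if __name__ == "__main__":
    record = json.loads(SAMPLE_RECORD)
    print(cwe_ids_by_container(record))
    # Compare the ADP container against the CWE the issue argues is correct.
    for finding in check_container_cwes(record, "CISA-ADP", ["CWE-295"]):
        print(f"{record['cveMetadata']['cveId']}: CISA-ADP: {finding}")
```

Run against a real record with `json.load(open(path))` in place of the constructed sample; the per-container listing makes it easy to see whether a questionable CWE came from the CNA or from the ADP enrichment layer, which is the distinction that matters when deciding where a correction needs to be filed.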
jwoytek-cisa commented 2 months ago

@Crashedmind thank you for the report! The data has been fixed upstream and updated.