cisagov / vulnrichment

A repo to conduct vulnerability enrichment.
Creative Commons Zero v1.0 Universal

CPE naming inconsistent with NVD #92

Closed serkanozkanssc closed 2 months ago

serkanozkanssc commented 2 months ago

For example https://github.com/CVEProject/cvelistV5/blob/main/cves/2024/39xxx/CVE-2024-39911.json contains

"adp": [
            {
                "affected": [
                    {
                        "vendor": "1Panel-dev",
                        "product": "1panel",
                        "cpes": [
                            "cpe:2.3:a:1Panel-dev:1panel:*:*:*:*:*:*:*:*"
                        ],

but CPEs assigned by NVD for previous issues for the same product had a different vendor, cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:*, see https://nvd.nist.gov/vuln/detail/CVE-2023-37477 for an example.

https://github.com/1Panel-dev/1Panel contains the following copyright statement so I believe the vendor assigned by NVD was accurate. Copyright (c) 2014-2024 [FIT2CLOUD 飞致云](https://fit2cloud.com/), All rights reserved.

I have run into multiple similar examples, but I don't have a detailed list of similar issues.
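The inconsistency described in this issue can be checked mechanically: pull the CPE strings out of the `adp` containers of a CVE JSON 5 record, split each CPE 2.3 string into its fields, and compare the vendor field against the vendor NVD previously used for that product. The following Python is an added example written for this thread, not code from the vulnrichment project or from the commenter; the record and the `NVD_REFERENCE` mapping are constructed inline to mirror the fragment quoted above (the `fit2cloud` entry is the one cited in the issue), and `containers` is assumed as the top-level key in which CVE JSON 5 records place `adp`.

```python
import json
import re

# Constructed sample modelled on the CVE JSON 5 structure quoted in the issue
# (not the contents of the real CVE-2024-39911.json file).
SAMPLE_RECORD = json.dumps({
    "containers": {
        "adp": [
            {
                "affected": [
                    {
                        "vendor": "1Panel-dev",
                        "product": "1panel",
                        "cpes": ["cpe:2.3:a:1Panel-dev:1panel:*:*:*:*:*:*:*:*"],
                    }
                ]
            }
        ]
    }
})

# Hypothetical reference of product -> vendor as previously assigned by NVD.
# Only the fit2cloud/1panel pair comes from the issue; a real check would
# build this table from NVD's existing CPE data.
NVD_REFERENCE = {"1panel": "fit2cloud"}


def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 13 fields.

    Escaped colons (\\:) are part of a value and must not act as separators,
    so split only on colons that are not preceded by a backslash.
    """
    fields = re.split(r'(?<!\\):', cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return fields


def cpe_vendor_product(cpe):
    """Return (vendor, product) from a CPE 2.3 string, lower-cased for comparison."""
    f = split_cpe23(cpe)
    return f[3].lower(), f[4].lower()


def adp_cpes(record_json):
    """Collect every CPE string listed under the record's ADP containers."""
    rec = json.loads(record_json)
    out = []
    for adp in rec.get("containers", {}).get("adp", []):
        for aff in adp.get("affected", []):
            for cpe in aff.get("cpes", []):
                out.append(cpe)
    return out


def find_vendor_mismatches(record_json, reference):
    """Return (cpe, adp_vendor, reference_vendor) for each ADP CPE whose
    vendor differs from the reference vendor recorded for that product.
    Products absent from the reference are skipped, not flagged."""
    mismatches = []
    for cpe in adp_cpes(record_json):
        vendor, product = cpe_vendor_product(cpe)
        expected = reference.get(product)
        if expected is not None and expected.lower() != vendor:
            mismatches.append((cpe, vendor, expected))
    return mismatches


if __name__ == "__main__":
    for cpe, got, want in find_vendor_mismatches(SAMPLE_RECORD, NVD_REFERENCE):
        print(f"{cpe}: ADP vendor {got!r} differs from NVD vendor {want!r}")
```

Run against the constructed record, the check reports the `1Panel-dev` versus `fit2cloud` discrepancy from the issue. Matching is keyed on the product field only, so a product that legitimately exists under two vendors would need a richer reference than this flat mapping.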

jwoytek-cisa commented 2 months ago

@serkanozkanssc Thank you for the report! Our analysts updated this and found two other entries that were using this CPE, and updated those as well.