fkie-cad / nvd-json-data-feeds

Community reconstruction of the legacy JSON NVD Data Feeds. This project uses and redistributes data from the NVD API but is neither endorsed nor certified by the NVD.

Corruption on CVE-2024-8033.json #19

Closed CMcNCytidel closed 1 month ago

CMcNCytidel commented 1 month ago

Hey Folks,

A parsing script of mine failed on the following https://github.com/fkie-cad/nvd-json-data-feeds/blob/main/CVE-2024/CVE-2024-80xx/CVE-2024-8033.json

The CPE data "configurations" section looks corrupted (this is the only fail I had).

Keep up the great work folks <3

rhelmke commented 1 month ago

Hey,

the cached data for CVE-2024-8033 is identical to the NVD API response. I assume that your script expects the cpeMatch attribute in configurations? After all, it is required by the current official CVE schema.

Unfortunately, as you can see in our schema validation workflow, the NVD API isn't especially good at enforcing this schema.

I fear that this is a NIST problem. Or do you assume other corruptions?

CMcNCytidel commented 1 month ago

This is the only CVE JSON file that fails, so possibly it is NVD; it looks like there's a double embedding happening:

```json
"configurations": [
  {
    "operator": "AND",
    "nodes": [
      {
        "operator": "OR",
        "negate": false
      },
      {
        "operator": "OR",
        "negate": false,
        "cpeMatch": [
          {
            "vulnerable": false,
            "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"
          }
        ]
      }
    ]
  }
],
```

I just adjusted my script to handle the edge case only for this particular CVE. I believe you are correct about it being a NIST issue. Just thought I'd raise it, as it appears not to follow the schema.
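The shape being discussed (an `AND` configuration whose first `OR` node carries no `cpeMatch` at all) is easy to handle generically rather than special-casing one CVE ID. The following is an added example, not code from the reporter's script or from the nvd-json-data-feeds project: it checks a record's `configurations` array against the shape the NVD CVE schema requires (every node must have a non-empty `cpeMatch` list, every match a `criteria` and `vulnerable` field) and reports deviations with their JSON path, while a separate lenient walker skips such nodes so a feed consumer does not crash. The sample data is the excerpt posted in this thread; the CPE string is written with its `*` wildcards, which GitHub's markdown rendering strips from the comment above. The function names are this example's own.

```python
import json

# Sample built from the thread's excerpt of CVE-2024-8033.json: the first
# node of the AND configuration has no "cpeMatch" key at all.
SAMPLE_CONFIGURATIONS = json.loads("""
[
  {
    "operator": "AND",
    "nodes": [
      {"operator": "OR", "negate": false},
      {
        "operator": "OR",
        "negate": false,
        "cpeMatch": [
          {
            "vulnerable": false,
            "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"
          }
        ]
      }
    ]
  }
]
""")


def check_configurations(configurations):
    """Return a list of (json_path, message) schema deviations.

    An empty list means every configuration has a non-empty 'nodes' list,
    every node a non-empty 'cpeMatch' list, and every match both a
    'criteria' and a 'vulnerable' field, which is what the NVD CVE schema
    requires and what a strict parser will assume.
    """
    problems = []
    for i, config in enumerate(configurations):
        nodes = config.get("nodes")
        if not isinstance(nodes, list) or not nodes:
            problems.append((f"configurations[{i}]", "missing or empty 'nodes'"))
            continue
        for j, node in enumerate(nodes):
            path = f"configurations[{i}].nodes[{j}]"
            matches = node.get("cpeMatch")
            if matches is None:
                problems.append((path, "node has no 'cpeMatch' (schema requires it)"))
                continue
            if not isinstance(matches, list) or not matches:
                problems.append((path, "'cpeMatch' is not a non-empty list"))
                continue
            for k, match in enumerate(matches):
                if "criteria" not in match or "vulnerable" not in match:
                    problems.append((f"{path}.cpeMatch[{k}]",
                                     "match lacks 'criteria' or 'vulnerable'"))
    return problems


def iter_cpe_matches(configurations):
    """Yield every cpeMatch entry, tolerating nodes that lack the key.

    This is the lenient walk a feed consumer needs if it must not abort on
    records like CVE-2024-8033: nodes without 'cpeMatch' are skipped, and
    the deviation should be logged via check_configurations() instead.
    """
    for config in configurations:
        for node in config.get("nodes") or []:
            for match in node.get("cpeMatch") or []:
                yield match


def vulnerable_criteria(configurations):
    """Return the CPE criteria strings flagged vulnerable, in feed order."""
    return [m["criteria"] for m in iter_cpe_matches(configurations)
            if m.get("vulnerable")]


if __name__ == "__main__":
    for path, msg in check_configurations(SAMPLE_CONFIGURATIONS):
        print(f"schema deviation at {path}: {msg}")
    print("matches seen:", sum(1 for _ in iter_cpe_matches(SAMPLE_CONFIGURATIONS)))
```

To run this over a feed file, load the record with `json.load()` and pass `record["configurations"]` to both functions; records that were never analysed omit the key entirely, so use `record.get("configurations", [])` in a batch loop.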

rhelmke commented 1 month ago

Yeah it's quite strange that there's an empty configuration node. That does not appear reasonable. It was introduced four days ago (commit 607e009) as the CVE state transitioned from "Awaiting Analysis" to "Analyzed". Seems that the evaluators introduced this issue.

But thanks for the info either way! Glad that this repo is of use to you :-). Does anything speak against closing this issue?