I was scanning a host which has cpe:/a:7-zip:7-zip:9.20 installed (let's call it [1]); this is recognized by greenbone.
The scanner found 3 (as far as I see) CVEs which afflict this version of 7-zip; only one, though, is linked under the cpe page of [1] in the web interface (gsa).
I checked the nvd.nist.gov page and the CVEs there are linked correctly. I.e., on the CVE page, in the “Known Affected Software” section, the cpe is present, though in a wildcard syntax. I don’t know if this is the cause of the problem.
To be more specific:
CVE-2016-2335 (this one is linked correctly in gse /cve/CVE-2016-2335; the exact match is [1])
CVE-2018-10115 (this shows only cpe:/a:7-zip:7-zip:18.03 as the vulnerable product, but on https://nvd.nist.gov/vuln/detail/CVE-2018-10115 there’s a pattern which matches all versions up to 18.03, correctly so)
CVE-2018-10172 (this shows only cpe:/a:7-zip:7-zip:18.01::~windows. My 9.20 7zip version is not matched as a consequence. On https://nvd.nist.gov/vuln/detail/CVE-2018-10172 you can see that there’s a long list of cpe if you click on “Show matching CPEs”; 18.01 is just the latest.)
So, I don’t know, but the problem seems to be that gvm is only grabbing the last entry in a list of cpe defined by wildcard?
Thanks, regards.
Expected behavior
CPE should link the correct list of CVEs, even if it's defined with wildcards on nist.
And vice-versa, the CVE should have the correct list of afflicted products (CPE).
Actual behavior
Linking between CPE and CVEs is not handled correctly unless the exact version of the CPE is matched.
GVM seems to grab only the latest in a wildcard defined CPE (assumption).
Steps to reproduce
Install on a machine software like https://www.7-zip.org/download.html (version 9.20 in my case), which has a wildcard-defined CPE on nist. Run an authenticated scan.
I'm opening this issue as requested at https://forum.greenbone.net/t/cpe-with-wildcard-not-being-matched/15584.
GVM versions
Greenbone Community Containers 22.4
Environment
Win10 as target.
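The mismatch described in this report comes down to how a scanner evaluates an NVD match criterion whose version field is a wildcard bounded by a range (e.g. "all versions up to and including 18.03") against an installed CPE. The following is an added example, not code from the reporter or from GVM/Greenbone: a small Python matcher that treats such criteria as version ranges, placed beside a model of the behaviour the report observes, where a range collapses to its single upper-bound CPE and only an exact version match is linked. The catalog is constructed from the report's description of the three CVEs (the range for CVE-2018-10172 is an assumption; NVD enumerates CPEs for it and 18.01 is the highest), and the CPE 2.2 URI form used on the page is parsed instead of NVD's CPE 2.3 strings.

```python
"""Range-aware vs. exact-only CPE matching for CVE correlation (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CpeMatch:
    """One NVD-style match criterion: a CPE 2.2 URI plus optional version bounds.
    A version field of "*" in `criteria` means the bounds decide the match."""
    criteria: str
    version_start_including: Optional[str] = None
    version_start_excluding: Optional[str] = None
    version_end_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


def parse_cpe22(uri: str) -> Tuple[str, str, str, str]:
    """Return (part, vendor, product, version) from a CPE 2.2 URI such as
    cpe:/a:7-zip:7-zip:9.20. Empty or missing fields become "*"; the trailing
    update/edition fields (e.g. "::~windows") are ignored here."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri}")
    fields = uri[len("cpe:/"):].split(":")
    fields += ["*"] * (4 - len(fields))
    part, vendor, product, version = (f if f else "*" for f in fields[:4])
    return part, vendor, product, version


def version_key(version: str) -> Tuple:
    """Sort key so that 9.20 < 18.01 < 18.03 (numeric segments compare as ints,
    non-numeric segments fall back to string order)."""
    return tuple((0, int(seg), "") if seg.isdigit() else (1, 0, seg)
                 for seg in version.split("."))


def range_matches(installed: str, m: CpeMatch) -> bool:
    """Correct evaluation: exact version when the criterion names one,
    otherwise check the installed version against the declared bounds."""
    ipart, ivendor, iproduct, iversion = parse_cpe22(installed)
    cpart, cvendor, cproduct, cversion = parse_cpe22(m.criteria)
    if (ipart, ivendor, iproduct) != (cpart, cvendor, cproduct):
        return False
    if cversion != "*":
        return iversion == cversion          # criterion names a single version
    if iversion == "*":
        return False                         # unknown installed version: cannot place it in a range
    v = version_key(iversion)
    if m.version_start_including and v < version_key(m.version_start_including):
        return False
    if m.version_start_excluding and v <= version_key(m.version_start_excluding):
        return False
    if m.version_end_including and v > version_key(m.version_end_including):
        return False
    if m.version_end_excluding and v >= version_key(m.version_end_excluding):
        return False
    return True


def exact_only_matches(installed: str, m: CpeMatch) -> bool:
    """Model of the behaviour the report describes (an assumption, not GVM code):
    a range criterion is reduced to its upper-bound CPE and compared exactly."""
    cpart, cvendor, cproduct, cversion = parse_cpe22(m.criteria)
    bound = m.version_end_including or m.version_end_excluding or cversion
    return parse_cpe22(installed) == (cpart, cvendor, cproduct, bound)


# Constructed catalog reflecting the report's description of the three CVEs.
CATALOG: Dict[str, List[CpeMatch]] = {
    "CVE-2016-2335": [CpeMatch("cpe:/a:7-zip:7-zip:9.20")],
    "CVE-2018-10115": [CpeMatch("cpe:/a:7-zip:7-zip:*", version_end_including="18.03")],
    "CVE-2018-10172": [CpeMatch("cpe:/a:7-zip:7-zip:*", version_end_including="18.01")],
}


def expected_cves(installed: str, catalog=CATALOG) -> List[str]:
    """CVEs a range-aware scanner should link to the installed CPE."""
    return sorted(cve for cve, crits in catalog.items()
                  if any(range_matches(installed, m) for m in crits))


def exact_only_cves(installed: str, catalog=CATALOG) -> List[str]:
    """CVEs linked when only an exact version match counts."""
    return sorted(cve for cve, crits in catalog.items()
                  if any(exact_only_matches(installed, m) for m in crits))


if __name__ == "__main__":
    host = "cpe:/a:7-zip:7-zip:9.20"
    print("range-aware:", expected_cves(host))
    print("exact-only :", exact_only_cves(host))
```

Running the block with the 9.20 CPE from the report yields three CVEs under range-aware matching and only CVE-2016-2335 under exact-only matching, which is the gap the report describes. When checking a real feed, the comparison should be done against the full set of NVD match criteria (including the `versionStartIncluding`/`versionEndExcluding` bounds) rather than against the highest enumerated CPE alone.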