The CPE URL cpe:/a:realnetworks:realplayer:10.0:::english (as published in a CVE by MITRE) has an invalid language field, although the specification somewhat allows arbitrary strings here.
However, the parser neither parses the language field correctly, nor does it throw an exception. Instead, it detects the string as a CPE 1.1 identifier, moves the h from the end to the part field and shifts all other fields right:
hw
[
  [
    part = h
    vendor = a
    product = realnetworks
    version = realplayer
    update = 10.0
    edition = <EMPTY>
    language = <EMPTY>
    sw_edition = english
    target_sw = <UNDEFINED>
    target_hw = <UNDEFINED>
    other = <UNDEFINED>
  ]
]
os
[]
app
[]
undef
[]
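For comparison, a strict CPE 2.2 URI parse of the reported string. This is an added example, not the parser's own code: `parse_cpe22_uri`, `CPEFormatError` and the simplified language-tag pattern are assumptions made for illustration. It takes the part only from the first component, and either flags or rejects the `english` language value instead of reinterpreting the string.

```python
import re
from urllib.parse import unquote

# CPE 2.2 URI component order after the "cpe:/" prefix.
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
VALID_PARTS = {"", "h", "o", "a"}  # an empty part means "unspecified"
# Simplified language-tag shape (assumption): "en", "en-us", "es-419".
LANG_TAG = re.compile(r"[a-z]{2,3}(-([a-z]{2}|[0-9]{3}))?", re.IGNORECASE)


class CPEFormatError(ValueError):
    """Raised when a string is not a well-formed CPE 2.2 URI."""


def parse_cpe22_uri(uri, strict_language=False):
    """Return (fields, warnings) for a CPE 2.2 URI, or raise CPEFormatError."""
    if not uri.startswith("cpe:/") or uri.startswith("cpe://"):
        raise CPEFormatError(f"not a CPE 2.2 URI: {uri!r}")
    components = uri[len("cpe:/"):].split(":")
    if len(components) > len(FIELDS):
        raise CPEFormatError(f"too many components ({len(components)}): {uri!r}")
    # Trailing components may be omitted; pad so every field is present.
    components += [""] * (len(FIELDS) - len(components))
    fields = {name: unquote(value) for name, value in zip(FIELDS, components)}

    # The part is whatever sits in the first position; it is never inferred
    # from characters elsewhere in the string.
    if fields["part"] not in VALID_PARTS:
        raise CPEFormatError(f"invalid part {fields['part']!r}: {uri!r}")

    warnings = []
    lang = fields["language"]
    if lang and not LANG_TAG.fullmatch(lang):
        message = f"language {lang!r} is not a language tag"
        if strict_language:
            raise CPEFormatError(f"{message}: {uri!r}")
        warnings.append(message)
    return fields, warnings


if __name__ == "__main__":
    # The URI from the report above.
    print(parse_cpe22_uri("cpe:/a:realnetworks:realplayer:10.0:::english"))
```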