owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

No CPE for 3.0.11 and 3.0.12 #3083

Open frankvanbever opened 3 months ago

frankvanbever commented 3 months ago

I am the package maintainer of ModSecurity in Buildroot. Buildroot has automated tracking of CVEs which it does by checking the CPE for the corresponding release. It seems that for both 3.0.11 and 3.0.12 no CPE was registered. The newest CPE I can find in the NIST database is cpe:2.3:a:trustwave:modsecurity:3.0.10:*:*:*:*:*:*:*. This has effectively broken the CVE reporting infrastructure for ModSecurity in Buildroot, causing us to miss CVE-2024-1019.

Will the creation of CPEs resume in the future for future versions or will this be deprecated?
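The mechanism the report describes, as an added example that is not Buildroot's CVE checker and not code from the ModSecurity project: a CPE-driven CVE lookup matches a package's synthesised CPE against the CPEs listed in each CVE's configuration, so a release that was never registered produces an empty result that is indistinguishable from "no known CVEs". The script parses CPE 2.3 formatted strings (including backslash-escaped colons), runs the match, and separately reports released versions for which no CPE exists at all, so the empty result can be flagged as unreliable. Only the 3.0.10 CPE quoted above is taken from the issue; the remaining CPE strings, the CVE id and the version list are constructed sample data.

```python
"""CPE 2.3 parsing plus a check for releases that have no CPE at all.

Added example: not Buildroot's CVE checker and not ModSecurity code. All CPE
strings and CVE ids below are constructed sample data except the 3.0.10 CPE
quoted in the issue.
"""

CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe23(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string on ':' while honouring backslash escapes."""
    fields, current, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):  # escaped char such as '\:' inside a field
            current.append(cpe[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_cpe23(cpe: str) -> dict[str, str]:
    """Return the 11 attribute fields of a CPE 2.3 string, or raise ValueError."""
    fields = split_cpe23(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a well-formed CPE 2.3 string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, fields[2:]))


def cpe_matches(pattern: str, target: str) -> bool:
    """Field-wise match: '*' (ANY) in the pattern matches anything; '-' (NA) and
    literal values must be equal. Sufficient for exact-version CVE configurations."""
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    return all(p[f] == "*" or p[f] == t[f] for f in CPE23_FIELDS)


def cves_for(target_cpe: str, cve_db: dict[str, list[str]]) -> set[str]:
    """CVE ids whose affected-CPE list matches the target CPE."""
    return {cve for cve, cpes in cve_db.items()
            if any(cpe_matches(c, target_cpe) for c in cpes)}


def unregistered_versions(known_cpes, vendor, product, released) -> list[str]:
    """Released versions of vendor:product for which no CPE exists in known_cpes."""
    registered = {
        p["version"] for p in map(parse_cpe23, known_cpes)
        if p["part"] == "a" and p["vendor"] == vendor and p["product"] == product
        and p["version"] not in ("*", "-")
    }
    return [v for v in released if v not in registered]


def package_cpe(version: str) -> str:
    """CPE a package manager would synthesise for a given release (assumed scheme)."""
    return f"cpe:2.3:a:trustwave:modsecurity:{version}:*:*:*:*:*:*:*"


# --- constructed sample data; only the 3.0.10 entry comes from the issue ---
NIST_CPES = [
    "cpe:2.3:a:trustwave:modsecurity:3.0.9:*:*:*:*:*:*:*",
    "cpe:2.3:a:trustwave:modsecurity:3.0.10:*:*:*:*:*:*:*",
]
# Fictitious CVE whose configuration can only list versions that have a CPE.
CVE_DB = {
    "CVE-0000-EXAMPLE": [
        "cpe:2.3:a:trustwave:modsecurity:3.0.9:*:*:*:*:*:*:*",
        "cpe:2.3:a:trustwave:modsecurity:3.0.10:*:*:*:*:*:*:*",
    ],
}
RELEASED = ["3.0.9", "3.0.10", "3.0.11", "3.0.12"]


if __name__ == "__main__":
    for v in RELEASED:
        print(v, sorted(cves_for(package_cpe(v), CVE_DB)))
    gaps = unregistered_versions(NIST_CPES, "trustwave", "modsecurity", RELEASED)
    # An empty CVE list for a version in `gaps` proves nothing; flag it separately.
    print("versions with no CPE at all (CVE results unreliable):", gaps)
```

The `unregistered_versions` check is the part a package maintainer would wire into the CVE job: an empty match set is only meaningful for versions that actually have a CPE, so the two checks should be reported together rather than treating "no matches" as "clean".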

airween commented 3 months ago

Hi @frankvanbever,

thanks for reporting this, I think it's a very important issue.

Actually I haven't heard about this registration possibility, but now I'm going to check how it works.

I think on behalf of the team I can say we definitely want to continue maintaining the NIST database.

I need some time to review the registration process (e.g. the vendor has changed meanwhile).

Thanks again.

airween commented 2 months ago

Just for the record: I contacted NIST about this issue.

dune73 commented 2 months ago

Thank you

airween commented 2 months ago

NIST responded; they have created the two CPEs:

CVE-2023-38385

CVE-2024-1019

Please check those above, if you think everything is fine, feel free to close the issue here.