righel / ms-exchange-version-nse

Nmap script to detect a Microsoft Exchange instance version with OWA enabled.
Apache License 2.0

Are earlier Cumulative Updates still vulnerable? #5

Open kschluns opened 7 months ago

kschluns commented 7 months ago

In the example below for CVE-2023-36439, Microsoft only lists 3 affected products:

image

NVD also displays only 3 affected products:

image

I would think within a given Exchange Server version that all earlier cumulative updates would also be vulnerable. For example, with Exchange Server 2019, would RTM through CU11 also be vulnerable?

Right now the repo is not accounting for these prior builds being vulnerable and I was going to propose a solution for this, but before I do, I wanted to check with someone about whether this is actually the right logic.

righel commented 7 months ago

I'm not sure it is safe to assume that all prior cumulative updates are vulnerable too. In your example for CVE-2023-36439, for Exchange Server 2019, two CUs are listed, 12 and 13, but not 11 or previous. I hope they are reporting this properly and checking whether older CUs are vulnerable too, but I cannot confirm this logic is true in all cases.

righel commented 7 months ago

In any case, I'll leave this one open in case someone can bring more information on this topic.
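
The two positions in this thread differ only in how a build below the lowest listed CU is reported. As an added example (not code from this repository or from either commenter), the code below keeps that case as a separate "unconfirmed" state instead of deciding either way. The data holds only what the thread states (Exchange Server 2019, CU12 and CU13); the names `ADVISORIES`, `classify` and `needs_review` and the convention that CU 0 means RTM are assumptions.

```python
# Added illustration; not code from ms-exchange-version-nse.
from enum import Enum


class Status(Enum):
    LISTED = "listed as affected in the advisory"
    UNLISTED_EARLIER = "older than every listed CU; status unconfirmed"
    NOT_LISTED = "not listed and not older than the listed CUs"


# Advisory data as stated in the thread: for Exchange Server 2019,
# CVE-2023-36439 lists CU12 and CU13. The third affected product is not
# named in the thread, so it is left out rather than guessed.
ADVISORIES = {
    "CVE-2023-36439": {"Exchange Server 2019": {12, 13}},
}


def classify(cve, product, cu):
    """Classify one detected build. cu is the CU number; 0 = RTM (assumption)."""
    listed = ADVISORIES.get(cve, {}).get(product)
    if not listed:
        return Status.NOT_LISTED          # no advisory data for this product
    if cu in listed:
        return Status.LISTED              # exact match: what the advisory says
    if cu < min(listed):
        return Status.UNLISTED_EARLIER    # the case this issue asks about
    return Status.NOT_LISTED              # newer than, or between, listed CUs


def needs_review(cve, product, cus):
    """Return the CUs whose verdict depends on the open question."""
    return [cu for cu in cus
            if classify(cve, product, cu) is Status.UNLISTED_EARLIER]


if __name__ == "__main__":
    for cu in range(0, 15):
        label = "RTM" if cu == 0 else f"CU{cu}"
        status = classify("CVE-2023-36439", "Exchange Server 2019", cu)
        print(f"Exchange Server 2019 {label:5} {status.value}")
```

A scan report built this way can show RTM through CU11 as needing manual confirmation without claiming more than the advisory does.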