
Reporting Capability For CVE Records That Have Inaccurate Information on Affected Versions #21

Open
PluginVulnerabilities opened this issue Jan 17, 2024 · 5 comments

Comments

@PluginVulnerabilities

Proposed New Idea/Feature (required)

You are providing information on which versions of software are vulnerable, which would be really useful if the information was accurate. But a number of your CNAs are known to not actually figure out which versions are vulnerable, but instead claim that all previous versions before the fixed version are vulnerable, despite not knowing that and it often not being true. For example, CVE-2023-6875 has gotten some press coverage, with the press coverage claiming all versions before 2.8.8 are vulnerable. That is in line with the information provided by the CVE record. The CVE’s description of the issue says “all versions up to, and including, 2.8.7.” The version section provides the same information. But the feature at issue has only been in the software since version 2.7.0, so that couldn’t be right. Similarly, we saw a hacker this week trying to exploit a vulnerability that may be identified by you with CVE-2023-6634. The record claims that “all versions up to, and including, 4.2.5.7” are vulnerable. But the code being exploited was added in version 4.2.5.7, so if that record is related, as it appears, the version information is wrong.

There are other issues. For example, with CVE-2023-52215, the description says that the versions impacted are “n/a through 1.5.1”. The version section says that it is "affected from n/a through 1.5.1." There is no “not applicable” version of the plugin.

Currently, there isn’t a mechanism to report this situation with a CVE record, and therefore no method to monitor for CNAs repeatedly providing inaccurate information. Adding a mechanism for that would help to address the problem. It is possible to contact a CNA about this, but as we mentioned earlier, the CNAs are known to provide inaccurate information, so contacting them wouldn't address this.

Additional Notes (Optional)

@cfi-gb

cfi-gb commented Jan 23, 2024

While it might not be fully on-topic:

From my experience the CVE descriptions are generally / in many cases not a reliable source for info on the affected and / or fixed version of a software / product, and this is not special to these specific CNAs (see the general note on the CVE description specification below).

These are the cases I have seen so far which included insufficient info:

| Current CVE description | Correct info | Notes |
|---|---|---|
| Version x.y.z and below | Only version x.y.z is affected | Same as the example given above for CVE-2023-6634 |
| Version x.y.z and below | Only versions a.b.c through x.y.z are affected | Same as the example given above for CVE-2023-6875 |
| Version x.y.z and below | Actually versions prior to x.y.z are affected | - Example: CVE-2021-3169, where the linked vendor advisory https://blog.fit2cloud.com/?p=1764 says JumpServer < v2.6.2<br>- This is another special case described in the next point<br>- I have been trying to get the description corrected for a few months (first report to Mitre was on 25.09.23, with a follow-up on 15.01.24, without any reaction so far) |
| Version x.y.z and below | Actually versions prior to a.b.c and x.y prior to x.y.z are affected | - See CVE-2021-3169 vs. https://blog.fit2cloud.com/?p=1764, where the vendor advisory lists 2.6.2, 2.5.4 and 2.4.5 as the fixed versions<br>- See the separate general note below on this topic |
| Version x.y through x.y.z | Actually also previous major releases like a.b are affected | I'm seeing this often if the vendor is not evaluating the affected status of e.g. end-of-life (EOL) software and only lists their still supported versions in the relevant advisory |

General note

This is a general note about the specification of the CVE description which got mentioned to me by a Mitre representative:

> A CVE description does not necessarily contain all the affected products or versions and is not part of CVE ID requirements. The products are documented in the CVE references.
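
A check that mechanises the comparison made in the opening post and in the first rows of the table above (a range that reaches back before the vulnerable component existed, and the "n/a through x.y.z" case). This is an added example, not code from the CVE Program or from anyone in this thread. It assumes CVE JSON 5 style `affected[].versions[]` entries, a hypothetical analyst-maintained map of the version in which each vulnerable component first appeared (the CVE record itself carries no such data), and constructed sample records whose IDs are placeholders.

```python
"""Sanity checks for the affected-version data in a CVE record.

Added example, not code from the CVE Program or from anyone in this thread.
It reads CVE JSON 5 style ``affected[].versions[]`` entries and compares the
claimed range with an analyst-supplied note of when the vulnerable component
first appeared, reporting the two patterns discussed in the thread: ranges
that start at a non-version such as "n/a", and ranges that reach back before
the component existed.
"""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple[int, ...]:
    """'4.2.5.7' -> (4, 2, 5, 7); raises ValueError for sentinels like 'n/a'."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"not a numeric version: {v!r}")
    return tuple(int(p) for p in v.split("."))


def describe_range(lo: str, hi: Optional[str], inclusive: bool) -> str:
    """Human-readable range in the wording CVE descriptions use."""
    if hi is None or (inclusive and parse_version(lo) == parse_version(hi)):
        return f"only {lo}"
    return f"{lo} through {hi}" if inclusive else f"{lo} before {hi}"


@dataclass
class Finding:
    cve_id: str
    product: str
    problem: str
    suggested: Optional[str]  # corrected range, when the analyst data allows one


def check_affected(record: dict, introduced: dict[str, str]) -> list[Finding]:
    """`introduced` maps product -> first version containing the vulnerable code (hypothetical analyst input)."""
    findings: list[Finding] = []
    cve_id = record["cveMetadata"]["cveId"]
    for aff in record["containers"]["cna"]["affected"]:
        product = aff["product"]
        intro = introduced.get(product)
        for ver in aff.get("versions", []):
            if ver.get("status") != "affected":
                continue
            start = ver.get("version", "")
            if "lessThanOrEqual" in ver:
                upper, inclusive = ver["lessThanOrEqual"], True
            elif "lessThan" in ver:
                upper, inclusive = ver["lessThan"], False
            else:
                upper, inclusive = None, True  # entry names a single version
            try:
                start_t = parse_version(start)
            except ValueError:
                # Pattern 1: "affected from n/a through x.y.z" - no real lower bound.
                fix = describe_range(intro, upper, inclusive) if intro and upper else None
                findings.append(Finding(cve_id, product,
                                        f"range starts at non-version {start!r}", fix))
                continue
            if intro is None:
                continue  # nothing to compare against
            if start_t < parse_version(intro):
                # Pattern 2: the range claims versions that predate the component.
                findings.append(Finding(
                    cve_id, product,
                    f"range starts at {start} but the component first appeared in {intro}",
                    describe_range(intro, upper, inclusive)))
    return findings


def _record(cve_id: str, product: str, ver: dict) -> dict:
    # Minimal CVE JSON 5 skeleton; constructed for this example.
    return {"cveMetadata": {"cveId": cve_id},
            "containers": {"cna": {"affected": [{"product": product, "versions": [ver]}]}}}


# Constructed records mirroring the patterns described in the thread; IDs are placeholders.
SAMPLE_RECORDS = [
    _record("CVE-0000-EX1", "plugin-a",
            {"version": "0", "status": "affected", "lessThanOrEqual": "2.8.7"}),
    _record("CVE-0000-EX2", "plugin-b",
            {"version": "0", "status": "affected", "lessThanOrEqual": "4.2.5.7"}),
    _record("CVE-0000-EX3", "plugin-c",
            {"version": "n/a", "status": "affected", "lessThanOrEqual": "1.5.1"}),
    _record("CVE-0000-EX4", "plugin-a",
            {"version": "2.7.0", "status": "affected", "lessThanOrEqual": "2.8.7"}),
]
# Hypothetical analyst notes: first version in which the vulnerable component exists.
INTRODUCED = {"plugin-a": "2.7.0", "plugin-b": "4.2.5.7"}


def run_checks() -> list[Finding]:
    return [f for rec in SAMPLE_RECORDS for f in check_affected(rec, INTRODUCED)]


if __name__ == "__main__":
    for f in run_checks():
        print(f"{f.cve_id} {f.product}: {f.problem}; suggested: {f.suggested}")
```

The fourth sample record, whose range starts at the version that introduced the component, produces no finding; the first three reproduce the "only x.y.z", "a.b.c through x.y.z" and "n/a" rows of the table. A finding with `suggested` set to `None` means the record is malformed but the analyst data is not enough to propose a replacement range.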

@Reelix

Reelix commented Jan 23, 2024

> A CVE description does not necessarily contain all the affected products or versions and is not part of CVE ID requirements.

The problem is not that it's missing certain products or versions - The problem is more when it includes incorrect ones due to the assumption that the issue always existed (Even before the affected component existed).

@cfi-gb

cfi-gb commented Jan 23, 2024

Yes, this is understood 👍 and was thus only added as a general note about the CVE specification.

@cfi-gb

cfi-gb commented Jan 29, 2024

Additional recent examples for SuiteCRM:

but according to a customer of ours (I'm not able to verify this claim due to my lack of knowledge of this product) the affected component providing / implementing GraphQL has only been introduced in 8.x. If this assumption is correct, this would mean that 7.x and prior are affected, but this is not reflected in the CVE description.

@PluginVulnerabilities

With CVE-2023-47643, one of the listed references is a security advisory from the developer of the software that lists the "Affected versions" as only 8.4.1. As that advisory was issued on GitHub and the CVE was issued by GitHub, GitHub is probably relying on information from the developer, but is saying something different than them.
