
cannot specify that a range includes at least one affected version #215


Open
ElectricNroff opened this issue Feb 15, 2023 · 3 comments
Labels
Needs Discussion Discuss in a future QWG meeting or on mailing list section:affected_product Schema location is affected or product

Comments

@ElectricNroff

https://cveawg.mitre.org/api/cve/CVE-2023-21744 includes:

"product":"Microsoft SharePoint Server Subscription Edition","versions":[{"version":"unspecified","status":"affected"}]

The original intention of the schema was not to encourage "unspecified" as a value of "version" but, in practice, this may be the best available way to represent some types of limited information.

A provider has the option of stating:

{
  "version": "0",
  "lessThan": "*",
  "versionType": "custom",
  "status": "unknown"
}

(or simply "defaultStatus":"unknown"); however, at the time that a CVE Record is first published, the provider may be certain of the affected versions for some products, whereas for other products, it is certain that at least one version is affected, but the version numbers haven't yet been investigated. It is possible that the schema could be extended so that a provider could pass along this additional fact to end users, e.g., provide a stronger signal that users of the less-investigated product should be concerned.

It is unclear how to implement this in the best way; some possibilities may be:

{
  "version": "0",
  "lessThan": "*",
  "versionType": "custom",
  "status": "partiallyAffected"
}
{
  "version": "0",
  "lessThan": "*",
  "versionType": "custom",
  "status": "hasAtLeastOneAffected"
}
@chandanbn
Collaborator

CVE services to verify:

at least one "status": "affected" in a CNA container or "defaultStatus": "affected"

AI: to raise a bug against cve-services.
AI: Client side (@Vulnogram @cve-client) warning to check for this requirement.
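An added example (not code from this issue, cve-services, Vulnogram or cve-client) of the client-side check described in the comment above: walk `containers.cna.affected` of a CVE JSON 5.0 record and warn unless at least one version carries `"status": "affected"` or a product sets `"defaultStatus": "affected"`. The record shapes below are constructed to mirror the snippets in this issue.

```python
import json

# Constructed sample records shaped like CVE JSON 5.0 (not the live API response).
# First: the CVE-2023-21744 pattern quoted in the issue, "unspecified" but affected.
RECORD_AFFECTED = json.loads("""
{"cveMetadata": {"cveId": "CVE-2023-21744"},
 "containers": {"cna": {"affected": [
   {"vendor": "Microsoft",
    "product": "Microsoft SharePoint Server Subscription Edition",
    "versions": [{"version": "unspecified", "status": "affected"}]}]}}}
""")
# Second: the "0 ... * / unknown" range from the issue, with no affected entry at all.
RECORD_UNKNOWN_ONLY = json.loads("""
{"cveMetadata": {"cveId": "CVE-XXXX-PLACEHOLDER"},
 "containers": {"cna": {"affected": [
   {"vendor": "ExampleVendor", "product": "ExampleProduct",
    "versions": [{"version": "0", "lessThan": "*",
                  "versionType": "custom", "status": "unknown"}]}]}}}
""")
# Third: no version list, but defaultStatus declares the product affected.
RECORD_DEFAULT_AFFECTED = json.loads("""
{"cveMetadata": {"cveId": "CVE-XXXX-PLACEHOLDER"},
 "containers": {"cna": {"affected": [
   {"vendor": "ExampleVendor", "product": "ExampleProduct",
    "defaultStatus": "affected"}]}}}
""")


def cna_has_affected(record: dict) -> bool:
    """True if the CNA container has at least one version with status
    "affected", or any product whose defaultStatus is "affected"."""
    cna = record.get("containers", {}).get("cna", {})
    for product in cna.get("affected", []):
        if product.get("defaultStatus") == "affected":
            return True
        for version in product.get("versions", []):
            if version.get("status") == "affected":
                return True
    return False


def check_record(record: dict) -> list:
    """Return client-side warnings for a record (empty list if it passes)."""
    warnings = []
    if not cna_has_affected(record):
        cve_id = record.get("cveMetadata", {}).get("cveId", "<no id>")
        warnings.append(f"{cve_id}: CNA container declares no affected version "
                        f"and no product with defaultStatus=affected")
    return warnings
```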

@sei-vsarvepalli
Contributor

Also recommended fix on - https://github.com/CERTCC/cveClient

@MrMegaZone
Collaborator

I'm not really seeing the need for this. The updated rules make it clear CVEs should only be published when there is a known vulnerable version, or it is at least believed there may be. Basically the 'Affected' data should never be 100% NOT affected. But there is no requirement to have at least one status of 'affected' - any status of affected or unknown satisfies the rules.

The vendor should always provide any concrete affected and/or unaffected versions when that determination has been made.

For everything else there are two ways to handle it:

  1. Just use the default 'unknown' for all other versions.
  2. You can specify other version ranges and explicitly state 'unknown' for them to indicate the investigation is ongoing.

My feeling is we can close this unless real demand for this is shown.

@jayjacobs jayjacobs added the section:affected_product Schema location is affected or product label Jan 17, 2025