5.1.0 accepts undefined properties under "affected" #259

@ElectricNroff

Description

At the 2023-12-14 TWG meeting, the discussion suggested that, during testing of the 5.1.0 schema, any CVE Record that validated even though the record format was not "intended" would be considered a "loophole."

As far as I know, it was not intended that arbitrary properties be allowed under "affected" in a container, but records with these do validate.

Minimal/plausible test case (the CNA uses the arbitrary property "version" even though it is a misspelling of the intended property "versions"):

```json
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "cveMetadata": {"cveId": "CVE-2025-0001", "assignerOrgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6", "state": "PUBLISHED"},
  "containers": {"cna": {
    "providerMetadata": {"orgId": "b3476cb9-2e3d-41a6-98d0-0f47421a65b6"},
    "affected": [{"vendor": "v", "product": "p",
                  "version": [{"version": "1", "status": "affected"}],
                  "defaultStatus": "affected"}],
    "descriptions": [{"lang": "en", "value": "d"}],
    "references": [{"url": "https://a.ai"}]
  }}
}
```

Possible solution:

  1. Find the text "Name of the organization" in the schema.
  2. Go up four lines.
  3. Insert "additionalProperties": false,

Issues on the current CVE List:

  • additional property of "cpe"
CVE-2022-1415
CVE-2022-1438
CVE-2022-3466
CVE-2022-3596
CVE-2022-3916
CVE-2022-3962
CVE-2022-4039
CVE-2022-4137
CVE-2022-4244
CVE-2022-4245
CVE-2022-4318
CVE-2023-0118
CVE-2023-0119
CVE-2023-0813
CVE-2023-0833
CVE-2023-0923
CVE-2023-1108
CVE-2023-1260
CVE-2023-1476
CVE-2023-1584
CVE-2023-2422
CVE-2023-2974
CVE-2023-3223
CVE-2023-3347
CVE-2023-3637
CVE-2023-38200
CVE-2023-38201
CVE-2023-3899
CVE-2023-3961
CVE-2023-3971
CVE-2023-3972
CVE-2023-4004
CVE-2023-4065
CVE-2023-4066
CVE-2023-4091
CVE-2023-4128
CVE-2023-4147
CVE-2023-4380
CVE-2023-4456
CVE-2023-4527
CVE-2023-46846
CVE-2023-46847
CVE-2023-46848
CVE-2023-4806
CVE-2023-4813
CVE-2023-4853
CVE-2023-4911
CVE-2023-5157
CVE-2023-5408
CVE-2023-5625
  • additional property of "collection_url"
CVE-2022-1970
CVE-2022-3205
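The loophole above comes from a default in JSON Schema itself: an object that does not set "additionalProperties": false accepts any property name that is not listed under "properties". The following is an added example, not code from the issue or from the cve-schema project. It implements a small subset of JSON Schema (type, enum, required, properties, additionalProperties, items) in plain Python, runs the issue's test case against a hand-written stand-in for the 5.1.0 product object (an assumption: only vendor, product, defaultStatus and versions are modelled, not the official schema), and shows the same record passing the loose schema and failing the strict one. The two LEGACY_PRODUCTS objects are constructed to mirror the "cpe" and "collection_url" property names the issue found on the published list; their values are made up.

```python
"""Added example: why a misspelled "version" key validates until the product
object gets "additionalProperties": false. Toy validator, not the CVE tooling."""
import json

# Python types for the JSON Schema "type" values this toy validator supports.
TYPE_MAP = {"object": dict, "array": list, "string": str, "boolean": bool}


def validate(instance, schema, path="$"):
    """Return a list of error strings; an empty list means the instance validates."""
    errors = []
    expected = schema.get("type")
    if expected is not None and not isinstance(instance, TYPE_MAP[expected]):
        return [f"{path}: expected {expected}, got {type(instance).__name__}"]
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} not one of {schema['enum']}")
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in instance:
                errors.append(f"{path}: missing required property {name!r}")
        for name, value in instance.items():
            if name in props:
                errors.extend(validate(value, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}: additional property {name!r} not allowed")
            # Default JSON Schema behaviour: an unlisted property is accepted
            # without complaint, which is exactly the loophole in the issue.
    elif isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


STATUS = {"type": "string", "enum": ["affected", "unaffected", "unknown"]}

# Assumption: a trimmed stand-in for the 5.1.0 product object, covering only the
# properties the issue's test case uses. No "additionalProperties" keyword, as in
# the schema the issue reports against.
PRODUCT_SCHEMA_LOOSE = {
    "type": "object",
    "required": ["vendor", "product"],
    "properties": {
        "vendor": {"type": "string"},
        "product": {"type": "string"},
        "defaultStatus": STATUS,
        "versions": {
            "type": "array",
            "items": {
                "type": "object",
                "required": ["version", "status"],
                "properties": {"version": {"type": "string"}, "status": STATUS},
            },
        },
    },
}

# The issue's proposed fix: the same object with "additionalProperties": false.
PRODUCT_SCHEMA_STRICT = {**PRODUCT_SCHEMA_LOOSE, "additionalProperties": False}

# The test case from the issue: "version" (singular) is a misspelling of "versions".
ISSUE_RECORD = json.loads("""
{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-0001",
"assignerOrgId":"b3476cb9-2e3d-41a6-98d0-0f47421a65b6","state":"PUBLISHED"},
"containers":{"cna":{"providerMetadata":{"orgId":"b3476cb9-2e3d-41a6-98d0-0f47421a65b6"},
"affected":[{"vendor":"v","product":"p",
"version":[{"version":"1","status":"affected"}],
"defaultStatus":"affected"}],
"descriptions":[{"lang":"en","value":"d"}],"references":[{"url":"https://a.ai"}]}}}
""")

# Constructed product objects using the two extra property names the issue found
# on the published CVE List; the values are invented for the example.
LEGACY_PRODUCTS = [
    {"vendor": "v", "product": "p", "cpe": "cpe:2.3:a:v:p:1:*:*:*:*:*:*:*",
     "defaultStatus": "affected"},
    {"vendor": "v", "product": "p", "collection_url": "https://example.invalid/pkgs",
     "defaultStatus": "affected"},
]


def check_affected(record, strict=False):
    """Validate every product object under containers.cna.affected of a record."""
    schema = PRODUCT_SCHEMA_STRICT if strict else PRODUCT_SCHEMA_LOOSE
    errors = []
    for i, product in enumerate(record["containers"]["cna"]["affected"]):
        errors.extend(validate(product, schema, f"$.containers.cna.affected[{i}]"))
    return errors


if __name__ == "__main__":
    print("loose :", check_affected(ISSUE_RECORD) or "valid (typo silently accepted)")
    print("strict:", check_affected(ISSUE_RECORD, strict=True))
```

Run stand-alone it prints that the loose schema accepts the record and the strict one rejects the "version" key. The same strict schema would reject the "cpe" and "collection_url" records already on the list, which is why the fix is a breaking change for existing records rather than just a schema tweak.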

Labels: bug (Something isn't working), section:affected_product (Schema location is affected or product)