SpiderLabs/cve_server

Not all CVEs are listed


Hello!

While testing your application, I ran into an interesting issue.

I tried to query the CVEs for postgresql:postgresql:9.3.10 (with: /v1/cpe_with_version/postgresql:postgresql:9.3.10).

It returned some CVEs: ["CVE-2016-5423","CVE-2016-5424","CVE-2017-12172","CVE-2017-15098","CVE-2017-7484","CVE-2017-7485","CVE-2017-7486","CVE-2017-7546","CVE-2017-7547"]

These are good, but in the JSON that the program fetched there are more CVEs for that module; you can see the remaining missing CVEs here: cvedetails.com

I checked the CVEs, and it looks like the endpoint returns a CVE where there is an exact version number under configurations->nodes->{0} (just for example)->cpe_match->{0} cpe23uri.
BUT if this node has "versionStartIncluding" : "9.3", "versionEndIncluding" : "11.2" (for example), the CVE is not returned (CVE-2019-9193). This is false, as you can see on cvedetails.com.

In MongoDB, here is an example of a good CVE:

```
{ "_id" : ObjectId("5e85cfb2aac28c4aa9e6c6de"), "id" : "CVE-2016-5424", "summary" : "PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) \" (double quote), (2) \\ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.", "cwe" : "CWE-94", "published_at" : ISODate("2016-12-09T23:59:00Z"), "updated_at" : ISODate("2018-01-05T02:31:00Z"), "cvss" : { "access_vector" : "NETWORK", "access_complexity" : "HIGH", "authentication" : "SINGLE", "confidentiality_impact" : "PARTIAL", "integrity_impact" : "PARTIAL", "availability_impact" : "PARTIAL", "base_score" : 4.6, "vector" : "AV:N/AC:H/Au:S/C:P/I:P/A:P" }, "cvssv3" : { "attack_vector" : "NETWORK", "attack_complexity" : "HIGH", "privileges_required" : "LOW", "user_interaction" : "REQUIRED", "scope" : "UNCHANGED", "confidentiality_impact" : "HIGH", "integrity_impact" : "HIGH", "availability_impact" : "HIGH", "base_score" : 7.1, "base_severity" : "HIGH", "vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, "references" : [ { "href" : "http://rhn.redhat.com/errata/RHSA-2016-1781.html" }, { "href" : "http://rhn.redhat.com/errata/RHSA-2016-1820.html" }, { "href" : "http://rhn.redhat.com/errata/RHSA-2016-1821.html" }, { "href" : "http://rhn.redhat.com/errata/RHSA-2016-2606.html" }, { "href" : "http://www.debian.org/security/2016/dsa-3646" }, { "href" : "http://www.securityfocus.com/bid/92435" }, { "href" : "http://www.securitytracker.com/id/1036617" }, { "href" : "https://access.redhat.com/errata/RHSA-2017:2425" }, { "href" : "https://security.gentoo.org/glsa/201701-33" }, { "href" : "https://www.postgresql.org/about/news/1688/" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-1-23.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-2-18.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-3-14.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-4-9.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-5-4.html" } ], "cpes_affected" : [ ], "cpes" : [ "debian:debian_linux", "postgresql:postgresql" ], "cpes_with_version" : [ "debian:debian_linux:8.0", "postgresql:postgresql", "postgresql:postgresql:9.2", "postgresql:postgresql:9.2.1", "postgresql:postgresql:9.2.2", "postgresql:postgresql:9.2.3", "postgresql:postgresql:9.2.4", "postgresql:postgresql:9.2.5", "postgresql:postgresql:9.2.6", "postgresql:postgresql:9.2.7", "postgresql:postgresql:9.2.8", "postgresql:postgresql:9.2.9", "postgresql:postgresql:9.2.10", "postgresql:postgresql:9.2.11", "postgresql:postgresql:9.2.12", "postgresql:postgresql:9.2.13", "postgresql:postgresql:9.2.14", "postgresql:postgresql:9.2.15", "postgresql:postgresql:9.2.16", "postgresql:postgresql:9.2.17", "postgresql:postgresql:9.3", "postgresql:postgresql:9.3.1", "postgresql:postgresql:9.3.2", "postgresql:postgresql:9.3.3", "postgresql:postgresql:9.3.4", "postgresql:postgresql:9.3.5", "postgresql:postgresql:9.3.6", "postgresql:postgresql:9.3.7", "postgresql:postgresql:9.3.8", "postgresql:postgresql:9.3.9", "postgresql:postgresql:9.3.10", "postgresql:postgresql:9.3.11", "postgresql:postgresql:9.3.12", "postgresql:postgresql:9.3.13", "postgresql:postgresql:9.4", "postgresql:postgresql:9.4.1", "postgresql:postgresql:9.4.2", "postgresql:postgresql:9.4.3", "postgresql:postgresql:9.4.4", "postgresql:postgresql:9.4.5", "postgresql:postgresql:9.4.6", "postgresql:postgresql:9.4.7", "postgresql:postgresql:9.4.8", "postgresql:postgresql:9.5", "postgresql:postgresql:9.5.1", "postgresql:postgresql:9.5.2", "postgresql:postgresql:9.5.3" ] }
```

And for the bad one:

```
{ "_id" : ObjectId("5e85cfb2aac28c4aa9e6cc56"), "id" : "CVE-2016-7048", "summary" : "The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5 might allow remote attackers to execute arbitrary code by leveraging use of HTTP to download software.", "cwe" : "CWE-284", "published_at" : ISODate("2018-08-20T21:29:00Z"), "updated_at" : ISODate("2018-10-12T20:12:00Z"), "cvss" : { "access_vector" : "NETWORK", "access_complexity" : "MEDIUM", "authentication" : "NONE", "confidentiality_impact" : "COMPLETE", "integrity_impact" : "COMPLETE", "availability_impact" : "COMPLETE", "base_score" : 9.3, "vector" : "AV:N/AC:M/Au:N/C:C/I:C/A:C" }, "cvssv3" : { "attack_vector" : "NETWORK", "attack_complexity" : "HIGH", "privileges_required" : "NONE", "user_interaction" : "NONE", "scope" : "UNCHANGED", "confidentiality_impact" : "HIGH", "integrity_impact" : "HIGH", "availability_impact" : "HIGH", "base_score" : 8.1, "base_severity" : "HIGH", "vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "references" : [ { "href" : "https://bugzilla.redhat.com/show_bug.cgi?id=1378043" }, { "href" : "https://www.postgresql.org/support/security/" } ], "cpes_affected" : [ ], "cpes" : [ "postgresql:postgresql" ], "cpes_with_version" : [ "postgresql:postgresql" ] }
```

Could you fix that problem? The server should watch for these versionStartIncluding and versionEndIncluding numbers.

Thank you!
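
The range handling requested in this issue, as an added example (not code from cve_server or from the issue author): it matches a queried vendor:product:version against NVD-style cpe_match entries, honouring the four version-range keys as well as exact versions. The helper names, the simplified item shape and the CVE-EXAMPLE-0001 record are assumptions constructed for illustration.

```ruby
# Range keys on an NVD cpe_match entry => comparison the queried version must pass.
# Versions are compared with Gem::Version, which ships with Ruby.
RANGE_CHECKS = {
  'versionStartIncluding' => :>=, 'versionStartExcluding' => :>,
  'versionEndIncluding'   => :<=, 'versionEndExcluding'   => :<
}.freeze

# True when one cpe_match entry covers vendor:product at the queried version.
# Assumes no escaped colons inside the CPE 2.3 fields.
def match_affects?(match, vendor, product, version)
  return false unless match['vulnerable'] && version && Gem::Version.correct?(version)
  m_vendor, m_product, m_version = match['cpe23Uri'].split(':')[3, 3]
  return false unless [m_vendor, m_product] == [vendor, product]
  bounds = RANGE_CHECKS.select { |key, _| match.key?(key) }
  # No range keys: exact version match, or "*" meaning every version.
  return m_version == '*' || m_version == version if bounds.empty?
  queried = Gem::Version.new(version)
  bounds.all? { |key, op| queried.public_send(op, Gem::Version.new(match[key])) }
end

# All cpe_match entries under a configuration node, nested children included.
def node_matches(node)
  (node['cpe_match'] || []) + (node['children'] || []).flat_map { |c| node_matches(c) }
end

# IDs of the items whose configurations cover "vendor:product:version".
def affected_cve_ids(items, cpe_with_version)
  vendor, product, version = cpe_with_version.split(':', 3)
  hits = items.select do |item|
    item['configurations']['nodes'].flat_map { |n| node_matches(n) }
                                   .any? { |m| match_affects?(m, vendor, product, version) }
  end
  hits.map { |item| item['id'] }
end

# Constructed sample feed, trimmed to the fields used above.
PG = 'cpe:2.3:a:postgresql:postgresql'
def item(id, match)
  { 'id' => id, 'configurations' => { 'nodes' => [{ 'cpe_match' => [match.merge('vulnerable' => true)] }] } }
end
SAMPLE = [
  item('CVE-2016-5424', 'cpe23Uri' => "#{PG}:9.3.10:*:*:*:*:*:*:*"),
  item('CVE-2019-9193', 'cpe23Uri' => "#{PG}:*:*:*:*:*:*:*:*",
                        'versionStartIncluding' => '9.3', 'versionEndIncluding' => '11.2'),
  item('CVE-EXAMPLE-0001', 'cpe23Uri' => "#{PG}:*:*:*:*:*:*:*:*",
                           'versionStartIncluding' => '10.0', 'versionEndExcluding' => '10.5')
].freeze

puts affected_cve_ids(SAMPLE, 'postgresql:postgresql:9.3.10').inspect
```

Expanding each range into a stored list of versions, as cpes_with_version does for exact matches, would miss releases published after the import; evaluating the bounds at query time avoids that.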