CPEs are not visible #88
Comments
I apologize for the delay in replying. This is my import JSON of CVE-2021-23988:

```json
{
  "cve": {
    "data_type": "CVE",
    "data_format": "MITRE",
    "data_version": "4.0",
    "CVE_data_meta": {
      "ID": "CVE-2021-23988",
      "ASSIGNER": "[email protected]"
    },
    "problemtype": {
      "problemtype_data": [
        {
          "description": [
            {
              "lang": "en",
              "value": "CWE-119"
            }
          ]
        }
      ]
    },
    "references": {
      "reference_data": [
        {
          "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1684994%2C1686653",
          "name": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1684994%2C1686653",
          "refsource": "MISC",
          "tags": [
            "Issue Tracking",
            "Vendor Advisory"
          ]
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2021-10/",
          "name": "https://www.mozilla.org/security/advisories/mfsa2021-10/",
          "refsource": "MISC",
          "tags": [
            "Vendor Advisory",
            "Vendor Advisory"
          ]
        },
        {
          "url": "https://security.gentoo.org/glsa/202104-10",
          "name": "GLSA-202104-10",
          "refsource": "GENTOO",
          "tags": [
            "Third Party Advisory",
            "Third Party Advisory"
          ]
        }
      ]
    },
    "description": {
      "description_data": [
        {
          "lang": "en",
          "value": "Mozilla developers reported memory safety bugs present in Firefox 86. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 87."
        }
      ]
    }
  },
  "configurations": {
    "CVE_data_version": "4.0",
    "nodes": [
      {
        "operator": "OR",
        "children": [],
        "cpe_match": [
          {
            "vulnerable": true,
            "cpe23Uri": "cpe:",
            "versionEndExcluding": "87.0",
            "cpe_name": []
          }
        ]
      }
    ]
  },
  "impact": {
    "baseMetricV3": {
      "cvssV3": {
        "version": "3.1",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "attackVector": "NETWORK",
        "attackComplexity": "LOW",
        "privilegesRequired": "NONE",
        "userInteraction": "REQUIRED",
        "scope": "UNCHANGED",
        "confidentialityImpact": "HIGH",
        "integrityImpact": "HIGH",
        "availabilityImpact": "HIGH",
        "baseScore": 8.8,
        "baseSeverity": "HIGH"
      },
      "exploitabilityScore": 2.8,
      "impactScore": 5.9
    },
    "baseMetricV2": {
      "cvssV2": {
        "version": "2.0",
        "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
        "accessVector": "NETWORK",
        "accessComplexity": "MEDIUM",
        "authentication": "NONE",
        "confidentialityImpact": "PARTIAL",
        "integrityImpact": "PARTIAL",
        "availabilityImpact": "PARTIAL",
        "baseScore": 6.8
      },
      "severity": "MEDIUM",
      "exploitabilityScore": 8.6,
      "impactScore": 6.4,
      "acInsufInfo": false,
      "obtainAllPrivilege": false,
      "obtainUserPrivilege": false,
      "obtainOtherPrivilege": false,
      "userInteractionRequired": true
    }
  },
  "publishedDate": "2021-03-31T14:15Z",
  "lastModifiedDate": "2021-06-02T14:48Z"
}
```

PatrowlHears is used with all default settings.
Marius-Patrowl added a commit that referenced this issue Jan 14, 2022
Some CPEs are not visible within the Patrowl dashboard (e.g. CVE-2021-23988).
By checking the import log there are no CPEs, but Patrowl still manages to categorize the CVE through "vendor: technology" (as if it were aware of the CPE).
By searching for the CVE on the NIST website, the information relating to the CPEs is correctly visible.
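
Added example (not part of the original issue or of PatrowlHears' code): a pre-import check that flags `cpe_match` entries whose `cpe23Uri` is not shaped like a CPE 2.3 string, such as the truncated `"cpe:"` value in the import JSON on this page. The function names and the sample record are constructed for illustration, and the check covers prefix, field count and part only, not full CPE validity.

```python
import re

# CPE 2.3 formatted string: "cpe", "2.3", then 11 attributes (part, vendor,
# product, version, ...), separated by unescaped colons: 13 fields in all.
CPE23_FIELDS = 13
UNESCAPED_COLON = re.compile(r"(?<!\\):")

def cpe23_problem(uri):
    """Return None if uri has the CPE 2.3 shape, else a short reason."""
    if not isinstance(uri, str) or not uri.startswith("cpe:2.3:"):
        return "missing 'cpe:2.3:' prefix"
    fields = UNESCAPED_COLON.split(uri)
    if len(fields) != CPE23_FIELDS:
        return f"{len(fields)} fields, expected {CPE23_FIELDS}"
    if fields[2] not in ("a", "o", "h", "*", "-"):
        return f"invalid part {fields[2]!r}"
    if any(f == "" for f in fields):
        return "empty attribute"
    return None

def find_bad_cpe_matches(record):
    """Walk configurations.nodes (children included) and list bad matches."""
    cve_id = record["cve"]["CVE_data_meta"]["ID"]
    findings = []
    stack = list(record.get("configurations", {}).get("nodes", []))
    while stack:
        node = stack.pop()
        stack.extend(node.get("children", []))
        for match in node.get("cpe_match", []):
            reason = cpe23_problem(match.get("cpe23Uri"))
            if reason:
                findings.append((cve_id, match.get("cpe23Uri"), reason))
    return findings

# Constructed sample: the first match mirrors the truncated value in the
# import JSON above; the second is a made-up well-formed CPE for contrast.
SAMPLE = {
    "cve": {"CVE_data_meta": {"ID": "CVE-2021-23988"}},
    "configurations": {"nodes": [{
        "children": [],
        "cpe_match": [
            {"vulnerable": True, "cpe23Uri": "cpe:", "versionEndExcluding": "87.0"},
            {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:example_vendor:example_product:*:*:*:*:*:*:*:*"},
        ],
    }]},
}

if __name__ == "__main__":
    for cve, uri, reason in find_bad_cpe_matches(SAMPLE):
        print(f"{cve}: cpe23Uri={uri!r} rejected ({reason})")
```

Running such a check over a feed before import separates records that arrived without usable CPE data from ones the dashboard fails to display.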