Not all CVE is listed #86

Open
DonTihi opened this issue Apr 2, 2020 · 0 comments

Hello!

While testing your application I came across an interesting issue.

I tried to query the CVEs for postgresql:postgresql:9.3.10 (with: /v1/cpe_with_version/postgresql:postgresql:9.3.10).

And it returned some CVEs: ["CVE-2016-5423","CVE-2016-5424","CVE-2017-12172","CVE-2017-15098","CVE-2017-7484","CVE-2017-7485","CVE-2017-7486","CVE-2017-7546","CVE-2017-7547"]

These are good, but in the JSON that the program fetched there are more CVEs for that module, and here you can see the remaining missing CVEs: cvedetails.com

I checked the CVEs and it looks like, where there is an exact version number under configurations->nodes->{0} (just for example)->cpe_match->{0} cpe23uri, the endpoint returns it.
BUT if in this node there is a "versionStartIncluding" : "9.3", "versionEndIncluding" : "11.2" (for example), this CVE is not returned (CVE-2019-9193). This is false, you can see this on cvedetails.com

In MongoDB, here is an example of the good CVE:
{ "_id" : ObjectId("5e85cfb2aac28c4aa9e6c6de"), "id" : "CVE-2016-5424", "summary" : "PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) \" (double quote), (2) \\ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.", "cwe" : "CWE-94", "published_at" : ISODate("2016-12-09T23:59:00Z"), "updated_at" : ISODate("2018-01-05T02:31:00Z"), "cvss" : { "access_vector" : "NETWORK", "access_complexity" : "HIGH", "authentication" : "SINGLE", "confidentiality_impact" : "PARTIAL", "integrity_impact" : "PARTIAL", "availability_impact" : "PARTIAL", "base_score" : 4.6, "vector" : "AV:N/AC:H/Au:S/C:P/I:P/A:P" }, "cvssv3" : { "attack_vector" : "NETWORK", "attack_complexity" : "HIGH", "privileges_required" : "LOW", "user_interaction" : "REQUIRED", "scope" : "UNCHANGED", "confidentiality_impact" : "HIGH", "integrity_impact" : "HIGH", "availability_impact" : "HIGH", "base_score" : 7.1, "base_severity" : "HIGH", "vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H" }, "references" : [ { "href" : "http://rhn.redhat.com/errata/RHSA-2016-1781.html" }, { "href" : "http://rhn.redhat.com/errata/RHSA-2016-1820.html" }, { "href" : "http://rhn.redhat.com/errata/RHSA-2016-1821.html" }, { "href" : "http://rhn.redhat.com/errata/RHSA-2016-2606.html" }, { "href" : "http://www.debian.org/security/2016/dsa-3646" }, { "href" : "http://www.securityfocus.com/bid/92435" }, { "href" : "http://www.securitytracker.com/id/1036617" }, { "href" : "https://access.redhat.com/errata/RHSA-2017:2425" }, { "href" : "https://security.gentoo.org/glsa/201701-33" }, { "href" : "https://www.postgresql.org/about/news/1688/" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-1-23.html" }, { "href" : 
"https://www.postgresql.org/docs/current/static/release-9-2-18.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-3-14.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-4-9.html" }, { "href" : "https://www.postgresql.org/docs/current/static/release-9-5-4.html" } ], "cpes_affected" : [ ], "cpes" : [ "debian:debian_linux", "postgresql:postgresql" ], "cpes_with_version" : [ "debian:debian_linux:8.0", "postgresql:postgresql", "postgresql:postgresql:9.2", "postgresql:postgresql:9.2.1", "postgresql:postgresql:9.2.2", "postgresql:postgresql:9.2.3", "postgresql:postgresql:9.2.4", "postgresql:postgresql:9.2.5", "postgresql:postgresql:9.2.6", "postgresql:postgresql:9.2.7", "postgresql:postgresql:9.2.8", "postgresql:postgresql:9.2.9", "postgresql:postgresql:9.2.10", "postgresql:postgresql:9.2.11", "postgresql:postgresql:9.2.12", "postgresql:postgresql:9.2.13", "postgresql:postgresql:9.2.14", "postgresql:postgresql:9.2.15", "postgresql:postgresql:9.2.16", "postgresql:postgresql:9.2.17", "postgresql:postgresql:9.3", "postgresql:postgresql:9.3.1", "postgresql:postgresql:9.3.2", "postgresql:postgresql:9.3.3", "postgresql:postgresql:9.3.4", "postgresql:postgresql:9.3.5", "postgresql:postgresql:9.3.6", "postgresql:postgresql:9.3.7", "postgresql:postgresql:9.3.8", "postgresql:postgresql:9.3.9", "postgresql:postgresql:9.3.10", "postgresql:postgresql:9.3.11", "postgresql:postgresql:9.3.12", "postgresql:postgresql:9.3.13", "postgresql:postgresql:9.4", "postgresql:postgresql:9.4.1", "postgresql:postgresql:9.4.2", "postgresql:postgresql:9.4.3", "postgresql:postgresql:9.4.4", "postgresql:postgresql:9.4.5", "postgresql:postgresql:9.4.6", "postgresql:postgresql:9.4.7", "postgresql:postgresql:9.4.8", "postgresql:postgresql:9.5", "postgresql:postgresql:9.5.1", "postgresql:postgresql:9.5.2", "postgresql:postgresql:9.5.3" ] }

And for the bad one:
{ "_id" : ObjectId("5e85cfb2aac28c4aa9e6cc56"), "id" : "CVE-2016-7048", "summary" : "The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5 might allow remote attackers to execute arbitrary code by leveraging use of HTTP to download software.", "cwe" : "CWE-284", "published_at" : ISODate("2018-08-20T21:29:00Z"), "updated_at" : ISODate("2018-10-12T20:12:00Z"), "cvss" : { "access_vector" : "NETWORK", "access_complexity" : "MEDIUM", "authentication" : "NONE", "confidentiality_impact" : "COMPLETE", "integrity_impact" : "COMPLETE", "availability_impact" : "COMPLETE", "base_score" : 9.3, "vector" : "AV:N/AC:M/Au:N/C:C/I:C/A:C" }, "cvssv3" : { "attack_vector" : "NETWORK", "attack_complexity" : "HIGH", "privileges_required" : "NONE", "user_interaction" : "NONE", "scope" : "UNCHANGED", "confidentiality_impact" : "HIGH", "integrity_impact" : "HIGH", "availability_impact" : "HIGH", "base_score" : 8.1, "base_severity" : "HIGH", "vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "references" : [ { "href" : "https://bugzilla.redhat.com/show_bug.cgi?id=1378043" }, { "href" : "https://www.postgresql.org/support/security/" } ], "cpes_affected" : [ ], "cpes" : [ "postgresql:postgresql" ], "cpes_with_version" : [ "postgresql:postgresql" ] }

Could you fix that problem? The server should watch for these versionStartIncluding and versionEndIncluding numbers.

Thank you!
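
The range check the issue asks for, as an added example (not part of the original post and not this project's code). It assumes the NVD JSON feed field names `cpe23Uri`, `vulnerable` and the four `versionStart*`/`versionEnd*` keys; the function names and `RANGE_ITEM` are hypothetical, and the sample record is constructed from the range quoted above.

```python
import re

def version_key(version):
    # Numeric segments compare as integers, other segments as text.
    key = [(0, int(p), "") if p.isdigit() else (1, 0, p)
           for p in re.split(r"[.\-_]", version)]
    while key and key[-1] == (0, 0, ""):   # treat 9.3.0 the same as 9.3
        key.pop()
    return key

def in_range(version, match):
    v = version_key(version)
    bounds = (("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b))
    return all(ok(version_key(match[k])) for k, ok in bounds if k in match)

def cpe_matches(query, match):
    # query: "vendor:product:version"; cpe23Uri: "cpe:2.3:part:vendor:product:version:..."
    vendor, product, version = query.split(":")
    fields = match["cpe23Uri"].split(":")  # simplification: ignores escaped ":"
    if fields[3:5] != [vendor, product] or not match.get("vulnerable", True):
        return False
    if fields[5] != "*":
        return fields[5] == version        # exact version listed in the URI
    return in_range(version, match)        # wildcard: the range fields decide

def affected(query, cve_item):
    # Simplification: any vulnerable match counts; AND/OR operators are ignored.
    stack = list(cve_item["configurations"]["nodes"])
    while stack:
        node = stack.pop()
        stack.extend(node.get("children", []))
        if any(cpe_matches(query, m) for m in node.get("cpe_match", [])):
            return True
    return False

# Constructed sample in the NVD JSON feed layout, using the range quoted in the issue.
RANGE_ITEM = {"configurations": {"nodes": [{"operator": "OR", "cpe_match": [
    {"vulnerable": True,
     "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "9.3", "versionEndIncluding": "11.2"}]}]}}

if __name__ == "__main__":
    for q in ("postgresql:postgresql:9.3.10", "postgresql:postgresql:11.3"):
        print(q, affected(q, RANGE_ITEM))
```

An importer that only expands exact `cpe23Uri` versions into `cpes_with_version` would store just `postgresql:postgresql` for such a record, which is what the second MongoDB document shows.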
