the published CVE does not have the info about affected versions. #2986
Reference: sheetjs/sheetjs#2986
The advisory on https://cdn.sheetjs.com/advisories/CVE-2023-30533 mentions the affected version.
However, the advisory in the CVE database does not: https://www.cve.org/CVERecord?id=CVE-2023-30533
As this CVE database is used by many auditing tools, it would be great if you could update the published CVE to be accurate.
The "affected versions" details were provided to MITRE in the original report. The website mentions the versions in the description (see the selected line in the screenshot):
It's unclear how the "Product Status" information is supplied. For example, the NVD website https://nvd.nist.gov/vuln/detail/CVE-2023-30533#range-9121715 lists the affected versions in the "Known Affected Software Configurations" table. You may need to expand the table. https://nvd.nist.gov/vuln/detail/CVE-2023-30533#range-9121715
We have reached out to MITRE asking about the missing details and linked to this issue.
If third-party auditing tools need additional metadata, please reach out to the respective vendors and ask them to reach out to us (ask them to reply to this issue or email security@sheetjs.com).
Received a reply from MITRE, the organization that runs cve.org:
It seems that MITRE itself does not use the feature in question, which means we will be unable to update the information.
The best guess is that NVD uses information from the description to identify versions.
As the deficiency affects every CVE where the assigner is MITRE, third party security tooling should parse the descriptions to find affected version information.
Please pass this message along to any relevant vendors.
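The workaround the reply recommends, reading affected versions out of the description when a MITRE-assigned record carries no structured "Product Status" data, looks like the following in tooling. This is an added illustration, not code from SheetJS, MITRE or NVD. It assumes the CVE JSON 5.0 record layout (`containers.cna.affected[].versions[]` with `lessThan`/`lessThanOrEqual`/`version` fields, and `containers.cna.descriptions[]`), uses a constructed sample record and a constructed description rather than the real CVE-2023-30533 text, and only recognises the handful of phrasings ("before", "prior to", "through", "and earlier") that the regexes list.

```python
import re
from typing import Any

# Constructed sample in the CVE JSON 5.0 layout (layout assumed, record and
# description invented): the CNA container has a description but an empty
# "versions" list, which is the gap this issue describes.
SAMPLE_RECORD: dict[str, Any] = {
    "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "affected": [
                {"vendor": "Example Vendor", "product": "Example Library", "versions": []}
            ],
            "descriptions": [
                {
                    "lang": "en",
                    "value": "Example Library before 1.19.3 allows prototype "
                             "pollution via a crafted file.",
                }
            ],
        }
    },
}

# Version bound phrasings commonly seen in CVE descriptions, mapped to the
# comparison they imply. Each regex captures the version as group "v".
_VERSION = r"(?P<v>\d+(?:\.\d+)*)"
_PATTERNS: list[tuple[re.Pattern[str], str]] = [
    (re.compile(r"\b(?:before|prior to)\s+" + _VERSION, re.I), "<"),
    (re.compile(r"\b(?:through|up to and including)\s+" + _VERSION, re.I), "<="),
    (re.compile(_VERSION + r"\s+and\s+(?:earlier|prior)\b", re.I), "<="),
]


def versions_from_record(record: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (operator, bound) pairs from the structured 'affected' data, if any."""
    ranges: list[tuple[str, str]] = []
    for entry in record.get("containers", {}).get("cna", {}).get("affected", []):
        for ver in entry.get("versions", []):
            if ver.get("status") != "affected":
                continue
            if "lessThan" in ver:
                ranges.append(("<", ver["lessThan"]))
            elif "lessThanOrEqual" in ver:
                ranges.append(("<=", ver["lessThanOrEqual"]))
            elif "version" in ver:
                ranges.append(("==", ver["version"]))
    return ranges


def versions_from_description(text: str) -> list[tuple[str, str]]:
    """Fallback: recover version bounds from the free-text description."""
    found: list[tuple[str, str]] = []
    for pattern, op in _PATTERNS:
        for match in pattern.finditer(text):
            found.append((op, match.group("v")))
    return found


def affected_versions(record: dict[str, Any]) -> tuple[list[tuple[str, str]], str]:
    """Prefer structured data; fall back to the English description.

    Returns the ranges and a tag saying which source produced them, so an
    auditing tool can flag description-derived results as lower confidence.
    """
    structured = versions_from_record(record)
    if structured:
        return structured, "affected"
    descriptions = record.get("containers", {}).get("cna", {}).get("descriptions", [])
    english = next(
        (d["value"] for d in descriptions if d.get("lang", "").lower().startswith("en")),
        "",
    )
    return versions_from_description(english), "description"


def _key(version: str) -> tuple[int, ...]:
    """Numeric tuple so that 1.19.10 sorts after 1.19.3."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, ranges: list[tuple[str, str]]) -> bool:
    """True if the installed version falls inside any recovered range."""
    iv = _key(installed)
    for op, bound in ranges:
        bk = _key(bound)
        if (op == "<" and iv < bk) or (op == "<=" and iv <= bk) or (op == "==" and iv == bk):
            return True
    return False


if __name__ == "__main__":
    ranges, source = affected_versions(SAMPLE_RECORD)
    print(f"ranges={ranges} source={source}")
    for v in ("1.19.2", "1.19.3"):
        print(v, "affected" if is_affected(v, ranges) else "not affected")
```

The source tag matters in practice: a bound pulled from prose by regex should be reported to the user as an inference from the description, and the regex list has to be extended whenever a CNA's wording differs from the phrasings above.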