the published CVE does not have the info about affected versions. #2986

Closed
opened 2023-09-06 13:32:52 +00:00 by stof · 2 comments

The advisory on https://cdn.sheetjs.com/advisories/CVE-2023-30533 mentions the affected version.

However, the advisory in the CVE database does not: https://www.cve.org/CVERecord?id=CVE-2023-30533

As this CVE database is used by many auditing tools, it would be great if you could update the published CVE to be accurate.

Owner

The "affected versions" details were provided to MITRE in the original report. The website mentions the versions in the description (see the selected line in the screenshot):

> **SheetJS Community Edition before 0.19.3** allows Prototype Pollution via a crafted file.

![cve-org.png](/attachments/3b8c8b92-b8cc-490d-bfa9-5dca1d019267)

It's unclear how the "Product Status" information is supplied. For example, the NVD website https://nvd.nist.gov/vuln/detail/CVE-2023-30533#range-9121715 lists the affected versions in the "Known Affected Software Configurations" table. You may need to expand the table. https://nvd.nist.gov/vuln/detail/CVE-2023-30533#range-9121715

![nvd-nist-gov.png](/attachments/39066083-8205-40bd-8423-0281d239a090)

We have reached out to MITRE asking about the missing details and linked to this issue.

If third-party auditing tools need additional metadata, please reach out to the respective vendors and ask them to reach out to us (ask them to reply to this issue or email security@sheetjs.com).

Owner

Received a reply from MITRE, the organization that runs cve.org:

> Entering data for the Product Status table is optional at this time. It typically varies according to the organization named in the Assigner field. **When the organization named in the Assigner field is MITRE**, or some of the other organizations that have not opted into the Product Status table feature, **it will always appear blank**. We will not be entering anything into the Product Status table for CVE-2023-30533. At a future time, it is possible that more, or perhaps all, organizations will opt into the Product Status table feature.

It seems that MITRE itself does not use the feature in question, which means we will be unable to update the information.

The best guess is that NVD uses information from the description to identify versions.

As the deficiency affects every CVE where the assigner is MITRE, third-party security tooling *should* parse the descriptions to find affected version information.

Please pass this message along to any relevant vendors.

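As an added example (not code from this issue or from the SheetJS project), the approach the owner's comment recommends for auditing tools: extract the affected range from the wording of the CVE description and test an installed version against it. The "before X" phrasing is the one in CVE-2023-30533; the "through X" and "X and earlier" phrasings are assumptions about other common MITRE wording.

```javascript
// Added example, not SheetJS project code: parse affected-version phrases
// out of a CVE description and check an installed version against them.
// The description text below is the one quoted in the issue.
const DESCRIPTION =
  "SheetJS Community Edition before 0.19.3 allows Prototype Pollution via a crafted file.";

// Parse a dotted numeric version into integers, e.g. "0.19.3" -> [0, 19, 3].
function parseVersion(v) {
  return v.split(".").map((n) => parseInt(n, 10));
}

// Compare two parsed versions: negative if a < b, zero if equal, positive if a > b.
// Missing trailing components are treated as 0, so "2.1" equals "2.1.0".
function compareVersions(a, b) {
  const len = Math.max(a.length, b.length);
  for (let i = 0; i < len; i++) {
    const diff = (a[i] || 0) - (b[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Return { product, before } for "<product> before X" (exclusive bound) or
// { product, through } for "<product> through X" / "<product> X and earlier"
// (inclusive bound); null when no recognisable version phrase is present.
// The "through"/"and earlier" forms are assumed phrasings, not from the issue.
function extractAffectedRange(description) {
  const ver = "(\\d+(?:\\.\\d+)+)";
  let m = description.match(new RegExp(`^(.+?) before ${ver}\\b`));
  if (m) return { product: m[1].trim(), before: m[2] };
  m = description.match(new RegExp(`^(.+?) (?:through|up to(?: and including)?) ${ver}\\b`));
  if (m) return { product: m[1].trim(), through: m[2] };
  m = description.match(new RegExp(`^(.+?) ${ver} and (?:earlier|prior)\\b`));
  if (m) return { product: m[1].trim(), through: m[2] };
  return null;
}

// True if `installed` falls inside the extracted range, false if it does not,
// null if the description carried no version phrase (status unknown, not "safe").
function isAffected(description, installed) {
  const range = extractAffectedRange(description);
  if (!range) return null;
  const bound = parseVersion(range.before || range.through);
  const cmp = compareVersions(parseVersion(installed), bound);
  return range.before ? cmp < 0 : cmp <= 0;
}

console.log(extractAffectedRange(DESCRIPTION)); // { product: 'SheetJS Community Edition', before: '0.19.3' }
console.log(isAffected(DESCRIPTION, "0.19.2"), isAffected(DESCRIPTION, "0.19.3")); // true false
```

A null result should be surfaced to the operator as "version range unknown" rather than silently treated as not affected.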
Reference: sheetjs/sheetjs#2986