
No CPE for 3.0.11 and 3.0.12 #3083

Open
frankvanbever opened this issue Feb 14, 2024 · 4 comments
Labels
2.x Related to ModSecurity version 2.x 3.x Related to ModSecurity version 3.x


@frankvanbever
Contributor

I am the package maintainer of ModSecurity in Buildroot. Buildroot has automated tracking of CVEs which it does by checking the CPE for the corresponding release. It seems that for both 3.0.11 and 3.0.12 no CPE was registered. The newest CPE I can find in the NIST database is `cpe:2.3:a:trustwave:modsecurity:3.0.10:*:*:*:*:*:*:*`
This has effectively broken the CVE reporting infrastructure for ModSecurity in Buildroot, causing us to miss CVE-2024-1019.

Will the creation of CPEs resume in the future for future versions or will this be deprecated?
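The gap described above (a distribution's CVE tracking keyed on CPE names silently skips releases that have no CPE) can be detected mechanically. The script below is an added example, not Buildroot's or ModSecurity's own code: it parses CPE 2.3 formatted strings (respecting backslash-escaped colons), maps them to versions, and reports which packaged releases have no CPE at all. The release list and the CPE list are constructed sample data (the `other_product` entry is fictitious and only shows the product filter); a real check would fetch the product's CPEs from the NVD CPE API 2.0 with the `cpeMatchString` parameter, for which `nvd_cpe_query_url` builds the URL.

```python
"""Report releases that no CPE covers, so CPE-driven CVE matching cannot
reach them (added example; not Buildroot's or ModSecurity's code)."""
import re
from urllib.parse import quote

# Constructed sample data: versions a distribution packages, and the CPE
# names it found for the product. 3.0.11 and 3.0.12 deliberately have none.
RELEASES = ["3.0.10", "3.0.11", "3.0.12"]
KNOWN_CPES = [
    "cpe:2.3:a:trustwave:modsecurity:3.0.10:*:*:*:*:*:*:*",
    # fictitious unrelated product, present only to exercise the filter
    "cpe:2.3:a:trustwave:other_product:3.0.11:*:*:*:*:*:*:*",
]

# The 11 attributes that follow the "cpe:2.3:" prefix in a formatted string.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe23(cpe):
    """Split a CPE 2.3 formatted string into a dict of its 11 attributes.

    A colon escaped as '\\:' is part of the value, so a plain str.split(':')
    would produce the wrong field count; split only on unescaped colons.
    """
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    fields = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(fields) != len(CPE23_FIELDS):
        raise ValueError("expected %d attributes, got %d in %r"
                         % (len(CPE23_FIELDS), len(fields), cpe))
    # Drop the backslash escapes once the fields are separated.
    values = (re.sub(r"\\(.)", r"\1", f) for f in fields)
    return dict(zip(CPE23_FIELDS, values))


def cpe_versions(cpes, vendor=None, product=None):
    """Map version -> CPE name for entries matching vendor/product (None = any).

    Leaving vendor as None matters when the vendor attribute changes, as the
    issue notes may happen after a project transfer."""
    out = {}
    for name in cpes:
        attrs = split_cpe23(name)
        if vendor is not None and attrs["vendor"] != vendor:
            continue
        if product is not None and attrs["product"] != product:
            continue
        out[attrs["version"]] = name
    return out


def releases_without_cpe(releases, cpes, vendor=None, product=None):
    """Return the releases for which no CPE exists.

    A CPE whose version is '*' (ANY) covers every release; otherwise a
    release is covered only by an exact version match."""
    covered = cpe_versions(cpes, vendor, product)
    if "*" in covered:
        return []
    return [r for r in releases if r not in covered]


def nvd_cpe_query_url(cpe_match_string):
    """URL for the NVD CPE API 2.0 lookup of a (possibly wildcarded) CPE name."""
    base = "https://services.nvd.nist.gov/rest/json/cpes/2.0?cpeMatchString="
    return base + quote(cpe_match_string, safe="")


if __name__ == "__main__":
    missing = releases_without_cpe(RELEASES, KNOWN_CPES, product="modsecurity")
    for version in missing:
        print("no CPE for release %s; CVE matching will skip it" % version)
    print("lookup:", nvd_cpe_query_url("cpe:2.3:a:*:modsecurity:*:*:*:*:*:*:*:*"))
```

Run against the sample data, it reports 3.0.11 and 3.0.12 as uncovered, which is exactly the condition that caused CVE-2024-1019 to be missed. Filtering on product only, rather than vendor and product, keeps the check working if the vendor attribute moves from `trustwave` to a new name.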

@airween
Member

airween commented Feb 14, 2024

Hi @frankvanbever,

thanks for reporting this, I think it's a very important issue.

Actually I haven't heard about this registration possibility, but now I'm going to check how it works.

I think on behalf of the team I can say we definitely want to continue maintaining the NIST database.

I need some time to review the registration process (e.g. the vendor has changed meanwhile).

Thanks again.

arnout pushed a commit to buildroot/buildroot that referenced this issue Feb 21, 2024
The project has been transferred from Trustwave (SpiderLabs) to OWASP, hence the
change in URLs. The upstream CPE vendor ID will likely also change in the future
but the upstream is still working on this [1].

- Fixes:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1019

[1] owasp-modsecurity/ModSecurity#3083

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
@airween airween added 2.x Related to ModSecurity version 2.x 3.x Related to ModSecurity version 3.x labels Feb 29, 2024
@airween
Member

airween commented Mar 1, 2024

Just for the record: I contacted NIST about this issue.

@dune73
Member

dune73 commented Mar 1, 2024

Thank you

@airween
Member

airween commented Mar 6, 2024

NIST responded, they have created the two CPEs:

CVE-2023-38385

CVE-2024-1019

Please check those above; if you think everything is fine, feel free to close the issue here.

arnout pushed a commit to buildroot/buildroot that referenced this issue Mar 16, 2024
The project has been transferred from Trustwave (SpiderLabs) to OWASP, hence the
change in URLs. The upstream CPE vendor ID will likely also change in the future
but the upstream is still working on this [1].

- Fixes:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1019

[1] owasp-modsecurity/ModSecurity#3083

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d4b065e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
arnout pushed a commit to buildroot/buildroot that referenced this issue Mar 16, 2024
The project has been transferred from Trustwave (SpiderLabs) to OWASP, hence the
change in URLs. The upstream CPE vendor ID will likely also change in the future
but the upstream is still working on this [1].

- Fixes:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1019

[1] owasp-modsecurity/ModSecurity#3083

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d4b065e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>