New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No CPE for 3.0.11 and 3.0.12 #3083
Comments
Hi @frankvanbever, thanks for reporting this, I think it's very important issue. Actually I haven't heard about this registration possibility, but now I'm going to check how does it work. I think on behalf of the team I can say we definitely want to continue maintaining of the NIST database. I need some time to review the registration process (eg. the vendor has changed meanwhile). Thanks again. |
The project has been transferred from Trustwave (SpiderLabs) to OWASP, hence the change in URLs. The upstream CPE vendor ID will likely also change in the future but the upstream is still working on this [1]. - Fixes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1019 [1] owasp-modsecurity/ModSecurity#3083 Signed-off-by: Frank Vanbever <frank.vanbever@mind.be> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Just for the record: I contacted with NIST about this issue. |
Thank you |
NIST responded, they has created the two CPE's: Please check those above, if you think everything is fine, feel free to close the issue here. |
The project has been transferred from Trustwave (SpiderLabs) to OWASP, hence the change in URLs. The upstream CPE vendor ID will likely also change in the future but the upstream is still working on this [1]. - Fixes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1019 [1] owasp-modsecurity/ModSecurity#3083 Signed-off-by: Frank Vanbever <frank.vanbever@mind.be> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit d4b065e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The project has been transferred from Trustwave (SpiderLabs) to OWASP, hence the change in URLs. The upstream CPE vendor ID will likely also change in the future but the upstream is still working on this [1]. - Fixes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1019 [1] owasp-modsecurity/ModSecurity#3083 Signed-off-by: Frank Vanbever <frank.vanbever@mind.be> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> (cherry picked from commit d4b065e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
I am the package maintainer of ModSecurity in Buildroot. Buildroot has automated tracking of CVEs which it does by checking the CPE for the corresponding release. It seems that for both 3.0.11 and 3.0.12 no CPE was registered. The newest CPE I can find in the NIST database is cpe:2.3:a:trustwave:modsecurity:3.0.10:::::::*
This has effectively broken the CVE reporting infrastructure for ModSecurity in Buildroot, causing us to miss CVE-2024-1019.
Will the creation of CPEs resume in the future for future versions or will this be deprecated?
The text was updated successfully, but these errors were encountered: