Skip to content

Missing vulnerable_configurations on some some CVEs #271

Description

@maxime-huyghe

Hello again,
upon updating our cve-search instance from v4 to v5, and repopulating the database, we noticed that a few thousand CPEs had gone missing from the cve-search API's /cvefor/ route due to missing vulnerable_configurations on these CVEs.

Looking at core/database_maintenance/sources_process.py l.555-600, we found that the affected CVEs were those with a version range in their NVD criteria but no matching CPEs. One such example is CVE-1999-0176 (https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-1999-0176).
This behavior is inconsistent with CVEs that have no version range (e.g. CVE-1999-0196), which still have a fallback when CPE-less in version 5, and thus still have their vulnerable_configuration and are still found by cve-search.

I've got a patch ready that restores the old behavior and adds the fallback to CVEs with versions ranges. This is not ideal but would fix this regression in the meantime.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions