cve-portal
vulnerable configurations miss the "and previous versions" information
For example, for CVE-2015-4491, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4491 says:
Vulnerable software and versions
+ Configuration 1
  * AND
    * OR
      * cpe:/a:gnome:gdk-pixbuf:2.31.4 and previous versions
    * OR
      * cpe:/a:mozilla:firefox_esr:38.0
      * cpe:/a:mozilla:firefox_esr:38.0.1
      * cpe:/a:mozilla:firefox_esr:38.0.5
      * cpe:/a:mozilla:firefox_esr:38.1.0
      * cpe:/a:mozilla:firefox:39.0.3 and previous versions
      * cpe:/o:linux:linux_kernel
      * cpe:/a:google:chrome:-
+ Configuration 2
  * OR
    * cpe:/o:fedoraproject:fedora:21
    * cpe:/o:fedoraproject:fedora:22
    * cpe:/o:novell:opensuse:13.1
    * cpe:/o:novell:opensuse:13.2
    * cpe:/o:canonical:ubuntu_linux:12.04::~~lts~~~
    * cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
    * cpe:/o:canonical:ubuntu_linux:15.04
while curl http://cve.circl.lu/api/cve/CVE-2015-4491 returns:
"vulnerable_configuration_cpe_2_2": [
"cpe:/a:gnome:gdk-pixbuf:2.31.4",
"cpe:/a:mozilla:firefox_esr:38.0",
"cpe:/a:mozilla:firefox_esr:38.0.1",
"cpe:/a:mozilla:firefox_esr:38.0.5",
"cpe:/a:mozilla:firefox_esr:38.1.0",
"cpe:/a:mozilla:firefox:39.0.3",
"cpe:/o:linux:linux_kernel",
"cpe:/a:google:chrome:-",
"cpe:/o:fedoraproject:fedora:21",
"cpe:/o:fedoraproject:fedora:22",
"cpe:/o:novell:opensuse:13.1",
"cpe:/o:novell:opensuse:13.2",
"cpe:/o:canonical:ubuntu_linux:12.04::~~lts~~~",
"cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~",
"cpe:/o:canonical:ubuntu_linux:15.04"
]
(example shows cpe 2.2 but 2.3 isn't better)
It is impossible to know that all Firefox versions prior to 39.0.3 are vulnerable ("cpe:/a:mozilla:firefox:39.0.3 and previous versions" on NVD) with your current encoding.
Best regards,
Cyrille
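
An added example, not part of the original issue or of the cve-portal code: it shows the false negative a consumer gets when matching an installed version against the flat CPE list, compared with a match that still carries the "and previous versions" marker. The `previous` flag, the function names and the simple dotted-version comparison are assumptions made for illustration.

```python
# Constructed sample: CPE strings taken from the issue above. The boolean is a
# hypothetical "previous" flag standing in for NVD's "and previous versions"
# marker; it is not a field of the API output quoted in the issue.
NVD_VIEW = [
    ("cpe:/a:gnome:gdk-pixbuf:2.31.4", True),
    ("cpe:/a:mozilla:firefox_esr:38.0", False),
    ("cpe:/a:mozilla:firefox_esr:38.1.0", False),
    ("cpe:/a:mozilla:firefox:39.0.3", True),
]
# The flat list, as in the API response: same entries, marker dropped.
API_VIEW = [cpe for cpe, _ in NVD_VIEW]


def split_cpe(cpe):
    """Split a CPE 2.2 URI into ("part:vendor:product", version)."""
    fields = cpe[len("cpe:/"):].split(":")
    version = fields[3] if len(fields) > 3 else ""
    return ":".join(fields[:3]), version


def version_key(version):
    """Numeric tuple for dotted versions, or None if not purely numeric."""
    parts = version.split(".")
    if not version or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def affected_flat(installed, cpes):
    """Exact string match: all that the flat list supports."""
    return installed in cpes


def affected_with_flag(installed, entries):
    """Match that honours the 'and previous versions' marker."""
    product, version = split_cpe(installed)
    have = version_key(version)
    for cpe, previous in entries:
        entry_product, entry_version = split_cpe(cpe)
        if entry_product != product:
            continue
        if entry_version == version:
            return True
        limit = version_key(entry_version)
        if previous and None not in (have, limit) and have <= limit:
            return True
    return False
```

With this data, `cpe:/a:mozilla:firefox:38.0` is reported as not affected by the flat match and as affected once the marker is kept, while `firefox_esr` entries without the marker still match only their exact versions.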