
Removed Architecture from CVE-2024-5245 Version

Open j-baines opened this issue 9 months ago • 0 comments

Looking at CVE-2024-5245, I saw the CISA ADP had, what I thought to be, a questionable version string.

```json
{
  "affected": [
    {
      "cpes": [
        "cpe:2.3:a:netgear:prosafe_network_management_system:1.7.0.34:*:*:*:*:*:*:*"
      ],
      "vendor": "netgear",
      "product": "prosafe_network_management_system",
      "versions": [
        {
          "status": "affected",
          "version": "1.7.0.34 x64"
        }
      ],
      "defaultStatus": "unknown"
    }
  ]
}
```

Likely x64 should not be in the version string. If we look at the vendor advisory they only list 1.7.0.34. The reporting CNA, ZDI, makes no mention of a specific architecture in their advisory (nor version - thanks ZDI), but considering the vulnerability appears to be default creds, I assume architecture doesn't really come into play.

The product does come in Win32 and Win64 variants, but I think if we believed only the Win64 version to be vulnerable that would be reflected in the CPE and not the version string.

j-baines, May 24 '24 21:05
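The issue above is a data-quality problem: an architecture token ("x64") was placed in the `versions[].version` field, where CPE 2.3 already reserves a separate `target_hw` component for it. The following linter is an added example, written for this page and not part of the vulnrichment project or any CISA ADP tooling. It parses the quoted `affected` entry, flags architecture or bitness tokens inside version strings, and checks that the release number agrees with the version component of each CPE. The list of architecture tokens and the corrected record (with `x64` moved into `target_hw`) are constructed assumptions for the demonstration.

```python
"""Lint a CVE JSON 5.x "affected" entry for architecture tokens leaking into
version strings. Added example; not the vulnrichment project's own code."""
import json
import re

# Constructed heuristic: tokens that name a CPU architecture or OS bitness
# rather than a release number. In CPE 2.3 these belong in target_hw (or
# target_sw), not in the version component or the ADP version string.
ARCH_TOKENS = {"x64", "x86", "x86_64", "amd64", "i386", "arm", "arm64",
               "aarch64", "win32", "win64", "32-bit", "64-bit"}

# CPE 2.3 formatted-string layout (after the "cpe:2.3" prefix).
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named components.
    Simplification: escaped colons ("\\:") inside components are not handled."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def lint_affected(affected: list) -> list:
    """Return (product, version_string, message) findings for each problem."""
    findings = []
    for entry in affected:
        product = entry.get("product", "?")
        cpe_versions = set()
        for cpe in entry.get("cpes", []):
            try:
                cpe_versions.add(parse_cpe23(cpe)["version"])
            except ValueError as exc:
                findings.append((product, None, str(exc)))
        for v in entry.get("versions", []):
            version = v.get("version", "")
            tokens = re.split(r"[\s,;/()]+", version.strip().lower())
            arch = [t for t in tokens if t in ARCH_TOKENS]
            if arch:
                findings.append((product, version,
                                 f"architecture token(s) {arch} in version "
                                 "string; express architecture in the CPE "
                                 "target_hw component instead"))
            # The first token is taken as the release number and must match
            # the version component of at least one listed CPE.
            release = tokens[0] if tokens else ""
            if cpe_versions and release not in cpe_versions:
                findings.append((product, version,
                                 f"release {release!r} does not match CPE "
                                 f"version(s) {sorted(cpe_versions)}"))
    return findings


# The "affected" entry exactly as quoted in the issue.
ISSUE_RECORD = json.loads("""
{"affected": [{
  "cpes": ["cpe:2.3:a:netgear:prosafe_network_management_system:1.7.0.34:*:*:*:*:*:*:*"],
  "vendor": "netgear",
  "product": "prosafe_network_management_system",
  "versions": [{"status": "affected", "version": "1.7.0.34 x64"}],
  "defaultStatus": "unknown"}]}
""")

# Constructed corrected form: architecture moved into the CPE target_hw slot,
# version string reduced to the release the vendor advisory lists.
CORRECTED_RECORD = json.loads("""
{"affected": [{
  "cpes": ["cpe:2.3:a:netgear:prosafe_network_management_system:1.7.0.34:*:*:*:*:*:x64:*"],
  "vendor": "netgear",
  "product": "prosafe_network_management_system",
  "versions": [{"status": "affected", "version": "1.7.0.34"}],
  "defaultStatus": "unknown"}]}
""")


if __name__ == "__main__":
    for label, record in (("issue", ISSUE_RECORD), ("corrected", CORRECTED_RECORD)):
        print(f"== {label} ==")
        for product, version, msg in lint_affected(record["affected"]) or [(None, None, "no findings")]:
            print(f"{product} {version!r}: {msg}")
```

Run as a script it prints one finding for the record quoted in the issue (the `x64` token) and none for the corrected record; the release-number check stays silent in both cases because `1.7.0.34` matches the CPE version component either way.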