Data quality issue with CVE-2024-38356 & CVE-2024-38357

[tjdett]

The CVE ID

Two CVEs originating from GHSAs are affected by the same underlying issue:

• CVE-2024-38356 / GHSA-9hcv-j9pv-qmph
• CVE-2024-38357 / GHSA-w9jx-4g6g-rp7x

Describe the data quality issue observed

Some vulnerable versions (including the most recent vulnerable versions of the library) are omitted from the affected versions list of the CVEs while being correct in the GHSAs.

Additional context

Both GHSAs cover vulnerabilities that were found across three supported versions of TinyMCE, with two open-source fixed versions available:

Affected versions: <5.11.0, >=6.0.0 <6.8.4, >=7.0.0 <7.2.0 Patched versions: 5.11.0, 6.8.4, 7.2.0

There are also additional downstream software packages mentioned in the GHSA where TinyMCE is directly embedded. The GHSA definitions on OSV.dev are fine, as they rely directly on GHSA-9hcv-j9pv-qmph.json & GHSA-w9jx-4g6g-rp7x.json.

The CVE affected versions on OSV.dev appear to use the Git commit URLs provided by GitHub on the GHSA. If this worked correctly, they would omit the fix in 5.11.0 from the definition (as 5.x is now patched only under a commercial license for long-term support customers) and additional downstream software packages, but would probably work for 6.x & 7.x.

Unfortunately, for some reason while two commit URLs are present in the GHSA data, only one commit URL appears in the references section on NVD:

• https://nvd.nist.gov/vuln/detail/CVE-2024-38356
• https://nvd.nist.gov/vuln/detail/CVE-2024-38357

In both cases the commit that appears is the one for 6.x, which results in 7.0.0 onwards not appearing as vulnerable versions even though they are explicitly mentioned in the CVE text and the associated GHSA.

Suggested changes to record

Ideally the CVE would mirror the version ranges specified in the GHSA, as the GHSA is the canonical source of the affected & fixed versions. The NVD record leaves little doubt this is the case by referring to "GitHub, Inc." as the source.