Am I reading the CVE for CVE-2022-42889 Wrong?

Looking up the CVE entry for this (Apache Commons Text vulnerability), the GSM lists under “vulnerable products” cpe:/a:apache:commons_text:1.10.0, which is the fixed version. The vulnerable versions are 1.5 to 1.9.

Is this wrong in the CVE database or should it be read differently?

This could have the same origin as discussed here previously:

It all seems a bit odd, as the CVE references the CPE cpe:/a:apache:commons_text:1.10.0, which is the only unaffected version, and none of the affected versions.
The v1.10 CPE reports that it doesn’t exist in the dictionary and only exists because there is a CVE referring to it. There is also no product detection NVT to detect any of the apache commons text CPEs.
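The mismatch described in this thread (a range of affected versions collapsed onto the single "fixed in" version) is easy to catch with a small consistency check over the converted data. The following is an added example, not code from the forum thread or from Greenbone; it parses both CPE 2.3 formatted strings and CPE 2.2 URIs like the one shown above, evaluates an NVD-style version range, and flags any single-version match whose version is exactly the excluded upper bound of a range for the same product. The sample entries are constructed: the range bounds (1.5 inclusive to 1.10.0 exclusive) follow what the thread states about affected and fixed versions, and are an assumption about the exact NVD record rather than a copy of it.

```python
"""Consistency check for CPE matches in a CVE record (added example).

Constructed sample data below; field names follow the NVD JSON 1.1
``cpe_match`` shape (cpe23Uri, vulnerable, versionStartIncluding, ...).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class CpeMatch:
    cpe23uri: str                                   # CPE 2.3 string or CPE 2.2 URI
    vulnerable: bool = True
    version_start_including: Optional[str] = None
    version_end_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


def cpe_fields(uri: str) -> Tuple[str, str, str, str]:
    """Return (part, vendor, product, version) from either CPE notation.

    cpe:2.3:a:apache:commons_text:*:*:*:*:*:*:*:*  -> ('a', 'apache', 'commons_text', '*')
    cpe:/a:apache:commons_text:1.10.0              -> ('a', 'apache', 'commons_text', '1.10.0')
    """
    if uri.startswith("cpe:2.3:"):
        p = uri.split(":")
        return p[2], p[3], p[4], p[5]
    if uri.startswith("cpe:/"):
        p = uri[len("cpe:/"):].split(":")
        version = p[3] if len(p) > 3 else "*"
        return p[0], p[1], p[2], version
    raise ValueError(f"not a CPE: {uri}")


def is_affected(m: CpeMatch, vendor: str, product: str, version: str) -> bool:
    """Decide whether an installed vendor/product/version is matched by one entry."""
    _, v, p, cpe_ver = cpe_fields(m.cpe23uri)
    if (v, p) != (vendor, product) or not m.vulnerable:
        return False
    ver = parse_version(version)
    # An explicit version in the CPE itself matches only that exact version.
    if cpe_ver not in ("*", "-"):
        return ver == parse_version(cpe_ver)
    # Wildcard version: apply the range bounds carried beside the CPE.
    if m.version_start_including and ver < parse_version(m.version_start_including):
        return False
    if m.version_end_including and ver > parse_version(m.version_end_including):
        return False
    if m.version_end_excluding and ver >= parse_version(m.version_end_excluding):
        return False
    return True


def fixed_versions_listed_as_vulnerable(matches: List[CpeMatch]) -> List[str]:
    """Flag single-version entries whose version equals the excluded upper bound
    of a range entry for the same product, i.e. the fixed version shown as
    vulnerable, which is the symptom reported in this thread."""
    fixed: Dict[Tuple[str, str], Set[Tuple[int, ...]]] = {}
    for m in matches:
        _, v, p, ver = cpe_fields(m.cpe23uri)
        if ver in ("*", "-") and m.version_end_excluding:
            fixed.setdefault((v, p), set()).add(parse_version(m.version_end_excluding))
    flagged = []
    for m in matches:
        _, v, p, ver = cpe_fields(m.cpe23uri)
        if ver not in ("*", "-") and parse_version(ver) in fixed.get((v, p), set()):
            flagged.append(m.cpe23uri)
    return flagged


# Constructed sample: the range form (assumed bounds, consistent with the thread).
NVD_STYLE = [
    CpeMatch("cpe:2.3:a:apache:commons_text:*:*:*:*:*:*:*:*",
             version_start_including="1.5", version_end_excluding="1.10.0"),
]
# Constructed sample: the single-version CPE the thread says the GSM displayed.
CONVERTED_STYLE = [
    CpeMatch("cpe:/a:apache:commons_text:1.10.0"),
]

if __name__ == "__main__":
    for ver in ("1.4", "1.9", "1.10.0"):
        print(ver, "affected by range entry:",
              is_affected(NVD_STYLE[0], "apache", "commons_text", ver))
    print("suspicious:", fixed_versions_listed_as_vulnerable(NVD_STYLE + CONVERTED_STYLE))
```

Run against a converted feed, the last function lists every CPE that names a product's fixed version as vulnerable while a range entry for the same product excludes exactly that version, which is the kind of regression a feed-sync check can catch before the data reaches a scanner.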

I was able to reproduce the problem. It seems to be related to how we convert the official NVD data in-house. I have raised an internal issue to get this fixed, and we’ll get back to you in this topic.

Hi, this issue should be fixed with the next feed update (around 14h CET today) and requires running greenbone-feed-sync --type SCAP.

Thanks, I have checked the database and that does now appear to be correct.