Looking up the CVE entry for this (Apache Commons Text vulnerability), the GSM lists under “vulnerable products” cpe:/a:apache:commons_text:1.10.0, which is the fixed version. The vulnerable versions are 1.5 to 1.9.
Is this wrong in the CVE database or should it be read differently?
It all seems a bit odd as the CVE references the CPE cpe:/a:apache:commons_text:1.10.0, which is the only unaffected version but none of the affected versions.
The v1.10 CPE reports that it doesn’t exist in the dictionary and only exists because there is a CVE referring to it. There is also no product detection NVT to detect any of the Apache Commons Text CPEs.
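To show how the "should it be read differently?" question plays out in data: the NVD feed normally expresses a range like this not as a list of concrete CPEs but as one wildcard CPE plus version bounds (versionStartIncluding / versionEndExcluding etc.), and the bound values are not themselves affected products. The script below is an added illustration, not part of this thread and not Greenbone's converter code; the cpe_match entry in it is constructed to mirror the case described above (affected 1.5 to 1.9, fixed in 1.10.0) and is not a copy of the real NVD record. The function names (parse_version, is_affected, affected_cpes, bounds_as_cpes) are my own.

```python
"""Interpreting NVD-style CPE match entries with version ranges.

Added example (not from the forum thread or any vendor's code). Field
names follow the NVD JSON 1.1 feed layout; the entry content is
constructed for this example.
"""
from __future__ import annotations

import re

# Constructed sample: a wildcard CPE bounded to [1.5, 1.10.0).
SAMPLE_CPE_MATCH = [
    {
        "vulnerable": True,
        "cpe23Uri": "cpe:2.3:a:apache:commons_text:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "1.5",
        "versionEndExcluding": "1.10.0",
    }
]


def parse_version(version: str) -> tuple[int, ...]:
    """Numeric-only version key, e.g. '1.10.0' -> (1, 10, 0).

    Simplification for this example: pre-release suffixes are dropped.
    Tuple comparison still orders (1, 5) < (1, 9) < (1, 10, 0) correctly.
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


def split_cpe23(cpe23: str) -> dict[str, str]:
    """Split a CPE 2.3 formatted string into named components.

    Assumes no escaped ':' inside components (true for the CPEs here).
    """
    parts = cpe23.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe23}")
    keys = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(keys, parts[2:]))


def in_range(entry: dict, version: str) -> bool:
    """Apply the four optional NVD bounds to one concrete version."""
    v = parse_version(version)
    if "versionStartIncluding" in entry and v < parse_version(entry["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in entry and v <= parse_version(entry["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in entry and v > parse_version(entry["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in entry and v >= parse_version(entry["versionEndExcluding"]):
        return False
    return True


def is_affected(cpe_match: list[dict], vendor: str, product: str, version: str) -> bool:
    """True if any vulnerable cpe_match entry covers vendor/product/version."""
    for entry in cpe_match:
        if not entry.get("vulnerable", False):
            continue
        c = split_cpe23(entry["cpe23Uri"])
        if (c["vendor"], c["product"]) != (vendor, product):
            continue
        if c["version"] != "*":
            # Concrete CPE: exactly that version is listed, no bounds apply.
            if parse_version(c["version"]) == parse_version(version):
                return True
            continue
        if in_range(entry, version):
            return True
    return False


def to_cpe22_uri(vendor: str, product: str, version: str) -> str:
    """Render the CPE 2.2 URI form quoted in the thread (cpe:/a:vendor:product:version)."""
    return f"cpe:/a:{vendor}:{product}:{version}"


def affected_cpes(cpe_match: list[dict], vendor: str, product: str,
                  known_versions: list[str]) -> list[str]:
    """Correct expansion: a range entry applied over a list of known releases."""
    return [to_cpe22_uri(vendor, product, v) for v in known_versions
            if is_affected(cpe_match, vendor, product, v)]


def bounds_as_cpes(cpe_match: list[dict]) -> list[str]:
    """Pitfall, shown deliberately: treating the bound values as products.

    This emits the fixed version (the versionEndExcluding value) as if it
    were vulnerable. Constructed failure mode only; it is not a statement
    about what any particular converter does.
    """
    out = []
    for entry in cpe_match:
        c = split_cpe23(entry["cpe23Uri"])
        for key in ("versionStartIncluding", "versionStartExcluding",
                    "versionEndIncluding", "versionEndExcluding"):
            if key in entry:
                out.append(to_cpe22_uri(c["vendor"], c["product"], entry[key]))
    return out


if __name__ == "__main__":
    releases = ["1.4", "1.5", "1.6", "1.7", "1.8", "1.9", "1.10.0"]
    print("correct:", affected_cpes(SAMPLE_CPE_MATCH, "apache", "commons_text", releases))
    print("pitfall:", bounds_as_cpes(SAMPLE_CPE_MATCH))
```

Running it, the correct expansion yields 1.5 through 1.9 and leaves 1.10.0 out, while the pitfall path produces exactly one "vulnerable" CPE for 1.10.0 and none for the actually affected releases, which is the symptom worth checking for in any NVD import.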
I was able to reproduce the problem. It seems to be related to how we convert the official NVD data in-house. I have raised an internal issue to get this fixed, and we’ll get back to you in this topic.