I could not find CVE-2022-33980 detection included in the free gvm11 package - it looks to be only for pro customers. Is there a plan to move this detection to the free package in the short term?
and welcome to this community forum.

There is currently no coverage for this specific CVE in any feed.

General notes:

  • VTs are only moved in very rare cases from the enterprise feed into the community feed
  • CVEs for libraries such as Apache Commons Configuration are usually only covered via package-manager-based checks
    • e.g. Debian is tracking this; once there is a security advisory (e.g. DLA and/or DSA) published by Debian, there will be a new VT covering this flaw
    • the same applies to other vendors, e.g. Red Hat, SUSE, Oracle, Ubuntu and so on
    • in addition, some vendors using this library, like F5, might publish additional advisories; if such a vendor is currently supported, additional VTs might be created
    • if such a flaw is actively exploited and there are PoCs available which help to detect such flaws in a generic way, additional VTs might be created as well