I’m not sure if this is the right place to post this, but I’m a bit confused about a recent vulnerability scan report I received. The report identified several vulnerabilities (CVE-2023-0567, CVE-2023-0568, and CVE-2023-0662) in my PHP version 7.4.30. However, when I looked up these CVEs on the NVD website, they are only listed as affecting PHP versions 8.0.X before 8.0.28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3.
Furthermore, according to PHP: Supported Versions, the 7.4 branch is end of life. So I guess all EOL branches are neither checked by PHP nor will be patched, and we can assume that it is most likely affected.
Yes, this applies as well to the other CVEs. In general, if a vendor doesn’t explicitly state an affected version range, we assume that every version below is affected too. If in doubt, you need to contact the vendor directly to clarify. In this case I assume they will not bother with it, as 7.4.x is EOL.
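The heuristic described in the reply above (a version in an older branch that the vendor does not list is treated as affected unless the vendor says otherwise) can be written down as a small check. The following is an added example, not code from the original thread or from any scanner; the affected ranges are transcribed from the NVD wording quoted in the question for CVE-2023-0567, and the classification labels are an assumption of this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '7.4.30' into (7, 4, 30) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class AffectedBranch:
    branch: Version    # the branch prefix, e.g. (8, 0) for "8.0.X"
    fixed_in: Version  # first fixed release in that branch, e.g. (8, 0, 28)


# Constructed from the NVD text quoted in the question:
# "8.0.X before 8.0.28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3".
CVE_2023_0567_RANGES: List[AffectedBranch] = [
    AffectedBranch(branch=(8, 0), fixed_in=(8, 0, 28)),
    AffectedBranch(branch=(8, 1), fixed_in=(8, 1, 16)),
    AffectedBranch(branch=(8, 2), fixed_in=(8, 2, 3)),
]


def classify(installed: str, ranges: List[AffectedBranch]) -> str:
    """Classify an installed version against the vendor-stated ranges.

    Returns one of (labels are this example's own convention):
      'affected'          - inside a listed branch, below its fixed release
      'fixed'             - inside a listed branch, at or above its fixed release
      'assumed-affected'  - in an older branch the vendor did not list at all
                            (the EOL case from the thread: unpatched, so assume affected)
      'not-listed'        - in a newer branch than anything listed; ask the vendor
    """
    version = parse_version(installed)

    # 1. Exact branch match: the vendor told us where the fix is.
    for entry in ranges:
        if version[: len(entry.branch)] == entry.branch:
            return "affected" if version < entry.fixed_in else "fixed"

    # 2. No branch match. Older than the lowest listed branch means an
    #    EOL branch that was never evaluated or patched: assume affected.
    lowest_branch = min(entry.branch for entry in ranges)
    if version[: len(lowest_branch)] < lowest_branch:
        return "assumed-affected"

    # 3. Newer than anything listed: the data does not say, so do not guess.
    return "not-listed"


if __name__ == "__main__":
    for candidate in ("7.4.30", "8.0.27", "8.0.28", "8.2.2", "8.3.0"):
        print(f"PHP {candidate}: {classify(candidate, CVE_2023_0567_RANGES)}")
```

The scanner's finding for 7.4.30 corresponds to the `assumed-affected` branch of the check: the version sits below every listed branch, and nothing in the vendor data says it was ever fixed there. Anything classified `not-listed` should go back to the vendor rather than be marked clean.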
One additional (more or less important) note on the CVE description. The CVE description might not necessarily contain all affected and/or fixed versions, as we received the following statement from a MITRE representative in the past:
A CVE description does not necessarily contain all the affected products or versions and is not part of CVE ID requirements. The products are documented in the CVE references.