Vulnerable software versions detected but not reported

I have had this multiple times for different software, so I wonder what I’m actually missing here.

Latest example: detection of an old Jira version

Version: 8.20.10
Location: /
CPE: cpe:/a:atlassian:jira:8.20.10

Concluded from version/product identification result:

Concluded from version/product identification location:
https://someserver/login.jsp

Greenbone is up to date and there are several CVEs related to this version, which I also see in the CVE DB.

But why are these not shown in the report?

For a few years now, vulnerability tests (VTs) for all Atlassian products have only been available in the Greenbone Enterprise Feed:

If the community feed is currently used then this would be the expected behavior.

Thanks for the quick answer, cfi.

I had this in mind but must admit I’m surprised. I mean separation of community and enterprise VTs I understand, but simple cross checks of affected CVEs from a software detection… this is something I would consider a very basic coverage regardless.

Anyway, now I know, thank you.

This is done by the so-called (and previously mentioned) “VTs”, which are only part of the mentioned enterprise feed, so this coverage exists only if the enterprise feed is used.
