What about rejected CVEs?

I have noticed that some rejected CVEs are returned falsely from Greenbone reports.

An example is, if you run the plugin “2019/ubuntu/gb_ubuntu_USN_3997_1.nasl”, it finds some CVEs but also CVE-2019-18511, if successful. But this CVE is already rejected. (https://nvd.nist.gov/vuln/detail/CVE-2019-18511)

I don’t know if there are more CVEs of this kind, but for this case, Ubuntu security corrected the related advisory although CVE-2019-18511 is still in description. (https://usn.ubuntu.com/3997-1/)

Maybe running the nvt generation scripts for the advisories again and again periodically may help.

There is currently no process to handle CVEs in REJECT or DISPUTED state so these CVEs are mostly kept in the related VTs without deleting them.

In the special case of “CVE-2019-18511” / USN-3997 I guess the text has a typo and it should refer to CVE-2018-18511 instead, see e.g. the correct Debian advisory at https://www.debian.org/security/2019/dsa-4451 or the correct references in the Ubuntu USN.

This single LSC can (and will) be fixed quite easily in that specific LSC, thanks for letting us know. You might also want to contact the Ubuntu Security Team to get the USN advisory fixed / corrected.

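The thread above raises two checks a VT maintainer would want to automate: whether any CVE listed in a VT's `script_cve_id()` call is in REJECT or DISPUTED state, and whether a rejected ID looks like a year typo of another ID in the same VT (as with CVE-2019-18511 vs CVE-2018-18511). The script below is an added example, not Greenbone's code and not the real `gb_ubuntu_USN_3997_1.nasl`: the NASL excerpt, the placeholder OID and the CVE status map are all constructed for the demo, and in practice the map would be filled from the NVD feed or API.

```python
import re

# Constructed excerpt of a NASL VT header (not the real gb_ubuntu_USN_3997_1.nasl).
SAMPLE_NASL = '''
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.000000");  # placeholder OID, not a real one
  script_cve_id("CVE-2018-18511", "CVE-2019-18511", "CVE-2019-9811");
  script_name("Ubuntu Update for example package USN-0000-1");
}
'''

# Constructed status map standing in for an NVD lookup; statuses are assumptions for the demo.
CVE_STATUS = {
    "CVE-2018-18511": "Analyzed",
    "CVE-2019-18511": "Rejected",
    "CVE-2019-9811": "Analyzed",
}

# Statuses that should never reach a scan report without a maintainer looking at them.
REVIEW_STATUSES = ("Rejected", "Disputed", "Unknown")

CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SCRIPT_CVE_ID_RE = re.compile(r"script_cve_id\s*\((.*?)\)\s*;", re.DOTALL)


def extract_cve_ids(nasl_text):
    """Return the CVE IDs listed in script_cve_id() calls, in order, without duplicates."""
    ids = []
    for call in SCRIPT_CVE_ID_RE.findall(nasl_text):
        for cve in CVE_ID_RE.findall(call):
            if cve not in ids:
                ids.append(cve)
    return ids


def year_typo_candidates(cve, all_ids):
    """Other IDs in the same VT that share the sequence number but differ in year."""
    number = cve.split("-")[2]
    return [other for other in all_ids if other != cve and other.split("-")[2] == number]


def audit_vt(nasl_text, status_map):
    """Flag CVEs needing review as (cve, status, possible_typo_of) tuples.

    A CVE absent from the status map is reported as 'Unknown' rather than silently
    passed, so a stale local copy of the feed cannot hide a rejection.
    """
    ids = extract_cve_ids(nasl_text)
    findings = []
    for cve in ids:
        status = status_map.get(cve, "Unknown")
        if status in REVIEW_STATUSES:
            findings.append((cve, status, year_typo_candidates(cve, ids)))
    return findings


if __name__ == "__main__":
    for cve, status, candidates in audit_vt(SAMPLE_NASL, CVE_STATUS):
        hint = f" (possible year typo of {', '.join(candidates)})" if candidates else ""
        print(f"{cve}: {status}{hint}")
```

Run over a checkout of the VT feed, the audit would list every `script_cve_id()` entry whose NVD status is Rejected or Disputed, and the typo hint narrows the common case where the advisory text carried the wrong year; a hit should be confirmed against the upstream advisory before the VT is edited, since the typo can sit in the advisory rather than the VT.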