#StackBounty: #cve CVE fields vulnerable_products vs what's in configuration

Bounty: 50

I would like to understand better the structure of the CVE.

For example, in CVE-2018-19081, vulnerable_products mentions the product Opticam i5, like so:

"vulnerable_products": [
    "cpe:2.3:o:opticam:i5_application_firmware:2.21.1.128:*:*:*:*:*:*:*",
    "cpe:2.3:o:opticam:i5_system_firmware:1.5.2.11:*:*:*:*:*:*:*"
],

But the configuration nodes also mention the product Foscam c2, like so:

"children": [
    {
        "operator": "OR",
        "cpe_match": [
            {
                "cpe23Uri": "cpe:2.3:o:foscam:c2_application_firmware:2.72.1.32:*:*:*:*:*:*:*",
                "vulnerable": true
            },
            {
                "cpe23Uri": "cpe:2.3:o:foscam:c2_system_firmware:1.11.1.8:*:*:*:*:*:*:*",
                "vulnerable": true
            }
        ]
    },
    {
        "operator": "OR",
        "cpe_match": [
            {
                "cpe23Uri": "cpe:2.3:h:foscam:c2:-:*:*:*:*:*:*:*",
                "vulnerable": false
            }
        ]
    }
]

So why is c2 not mentioned in vulnerable_products and why is it mentioned in the configuration?

I’ve seen many CVEs whose configuration mentions products that are missing from the vulnerable_products field.
What is the purpose of the configuration if not to specify the vulnerable products?
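
The comparison the question makes by eye, as an added example that is not part of the original post: it walks the quoted configuration excerpt, collects each cpe23Uri with its vulnerable flag and CPE part, and reports entries flagged vulnerable but absent from vulnerable_products. The wrapper object holding "children" and the names compare, iter_cpe_matches and cpe_part are assumptions; the sample holds only the excerpts quoted above, not the full record.

```python
# Constructed sample: values copied from the excerpts quoted in the question.
# The wrapper object holding "children" is an assumption; the excerpt does not show it.
VULNERABLE_PRODUCTS = [
    "cpe:2.3:o:opticam:i5_application_firmware:2.21.1.128:*:*:*:*:*:*:*",
    "cpe:2.3:o:opticam:i5_system_firmware:1.5.2.11:*:*:*:*:*:*:*",
]
NODES = [{"children": [
    {"operator": "OR", "cpe_match": [
        {"cpe23Uri": "cpe:2.3:o:foscam:c2_application_firmware:2.72.1.32:*:*:*:*:*:*:*",
         "vulnerable": True},
        {"cpe23Uri": "cpe:2.3:o:foscam:c2_system_firmware:1.11.1.8:*:*:*:*:*:*:*",
         "vulnerable": True},
    ]},
    {"operator": "OR", "cpe_match": [
        {"cpe23Uri": "cpe:2.3:h:foscam:c2:-:*:*:*:*:*:*:*", "vulnerable": False},
    ]},
]}]

# The third CPE 2.3 field is the "part": a, o or h.
PART_NAMES = {"a": "application", "o": "operating system", "h": "hardware"}

def iter_cpe_matches(node):
    """Yield every cpe_match entry of a node and, recursively, of its children."""
    yield from node.get("cpe_match", [])
    for child in node.get("children", []):
        yield from iter_cpe_matches(child)

def cpe_part(uri):
    # cpe:2.3:<part>:<vendor>:<product>:... (a plain split is enough for these samples)
    return PART_NAMES.get(uri.split(":")[2], "unknown")

def compare(vulnerable_products, nodes):
    """Report configuration CPEs that are flagged but unlisted, or not flagged at all."""
    listed = set(vulnerable_products)
    report = {"flagged_not_listed": [], "not_flagged": []}
    for node in nodes:
        for match in iter_cpe_matches(node):
            uri = match["cpe23Uri"]
            if not match.get("vulnerable"):
                report["not_flagged"].append((uri, cpe_part(uri)))
            elif uri not in listed:
                report["flagged_not_listed"].append((uri, cpe_part(uri)))
    return report

if __name__ == "__main__":
    for key, rows in compare(VULNERABLE_PRODUCTS, NODES).items():
        for uri, part in rows:
            print(f"{key:20} {part:18} {uri}")
```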

