Many CVE Records Are Listing the Wrong Versions of Software as Being Affected
A couple of weeks ago, Bleeping Computer ran a story claiming that over 150,000 websites were vulnerable because of a vulnerability in a WordPress plugin. That count was based in part on the belief that all previous versions of the plugin were vulnerable:
The issue impacts all versions of the plugin up to 2.8.7
That wasn’t true.
The feature the vulnerability is connected to was only added in version 2.7.0.
The author of the story was relying on information from a WordPress security provider, Wordfence, which doesn't actually determine what versions are vulnerable. Instead, they simply claim that all previous versions are vulnerable.
The author of the story, Bill Toulas, has been warned about that issue, but hasn’t cared and kept running with inaccurate information.
With another vulnerability, which we saw a hacker trying to exploit last week, Wordfence claimed that all versions before the one it was fixed in were vulnerable, but only a single version is vulnerable.
There is a larger problem. Wordfence is also allowed to create records in the CVE system. For these vulnerabilities, they issued CVE IDs. They also list the wrong versions as vulnerable in those CVE records. For example, the second vulnerability mentioned was given CVE ID CVE-2023-6634, which says that “all versions up to, and including, 4.2.5.7” are vulnerable, despite only 4.2.5.7 being vulnerable.
That would be a significant problem on its own. According to data compiled by Jerry Gamblin, Wordfence is one of the most prolific CVE issuers. Another is a second WordPress security provider, WPScan. The most prolific CNA is yet another WordPress security provider, Patchstack. Both of those providers likewise don't determine which versions are vulnerable and instead list in CVE's data that all versions are vulnerable.
For example, Patchstack made a claim about a recent vulnerability in the plugin PDF Invoices & Packing Slips for WooCommerce and issued a CVE ID for it, but hasn't filled out the corresponding CVE record yet. The vulnerability is in a feature that was added in version 3.7.2, but they say that all versions prior to version 3.7.6 are vulnerable.
Patchstack also claimed the vulnerability was fixed when, as we warned our customers, it hasn't been yet. When data providers are supplying information they know to be inaccurate, as they are with the affected version information, it wouldn't be surprising that they are not all that concerned about the accuracy of the rest of their data. So it is not uncommon to find that "fixed" vulnerabilities haven't actually been fixed. That lack of accuracy seems like it should cause CVE to restrict providers like that from access to their system.
Claiming that versions of software are vulnerable when they are not can cause significant headaches for those using the software, especially anyone required to do a security assessment when known vulnerable software is in use, if the software really isn't vulnerable. It can also lead people to believe they have found the source of a security breach when they haven't. And as the story we mentioned at the top of the post shows, it is also causing inaccurate news stories.
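To show the practical effect of an over-broad affected-version range, here is an added example (our own illustration, not code from any of the providers or the CVE program): a small Python checker that evaluates an installed plugin version against a range as the record states it and against the range as described in this post. The range representation, the classify function and the sample installed versions are assumptions made for the example; the version numbers come from the cases discussed above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted plugin version such as "4.2.5.7" into a comparable tuple of ints."""
    return tuple(int(part) for part in version.strip().split("."))


def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing a to b; shorter versions are zero-padded so 2.7 == 2.7.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta = ta + (0,) * (width - len(ta))
    tb = tb + (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


@dataclass(frozen=True)
class AffectedRange:
    """A CVE-style affected-version range (hypothetical representation for this example).

    introduced:    first version containing the vulnerable code; None means
                   "all previous versions", which is the claim criticised in the post.
    last_affected: inclusive upper bound, the "up to, and including" wording.
    fixed:         first version with the fix; None means no fix is known.
    """
    introduced: Optional[str] = None
    last_affected: Optional[str] = None
    fixed: Optional[str] = None

    def contains(self, version: str) -> bool:
        """True if the given installed version falls inside this range."""
        if self.introduced is not None and cmp_versions(version, self.introduced) < 0:
            return False
        if self.last_affected is not None and cmp_versions(version, self.last_affected) > 0:
            return False
        if self.fixed is not None and cmp_versions(version, self.fixed) >= 0:
            return False
        return True


# Each entry pairs the range as the CVE record / provider states it with the
# range the post says is correct. Version numbers are taken from the post.
CASES: Dict[str, Tuple[AffectedRange, AffectedRange]] = {
    # News story: "all versions up to 2.8.7", but the feature was only added in 2.7.0
    "plugin in news story": (
        AffectedRange(last_affected="2.8.7"),
        AffectedRange(introduced="2.7.0", last_affected="2.8.7"),
    ),
    # CVE-2023-6634: "all versions up to, and including, 4.2.5.7", only 4.2.5.7 vulnerable
    "CVE-2023-6634": (
        AffectedRange(last_affected="4.2.5.7"),
        AffectedRange(introduced="4.2.5.7", last_affected="4.2.5.7"),
    ),
    # PDF Invoices & Packing Slips for WooCommerce: provider says all versions prior to
    # 3.7.6; post says the feature was added in 3.7.2 and the issue is not yet fixed
    "PDF Invoices & Packing Slips for WooCommerce": (
        AffectedRange(fixed="3.7.6"),
        AffectedRange(introduced="3.7.2"),
    ),
}


def classify(case: str, installed: str) -> str:
    """Compare the recorded range with the corrected one for an installed version.

    Returns one of:
      "false positive"  - recorded range flags it, corrected range does not
      "false negative"  - corrected range flags it, recorded range does not
      "vulnerable"      - both agree it is affected
      "not affected"    - both agree it is clean
    """
    recorded, corrected = CASES[case]
    rec, cor = recorded.contains(installed), corrected.contains(installed)
    if rec and not cor:
        return "false positive"
    if cor and not rec:
        return "false negative"
    return "vulnerable" if cor else "not affected"


if __name__ == "__main__":
    # Constructed sample inventory: plugin versions a site audit might find installed.
    for case, version in [
        ("plugin in news story", "2.6.4"),
        ("plugin in news story", "2.8.0"),
        ("CVE-2023-6634", "4.2.5.6"),
        ("CVE-2023-6634", "4.2.5.7"),
        ("PDF Invoices & Packing Slips for WooCommerce", "3.7.1"),
        ("PDF Invoices & Packing Slips for WooCommerce", "3.7.6"),
    ]:
        print(f"{case}: installed {version} -> {classify(case, version)}")
```

The "false positive" results are the assessment headaches described above: a site on 2.6.4 or 4.2.5.6 is flagged by the recorded range but does not contain the vulnerable code. The last case shows the opposite failure: a record that claims a fix in 3.7.6 tells a site on 3.7.6 it is clean when, per the post, it is not.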
We have suggested to CVE that they provide a method for reporting inaccurate affected version information.