Question about the configurations tab for a CVE


Take CVE-2021-41773 (above for example). Its description is

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

So Configuration 1 makes sense, it impacts cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*

But there are 3 more configurations for Oracle, Fedora and Netapp products. Is that correct?

NVD (where the base CVE data in Vulmatch comes from) uses CPEs (Common Platform Enumerations) to answer the question:

“Which products are affected if they include this vulnerable component?”

If a vendor:

  • bundles Apache,
  • embeds it in an appliance,
  • or ships it as part of an OS or middleware stack,

then their product can get a CPE entry tied to the CVE as a configuration.

…and yes, this is confusing, because far more vendors bundle Apache HTTP Server than are listed.

It’s a weakness of CVE/CPE modelling:

  • CVEs are component-level
  • CPEs are product-level
  • NVD flattens them into one list without strong parent/child relationships

Arguably these three entries should not be included OR all products using this version of Apache Server should be included. Right now it’s somewhere in the middle.
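To make the "configurations" concept concrete, here is an added example (not code from the post, from Vulmatch or from NVD) that evaluates an asset CPE against a list of configurations in the shape the NVD API 2.0 returns (`configurations[].nodes[].cpeMatch[]` with `criteria`, `vulnerable` and the optional `versionStartIncluding`/`versionEndExcluding` range keys). Only the Apache 2.4.49 criterion comes from the page; the Oracle, Fedora and NetApp entries are constructed placeholders standing in for the three extra configurations the question asks about, and the version comparison is a simplified dotted-numeric compare, not NVD's full logic.

```python
"""Match an asset CPE 2.3 string against NVD-style 'configurations' nodes.

Added example: the schema shape follows the NVD API 2.0 'configurations'
field; the non-Apache criteria below are constructed placeholders.
"""
from typing import Any, Dict, List

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def split_cpe(cpe: str) -> List[str]:
    """Split a cpe:2.3 formatted string on unescaped colons (\\: stays inside a field)."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    fields, cur, i = [], "", len(prefix)
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):   # keep escape + escaped char together
            cur += cpe[i:i + 2]
            i += 2
            continue
        if ch == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    if len(fields) != len(CPE_FIELDS):
        raise ValueError(f"expected 11 components, got {len(fields)}: {cpe!r}")
    return fields


def parse_cpe(cpe: str) -> Dict[str, str]:
    return dict(zip(CPE_FIELDS, split_cpe(cpe)))


def component_matches(criterion: str, value: str) -> bool:
    """'*' in the criterion is ANY; a '*' in the asset is treated as unknown and only
    satisfies an ANY criterion. '-' (NA) only equals '-'. Everything else is case-insensitive."""
    if criterion == "*":
        return True
    return criterion.lower() == value.lower()


def cpe_matches(criteria: str, target: str) -> bool:
    c, t = parse_cpe(criteria), parse_cpe(target)
    return all(component_matches(c[f], t[f]) for f in CPE_FIELDS)


def _vkey(version: str):
    # Simplified: dotted segments compared numerically where possible.
    return tuple(int(p) if p.isdigit() else p for p in version.split("."))


def match_entry_applies(entry: Dict[str, Any], target: str) -> bool:
    """A cpeMatch entry applies if its criteria match and the asset version is in range."""
    if not cpe_matches(entry["criteria"], target):
        return False
    tv = parse_cpe(target)["version"]
    if tv in ("*", "-"):          # unknown or NA version: range cannot exclude it
        return True
    k = _vkey(tv)
    if "versionStartIncluding" in entry and k < _vkey(entry["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in entry and k <= _vkey(entry["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in entry and k > _vkey(entry["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in entry and k >= _vkey(entry["versionEndExcluding"]):
        return False
    return True


def node_vulnerable(node: Dict[str, Any], target: str) -> bool:
    hits = [m.get("vulnerable", False) and match_entry_applies(m, target)
            for m in node["cpeMatch"]]
    result = all(hits) if node.get("operator") == "AND" else any(hits)
    return (not result) if node.get("negate") else result


def matching_configurations(configurations: List[Dict[str, Any]], target: str) -> List[int]:
    """1-based indices of configurations (as a configurations tab numbers them) that apply."""
    out = []
    for i, conf in enumerate(configurations, 1):
        node_results = [node_vulnerable(n, target) for n in conf["nodes"]]
        ok = all(node_results) if conf.get("operator", "AND") == "AND" else any(node_results)
        if ok:
            out.append(i)
    return out


def _node(*entries: Dict[str, Any]) -> Dict[str, Any]:
    return {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": list(entries)}]}


# Constructed sample: config 1 is the page's Apache criterion; 2-4 are placeholders
# for the Oracle / Fedora / NetApp entries (product names are NOT real CPE products).
SAMPLE_CONFIGURATIONS = [
    _node({"vulnerable": True, "criteria": "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*"}),
    _node({"vulnerable": True, "criteria": "cpe:2.3:a:oracle:example_product:*:*:*:*:*:*:*:*",
           "versionStartIncluding": "1.0", "versionEndExcluding": "2.0"}),
    _node({"vulnerable": True, "criteria": "cpe:2.3:o:fedoraproject:fedora:*:*:*:*:*:*:*:*"}),
    _node({"vulnerable": True, "criteria": "cpe:2.3:a:netapp:example_product:-:*:*:*:*:*:*:*"}),
]

if __name__ == "__main__":
    for asset in ["cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*",
                  "cpe:2.3:a:apache:http_server:2.4.48:*:*:*:*:*:*:*",
                  "cpe:2.3:a:oracle:example_product:1.5:*:*:*:*:*:*:*"]:
        print(asset, "->", matching_configurations(SAMPLE_CONFIGURATIONS, asset))
```

Run against a real CVE, each configuration is checked independently, which is exactly the flattening the answer describes: the Oracle, Fedora and NetApp nodes carry no reference back to the Apache node they exist because of, so an asset inventory that only knows "Apache 2.4.49" matches configuration 1 and nothing else, while a bundling vendor not listed by NVD matches nothing at all.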