No CPE for 3.0.11 and 3.0.12

[frankvanbever]

I am the package maintainer of ModSecurity in Buildroot. Buildroot has automated tracking of CVEs which it does by checking the CPE for the corresponding release. It seems that for both 3.0.11 and 3.0.12 no CPE was registered. The newest CPE I can find in the NIST database is cpe:2.3:a:trustwave:modsecurity:3.0.10:::::::*
This has effectively broken the CVE reporting infrastructure for ModSecurity in Buildroot, causing us to miss CVE-2024-1019.

Will the creation of CPEs resume in the future for future versions or will this be deprecated?

[airween]

Hi @frankvanbever,

thanks for reporting this, I think it's very important issue.

Actually I haven't heard about this registration possibility, but now I'm going to check how does it work.

I think on behalf of the team I can say we definitely want to continue maintaining of the NIST database.

I need some time to review the registration process (eg. the vendor has changed meanwhile).

Thanks again.

[airween]

Just for the record: I contacted with NIST about this issue.

[dune73]

Thank you

[airween]

NIST responded, they has created the two CPE's:

CVE-2023-38385

CVE-2024-1019

Please check those above, if you think everything is fine, feel free to close the issue here.