NIST CVE database has CVE-2022-23639 misrecorded?

[hgomersall]

I'm not sure this is your issue directly, but there seems to be a problem with how CVE-2022-23639 that was fixed here is referring to crossbeam, such that Black Duck is flagging Crossbeam 0.8.4 which clearly is post the fix.

Reading the "Known Affected Software Configurations", it clearly suggests that it's crossbeam that is the problem rather than crossbeam-utils, but I'm not very familiar with CVE records. In any case, something is not quite right with how the vulnerability is being reported.

[taiki-e]

If tool reports a vulnerability to crossbeam crate instead of crossbeam-utils crate, it is a bug in their tool. Please file a bug report against that tool.

[hgomersall]

It looks like a bug in the database, or am I missing something?

[taiki-e]

I guess it's a bug in your vulnerability report tool.

[hgomersall]

This string: cpe:2.3:a:crossbeam_project:crossbeam:*:*:*:*:*:rust:*:* makes no distinction between crossbeam and crossbeam-utils, so it's hard to see how it can get this right.

Similarly, the CVE record also references crossbeam as the product: https://www.cve.org/CVERecord?id=CVE-2022-23639

[taiki-e]

Sigh. GitHub again. They've done strange things about our report before, but it seems that was not the only problem.

[taiki-e]

Filed github/advisory-database#5064.

[hgomersall]

Great, thanks!