Yesterday we explored Version End Excluding, which is one of the most common version limit declarations. The other method of declaring an upper limit on a version check is Version End Including. An example of this is Adobe's Photoshop with vulnerability CVE-2023-44330; the text of a configuration example is below.
CVE-2023-44330

{
  "operator": "AND",
  "nodes": [
    {
      "operator": "OR",
      "negate": false,
      "cpeMatch": [
        {
          "vulnerable": true,
          "criteria": "cpe:2.3:a:adobe:photoshop:*:*:*:*:*:*:*:*",
          "versionEndIncluding": "24.7.1",
          "matchCriteriaId": "F6792846-8164-4C67-A210-1244E503BE88"
        }
      ]
    },
    {
      "operator": "OR",
      "negate": false,
      "cpeMatch": [
        {
          "vulnerable": false,
          "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
          "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"
        },
        {
          "vulnerable": false,
          "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
          "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"
        }
      ]
    }
  ]
}
In this example you know that version 24.7.1 is vulnerable (along with everything below it) and that anything later than that shouldn't be considered vulnerable. The big challenge with this is that you don't know the next version to update to, which makes building guidance more difficult.

Two cases where you may want to use versionEndIncluding are when you don't know when the fixed version will come out or what its exact version number will be, or when you don't intend to fix this family of the software.

Occasionally you see this type used with hotfixes, as vendors won't increment the version for the vulnerability patch. This will be discussed in a later post around Apple's operating systems and some SaaS SBOM components.
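To make the inclusive/exclusive distinction concrete, here is a small matcher that evaluates an NVD-style configuration (AND/OR nodes of cpeMatch entries) against a host inventory of CPE 2.3 strings. This is an added example, not code from the original post or from NVD; it assumes product versions are plain dotted integers (true for the Photoshop example, not for every vendor) and it implements only the `*`/`-`/exact matching a reader needs here, not the full CPE wildcard grammar.

```python
"""Evaluate an NVD-style CVE configuration against a host inventory.

Added example. Assumptions: versions are dotted integers, CPE 2.3
strings are well formed with 13 colon-separated components, and
nodes are not nested (matching the NVD API 2.0 configuration shape).
"""
import copy
import json
import re

# Constructed sample: the CVE-2023-44330 configuration quoted in the post,
# trimmed to the fields the matcher reads.
CONFIG = json.loads("""
{
  "operator": "AND",
  "nodes": [
    {"operator": "OR", "negate": false, "cpeMatch": [
      {"vulnerable": true,
       "criteria": "cpe:2.3:a:adobe:photoshop:*:*:*:*:*:*:*:*",
       "versionEndIncluding": "24.7.1"}]},
    {"operator": "OR", "negate": false, "cpeMatch": [
      {"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*"},
      {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"}]}
  ]
}
""")

RANGE_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")


def parse_version(v):
    """'24.7.1' -> (24, 7, 1). Non-numeric segments become 0 (assumption)."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def split_cpe(cpe):
    """Split a CPE 2.3 formatted string on unescaped colons."""
    return re.split(r"(?<!\\):", cpe)


def in_range(version, entry):
    """Apply whichever of the four NVD range keys the entry carries."""
    v = parse_version(version)
    if "versionStartIncluding" in entry and v < parse_version(entry["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in entry and v <= parse_version(entry["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in entry and v > parse_version(entry["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in entry and v >= parse_version(entry["versionEndExcluding"]):
        return False
    return True


def entry_matches(entry, host_cpe):
    """Does one cpeMatch entry cover one inventory CPE?"""
    crit, host = split_cpe(entry["criteria"]), split_cpe(host_cpe)
    if len(crit) != 13 or len(host) != 13:
        return False
    for i, (c, h) in enumerate(zip(crit, host)):
        if i == 5 and c == "*" and any(k in entry for k in RANGE_KEYS):
            # Version component governed by a range: an unknown host
            # version ("*" or "-") cannot be placed in it, so no match.
            if h in ("*", "-") or not in_range(h, entry):
                return False
            continue
        if c != "*" and c.lower() != h.lower():
            return False
    return True


def node_matches(node, inventory):
    """Each cpeMatch entry is tested against the whole inventory."""
    hits = [any(entry_matches(e, cpe) for cpe in inventory) for e in node["cpeMatch"]]
    result = all(hits) if node["operator"] == "AND" else any(hits)
    return (not result) if node.get("negate") else result


def config_matches(config, inventory):
    """True when the inventory satisfies the configuration (is affected)."""
    results = [node_matches(n, inventory) for n in config["nodes"]]
    return all(results) if config["operator"] == "AND" else any(results)


def with_end_excluding(config):
    """Copy of the config with versionEndIncluding swapped for versionEndExcluding,
    to show how the boundary version changes status."""
    out = copy.deepcopy(config)
    for node in out["nodes"]:
        for entry in node["cpeMatch"]:
            if "versionEndIncluding" in entry:
                entry["versionEndExcluding"] = entry.pop("versionEndIncluding")
    return out


if __name__ == "__main__":
    # Constructed host inventories (Photoshop version + platform).
    win_2471 = ["cpe:2.3:a:adobe:photoshop:24.7.1:*:*:*:*:*:*:*",
                "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"]
    print("24.7.1 on Windows, EndIncluding:", config_matches(CONFIG, win_2471))
    print("24.7.1 on Windows, EndExcluding:", config_matches(with_end_excluding(CONFIG), win_2471))
```

Run as a script it prints `True` for the inclusive configuration and `False` once the same bound is read as exclusive, which is exactly the guidance problem the post describes: with versionEndIncluding the boundary version is still in scope, so "update to 24.7.1" is not a fix and the real fixed version has to come from somewhere else.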
Thanks for reading!