This is a known issue. NIST’s NVD is populated by a team of analysts who review incoming CVEs from MITRE and attempt to link those CVEs authoritatively to the affected CPEs. This process causes new CPEs to be generated by the NVD analysts and submitted for inclusion in the CPE Dictionary—but the pipe is filled far faster than the CPE review team is able to drain it (i.e., vet the CPEs and enter them into the official dictionary). This results in a situation in which some CVEs in the NVD refer to CPEs that aren’t yet in the dictionary; rather, they’re submitted and under review. NIST is aware and working to improve synchronization between the two data feeds.
Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

From: Miller, Ryan D.
Sent: Thursday, September 01, 2011 12:45 PM
To: CPE
Subject: CVE and CPE synchronization
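For a consumer of both feeds, the gap described in the reply above can be handled by classifying each CPE a CVE refers to instead of dropping the ones missing from the dictionary. The following is an added example, not part of the original thread or of any NIST/MITRE tool; the function names, the simplified CPE 2.2 well-formedness check and all sample data are assumptions constructed for illustration.

```python
import re

# Simplified CPE 2.2 URI check (assumption, not the full specification grammar):
# cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
# part is h, o or a; trailing components may be omitted.
_COMPONENT = r"[A-Za-z0-9._\-~%]*"
CPE22_RE = re.compile(rf"^cpe:/[hoa](?::{_COMPONENT}){{0,6}}$")

def is_well_formed(cpe):
    return bool(CPE22_RE.match(cpe))

def product_key(cpe):
    """Return (part, vendor, product) of a well-formed CPE name, lowercased."""
    fields = cpe[len("cpe:/"):].lower().split(":")
    fields += [""] * (3 - len(fields))
    return tuple(fields[:3])

def classify(cve_to_cpes, dictionary):
    """Group (cve, cpe) pairs by how the CPE relates to the official dictionary."""
    dict_names = {name.lower() for name in dictionary}
    dict_products = {product_key(name) for name in dict_names}
    report = {}
    for cve, cpes in cve_to_cpes.items():
        for cpe in cpes:
            if not is_well_formed(cpe):
                status = "malformed"
            elif cpe.lower() in dict_names:
                status = "registered"
            elif product_key(cpe) in dict_products:
                # Dictionary knows the product but not this exact version yet.
                status = "unregistered-known-product"
            else:
                status = "unregistered-new-product"
            report.setdefault(status, []).append((cve, cpe))
    return report

# Constructed sample data: placeholder CVE ids and made-up vendors/products.
SAMPLE_DICTIONARY = {
    "cpe:/a:examplecorp:widget:1.0",
    "cpe:/o:examplecorp:exampleos:5.1",
}
SAMPLE_CVES = {
    "CVE-0000-0001": ["cpe:/a:examplecorp:widget:1.0",
                      "cpe:/a:examplecorp:widget:1.1"],
    "CVE-0000-0002": ["cpe:/a:othervendor:gadget:2.0",
                      "cpe:a:examplecorp:widget"],
}

if __name__ == "__main__":
    for status, pairs in sorted(classify(SAMPLE_CVES, SAMPLE_DICTIONARY).items()):
        print(status, pairs)
```

Entries in the two "unregistered" groups are the ones the thread is about: well-formed names that a CVE uses but the dictionary does not yet list, which a scorecard should still match against installed products.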
Hello CPE/CVE expert(s),
Our project is working to integrate with the CVE list to provide a user of a prototype we’re building a sort of “security scorecard” based in part on the products on a system. We ran across the situation below, which is (we think) essentially that CVEs are listed against a correctly formed CPE tag, but one which is not registered in the “official” CPE listing.
Can CVEs be written against unregistered--but correctly formatted--CPEs, or perhaps this is just an issue with the lists not always keeping in sync?
Thank you in advance for your help,
From: Clapis, Joe
Sent: Thursday, September 01, 2011 12:27 PM
Subject: CVE
We discovered an interesting… issue with CVEs today.