Re: Missing CVEs in the json data

[Adi Matalon <adi.matalon@whitesourcesoftware.com>]

Thank you for your answer!

I still have another two questions:

for CVE-2021-43818 exists a page with information about the vulnerable package, lxml.

It is written that the package is vulnerable and there is no fix.

This is the download link for one of the vulnerable version:

http://security-cdn.debian.org/pool/main/l/lxml/python-lxml_3.7.1-1+deb9u3_arm64.deb

So why doesn't this cve exist in the json file?

Another example is CVE-2021-2166.

It is written that the package is vulnerable and there is no fix.

This is the download link for one of the vulnerable version:

http://security-cdn.debian.org/pool/main/m/mariadb-10.3/mariadb-server-10.3_10.3.25-0+deb10u1_i386.deb

mysql-8.0 is vulnerable and no fixed exists and still the cve doesn't exist in the json file.

On 27 Dec 2021, at 14:00, Adi Matalon <adi.matalon@whitesourcesoftware.com> wrote:

Thank you for your answer!

I still have another two questions:

for CVE-2021-43818 exists a page with information about the vulnerable package, lxml.

It is written that the package is vulnerable and there is no fix.

This is the download link for one of the vulnerable version:

http://security-cdn.debian.org/pool/main/l/lxml/python-lxml_3.7.1-1+deb9u3_arm64.deb

So why doesn't this cve exist in the json file?

Another example is CVE-2021-2166.

It is written that the package is vulnerable and there is no fix.

This is the download link for one of the vulnerable version:

http://security-cdn.debian.org/pool/main/m/mariadb-10.3/mariadb-server-10.3_10.3.25-0+deb10u1_i386.deb

mysql-8.0 is vulnerable and no fixed exists and still the cve doesn't exist in the json file.