
ImageMagick6 NIST CPEs are stale #237

Open
MontyCarter opened this issue May 2, 2023 · 1 comment

Comments

@MontyCarter

MontyCarter commented May 2, 2023

ImageMagick version

6.9.12-54 > version < 7.0.0-0

Operating system

Other (enter below)

Operating system, version and so on

N/A

Description

It seems that ImageMagick6 CPEs are no longer being added to the NIST CVE database. The latest CPE is cpe:2.3:a:imagemagick:imagemagick:6.9.12-54:*:*:*:*:*:*:*, which was added on 06/30/2022 and last modified on 07/11/2022. It appears that the ImageMagick 7 CPEs are still being added: cpe:2.3:a:imagemagick:imagemagick:7.1.1-5:*:*:*:*:*:*:* was added on 03/28/23 and modified on 04/07/23.

This is problematic for tools that scan and alert for CVEs that are present in a project. For example, CVE-2023-1289 is listed as affecting cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* for all versions up to 7.1.1-0. This means that all versions of ImageMagick6 are flagged as being affected by this CVE, despite the fact that the ImageMagick 7 fix was ported over to ImageMagick6 (via a new commit rather than merging the ImageMagick7 fix), and included in 6.9.12-866.9.12-78

I'm wondering if this will be the state of things moving forward or whether this was an oversight.

Steps to Reproduce

Search for imagemagick 6.9.12-55+ in the NIST CPE database.

Images

No response
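The false-positive mechanism described in the report, as an added example that is not part of the issue or of the ImageMagick project: a small model of how a CVE scanner matches an NVD CPE applicability statement (a wildcard-version CPE plus a "version end excluding" bound) against an inventory of installed ImageMagick versions, and how a backport override suppresses the noise the stale catalogue produces. The CVE id, the CPE strings and the 7.1.1-0 bound are taken from the issue; the inventory, the list of "known" CPE versions and the 6.9.12-78 backport value in `BACKPORT_FIXED_IN` are constructed assumptions for this example.

```python
"""Model of NVD CPE range matching against ImageMagick versions.

Added example, not code from the issue or from ImageMagick. It shows why
a version-range CPE match flags every ImageMagick 6 build for
CVE-2023-1289 when the catalogue stops at 6.9.12-54, and how a scanner
can carry its own backport exceptions to avoid the false positives.
"""
import re
from dataclasses import dataclass
from typing import Optional

# ImageMagick versions look like MAJOR.MINOR.PATCH-BUILD, e.g. 6.9.12-78.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(v: str) -> tuple:
    """Turn '6.9.12-78' into (6, 9, 12, 78) so tuples compare correctly."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised ImageMagick version: {v!r}")
    return tuple(int(x) for x in m.groups())


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its eleven named components.

    Escaped colons are not handled; the imagemagick CPEs need none.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    keys = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]
    return dict(zip(keys, parts[2:]))


@dataclass
class CpeMatch:
    """One NVD configuration node: a CPE criteria string plus a ceiling."""
    cve: str
    criteria: str                                # version field may be '*'
    version_end_excluding: Optional[str] = None


def naive_is_affected(match: CpeMatch, installed: str) -> bool:
    """What a scanner reports when it trusts the NVD range as-is."""
    cpe = parse_cpe23(match.criteria)
    if cpe["vendor"] != "imagemagick" or cpe["product"] != "imagemagick":
        return False
    if cpe["version"] != "*" and cpe["version"] != installed:
        return False
    if match.version_end_excluding is None:
        return True
    return parse_version(installed) < parse_version(match.version_end_excluding)


# Constructed override table (assumption for this example): per CVE and
# major release line, the earliest build that carries the backported fix.
# The issue says the fix was ported to ImageMagick 6, but nothing in the
# CPE data tells a scanner that, so the scanner has to carry it itself.
BACKPORT_FIXED_IN = {
    ("CVE-2023-1289", 6): "6.9.12-78",
}


def is_affected(match: CpeMatch, installed: str) -> bool:
    """Range match first, then drop builds at or after a known backport."""
    if not naive_is_affected(match, installed):
        return False
    major = parse_version(installed)[0]
    fixed = BACKPORT_FIXED_IN.get((match.cve, major))
    if fixed is not None and parse_version(installed) >= parse_version(fixed):
        return False
    return True


def missing_cpe_versions(inventory: list, known_cpe_versions: list) -> list:
    """Versions in use that have no entry in the CPE dictionary at all.

    This is the staleness check the issue's 'Steps to Reproduce' performs
    by hand: any hit here is a version the catalogue does not know.
    """
    known = set(known_cpe_versions)
    return [v for v in inventory if v not in known]


# The applicability statement quoted in the issue for CVE-2023-1289.
CVE_2023_1289 = CpeMatch(
    cve="CVE-2023-1289",
    criteria="cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*",
    version_end_excluding="7.1.1-0",
)

# Constructed sample inventory and constructed snapshot of catalogued CPE
# versions (only the two versions named in the issue are "known").
INVENTORY = ["6.9.12-54", "6.9.12-78", "6.9.12-93", "7.1.0-62", "7.1.1-5"]
KNOWN_CPES = ["6.9.12-54", "7.1.1-5"]


def scan(match: CpeMatch, inventory: list) -> dict:
    """Map each version to (naive verdict, verdict with backport override)."""
    return {v: (naive_is_affected(match, v), is_affected(match, v)) for v in inventory}


if __name__ == "__main__":
    for version, (naive, adjusted) in scan(CVE_2023_1289, INVENTORY).items():
        print(f"{version:10} naive={naive!s:5} with_backports={adjusted}")
    print("no CPE entry:", missing_cpe_versions(INVENTORY, KNOWN_CPES))
```

Running the block prints every 6.9.12-x build as affected under the naive range match, which is exactly the behaviour the issue complains about; only the override table separates 6.9.12-54 (pre-backport) from 6.9.12-78 and later. The `missing_cpe_versions` check is the cheap detection a defender can automate: if versions you ship have no CPE entry at all, range-based matching against that product is operating on an incomplete catalogue and its alerts need review.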

@urban-warrior
Member

The ImageMagick team is not associated with nor does it maintain the NIST CPE database. You would need to contact the CPE maintainers to correct any deficiencies with the database.
