So I’m following the CVE from Google that was CVE-2023-4863 regarding webp. It was assigned a new CVE to CVE-2023-5217. So with a change like this, will there be a new CVE entry in a content update or just keep referencing the old CVE?

Since this is dealing with an entirely new library package, one would think that you would have to track it with the new CVE. But I would also like to know how this will be tracked.

Hey both!

As rrobertrice_ivm pointed out, this is a new library vulnerability. So we’ve released content for CVE-2023-5217 for libvpx on the 28th of September. As long as you’re on the latest content version (or a version after this date), you should have CVE-2023-5217 to reference within InsightVM.

CVE-2023-4863 has had some interesting events around the CVEs that were released, but in this case we track libvpx separate to libwebp; they’re considered different vulnerabilities, though they are both out-of-bounds write (CWE-787) weaknesses.

Hopefully that clears it up, but feel free to let me know if you’ve got follow-up questions!

That definitely helps and I did eventually see the content update in InsightVM.

