So I’m following the CVE from google that was CVE-2023-4863 regarding webp. It was assigned a new CVE to CVE-2023-5217. So with a change like this with there be a new CVE entry in a content update or just keep referencing the old CVE?

1 Like

SInce this is dealing with an entirely new library package, one would think that you would have to track it with the new CVE. But I would also like to know how this will be tracked.

Hey both!

As rrobertrice_ivm pointed out, this is a new library vulnerability. So we’ve released content for CVE-2023-5217 for libvpx on the 28th of September, as long as you’re on the latest content version (or a version after this date) then you should have CVE-2023-5217 to reference within InsightVM.

CVE-2023-4863 has had some interesting events around the CVEs that were released, but in this case we track libvpx separate to libwebp; they’re considered different vulnerabilities, though they are both out of bounds write (CWE-787) weaknesses.

Hopefully that clears it up, but feel free to let me know if you’ve got follow up questions!

1 Like

That definitely helps and I did eventually see the content update in InsightVM.

1 Like