VMware Advisory Report - Some CVEs not reported in R7 Database website

Hello everyone in the community.

I want to know if any of you have experienced in the past that some CVEs are not reported on the Vulnerability & Exploit Database website, which is also reflected in the IVM console.

Recently (on 12/8/2022) VMware published its Advisory Report entitled “VMSA-2022-0030” (https://www.vmware.com/security/advisories/VMSA-2022-0030.html), which is made up of 4 CVEs:

  • CVE-2022-31696 (High)
  • CVE-2022-31697 (Medium)
  • CVE-2022-31698 (Medium)
  • CVE-2022-31699 (Low)

However, only CVE-2022-31696 (https://nvd.nist.gov/vuln/detail/CVE-2022-31696) appears published on the Vulnerability & Exploit Database website [12/12/2022 published date (Vulnerability & Exploit Database)] and the IVM console.

Since December 8, 2022, I have been following up on this particular Advisory Report's CVEs, and as of today the remaining CVEs have not been published, nor are they available in the IVM console.

It seems strange to me that even CVEs with a MEDIUM Base Score are not yet available.

I made the decision to report this to Rapid7, to know their version. But I wanted to know if something similar has happened to you with other products that are not necessarily from VMware, and what you have done in the past.

Below I share some screenshots of the validations carried out at least until December 27, 2022.

[Screenshots: CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699, IVM_Query_Builder, IVM_Query_Builder_Results]