Skip to content

MITRE's own CNA-LR records routinely fail to meet 5.1.3 and 5.1.7 (product and vulnerability type identification) #42

Description

@jgamblin

The CNA Operational Rules require, without exception, that every CVE Record identify an affected product and a vulnerability type:

  • 5.1.3: MUST identify at least one affected Product using information such as Supplier and Product names, versions, and dates.
  • 5.1.7: MUST identify the type of Vulnerability.

Across MITRE's own CNA-assigned records in cvelistV5 for 2025-2026 (5,905 records), the structured fields for these are placeholder text far more often than not:

  • 83.9% list vendor and product as literal n/a in the affected data element.
  • 83.7% list the vulnerability type (problemTypes description) as n/a.
  • 83.4% carry no CVSS or other metrics from the CNA container at all.

Every other major CNA checked (GitHub, Patchstack, VulDB, Microsoft, Adobe, Apple, Oracle, ~30 largest by volume) sits at 0% on the product and type fields. Some of those CNAs also skip CVSS themselves (Chrome and Apple are 100% no-CNA-metrics), but that's a different situation: NVD or CISA reliably backfills it as an ADP, and the required identifying fields (product, type) are still populated correctly by the CNA. MITRE's gap is in the fields the rules say MUST be present, not the optional scoring.

Example: CVE-2026-24114. MITRE's CNA container has vendor: "n/a", product: "n/a", version: "n/a", and a problem type description of "n/a". CISA, acting as ADP, later added the real CWE (CWE-120) and a CVSS 3.1 score of 7.5. The reference MITRE already had in hand (tenda.com.cn) names the vendor and product directly, so the information needed to satisfy 5.1.3 was available at the time of publication.

Anticipated counterargument, addressed directly

5.1.3 doesn't say product identification has to happen in the structured affected element specifically, and 5.2.2 explicitly allows the prose description to carry information not provided elsewhere in the record. So it's fair to ask whether MITRE is actually in violation, or just using the description field instead.

I checked. Sampled 200 random MITRE records with n/a in the structured affected field. All 200 name a real vendor and product in the prose description: D-Link DIR-853, TOTOLINK A3002R, Quest KACE Systems Management Appliance, phpMsAdmin, CKFinder, and so on. This isn't missing information, it's a consistent pipeline pattern of putting real product data in free text and leaving the structured field as a placeholder.

That distinction matters and should be explicit in the rules rather than left to interpretation. The structured affected element exists because it's what makes product identification machine-parseable for every downstream consumer (vulnerability scanners, SBOM matching, CNA scorecards, this analysis itself). A vendor name buried in a sentence doesn't serve that purpose, even though a human reading the description can find it.

Note also that 2.4.3 (the CNA-LR efficiency exemption from notifying suppliers and publishing advisories) doesn't cover this. It exempts CNA-LRs from 4.3.2 and 4.5.2.1, not 5.1.3 or 5.1.7.

Proposed changes

  1. Amend 5.1.3 to: "MUST identify at least one affected Product using the affected data element(s) of the CVE Record Format, with information such as Supplier and Product names, versions, and dates." This closes the loophole 5.2.2 leaves open by naming the structured element explicitly, rather than leaving product identification satisfiable by prose alone.
  2. Clarify 5.1.7 similarly if CNAs are found using n/a problemTypes descriptions while naming the CWE-relevant weakness only in prose.
  3. Alternatively, if the Program intends to allow placeholder structured values as a stopgap pending ADP enrichment, say so explicitly rather than leaving it as an unstated practice inconsistent with the literal text.

Methodology note: analysis script and full per-CNA breakdown available on request, happy to publish to RogoLabs if useful for the review.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions