3.2.3 Single Product, Single Version, Multiple Vulnerabilities, Multiple Statuses
In this use case, Example Company has fielded product GHI. The company makes statements
about each version of its product in a different VEX document. For a given version of a given
product, a particular vulnerability instance can only have a single status. However, other
instances of the same or different vulnerabilities may have different statuses.
Product GHI’s TCP/IP stack is based on Treck’s stack, with some custom implementation and
modifications. When Ripple20 was disclosed, Example Company’s PSIRT released a VEX
document stating that product GHI’s version 17.4 is not affected by some of the Ripple20
vulnerabilities (namely CVE-2020-11897, CVE-2020-11902, CVE-2020-11899, CVE-2020-11905,
CVE-2020-11906, CVE-2020-11913), but that it is affected by certain others (CVE-2020-11898,
CVE-2020-11907, CVE-2020-11909, CVE-2020-11910, CVE-2020-11911). Moreover, others are
still under investigation (CVE-2020-11896, CVE-2020-11900, CVE-2020-11904, CVE-2020-11903,
CVE-2020-11908) and some are fixed already (CVE-2020-11901, CVE-2020-11912,
CVE-2020-11914).
○ CSAF example
○ CycloneDX example
3.2.4 Single Product, Multiple Versions, Single Vulnerability, Single Status
In this use case, Example Company has fielded product ABC and provided updates or otherwise
updated it over time, so that there are multiple versions of the software. Different types of
software or suppliers of software track versions and distributions differently.
The company makes statements about each version of its product in a single VEX document.
The new Log4j vulnerability, with associated CVE-2021-44228, has been identified in a
component of product ABC. Example Company prepares a VEX document to inform customers
that the vulnerability is exploitable (status: KNOWN_AFFECTED) in product ABC’s versions
2.4, 2.6, and all versions from 2.9 through 4.1 inclusive. There are 90 separate product
versions within that range, including minor versions and bug fixes.
○ CSAF example
○ CycloneDX example
NOTE: Multiple versions can be communicated in two ways within a VEX document. Each
version can be called out in enumeration (e.g., 2.9, 3.0) or a range (e.g.,
"vers:generic/>=2.9|<=4.1"). An additional example of a range could be “all versions before 2.0
are AFFECTED.” Both range and enumeration are valid approaches.
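To show how the enumeration-plus-range statement from use case 3.2.4 is expressed and then consumed, here is an added example (not code from this document or from the CSAF/CycloneDX projects) that builds a minimal CycloneDX 1.4 VEX for CVE-2021-44228 and checks whether a given deployed version of product ABC falls under the KNOWN_AFFECTED statement. The product reference `urn:example:abc` is a placeholder, and the `vers:generic` evaluator is a simplification that treats the range as a single contiguous interval with dotted-numeric ordering.

```python
import operator
import re

# VEX status -> CycloneDX 1.4 analysis.state vocabulary
VEX_TO_CDX_STATE = {"NOT_AFFECTED": "not_affected", "KNOWN_AFFECTED": "exploitable",
                    "FIXED": "resolved", "UNDER_INVESTIGATION": "in_triage"}
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq, "!=": operator.ne}

def build_vex(product_ref, cve, status, versions, ranges):
    """Minimal CycloneDX 1.4 VEX: enumerated versions and vers ranges both become affects[].versions[] entries."""
    entries = [{"version": v, "status": "affected"} for v in versions]
    entries += [{"range": r, "status": "affected"} for r in ranges]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "vulnerabilities": [{"id": cve,
                                 "analysis": {"state": VEX_TO_CDX_STATE[status]},
                                 "affects": [{"ref": product_ref, "versions": entries}]}]}

def _key(version):
    # Simplified ordering (assumption): dotted numeric components, so 2.10 > 2.9
    return tuple(int(p) for p in version.split("."))

def in_range(version, vers):
    """Evaluate e.g. 'vers:generic/>=2.9|<=4.1'. Simplification (assumption): every
    constraint must hold, which is exact for one contiguous interval only."""
    scheme, _, constraints = vers.partition("/")
    assert scheme == "vers:generic", f"unsupported versioning scheme in {vers}"
    for constraint in constraints.split("|"):
        op, bound = re.fullmatch(r"(>=|<=|!=|>|<|=)?(.+)", constraint).groups()
        if not _OPS[op or "="](_key(version), _key(bound)):
            return False
    return True

def is_affected(vex_doc, product_ref, cve, version):
    """Consumer-side check: does the VEX say this product version is affected by cve,
    either through an enumerated version or through a range entry?"""
    for vuln in vex_doc["vulnerabilities"]:
        if vuln["id"] != cve or vuln["analysis"]["state"] != "exploitable":
            continue
        for entry in (e for t in vuln["affects"] if t["ref"] == product_ref
                      for e in t["versions"] if e["status"] == "affected"):
            if "version" in entry and _key(entry["version"]) == _key(version):
                return True
            if "range" in entry and in_range(version, entry["range"]):
                return True
    return False

# Use case 3.2.4: product ABC, CVE-2021-44228, versions 2.4, 2.6 and 2.9 through 4.1
ABC_VEX = build_vex("urn:example:abc", "CVE-2021-44228", "KNOWN_AFFECTED",
                    ["2.4", "2.6"], ["vers:generic/>=2.9|<=4.1"])
```

Version 2.5 is deliberately outside both the enumeration and the range, so the check returns false for it while 2.4 and any 2.9 to 4.1 release return true.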