  1. Security Data
  2. SECDATA-1134

CVE-2025-7783 Inconsistencies: Incorrect in OVAL & Missing from OSV


    • Bug
    • Resolution: Unresolved
    • osv, oval
    • Moderate
    • Very Likely

      Current Behavior

      CVE-2025-7783 is listed via this web page and in this VEX data, which seems to be the canonical source. The package `mozjs60` is marked as not affected.

      However, in the OVAL 8 unpatched file[1], `mozjs60` is marked as affected, which contradicts the web/VEX data sources. Additionally, CVE-2025-7783 is not in osv.dev (link), which seems to be the place upstream data sources should search for data.
       
      [1] https://security.access.redhat.com/data/oval/v2/RHEL8/rhel-8-including-unpatched.oval.xml.bz2

      Expected Behavior

      Not affected data is the same for both VEX and OVAL data sources, and CVE-2025-7783 shows up in osv.dev (may be an issue upstream with osv.dev?).
       
      Steps to reproduce

      • See links above.
         

      Impact Statement

      Our vulnerability reporting is inaccurate while the data discrepancies exist. We would like to migrate to OSV but need to verify data accuracy compared to our existing OVAL integration.
       

              jsvoboda@redhat.com Jakub Svoboda
              rhdsmnd Ron Desmond (Inactive)
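
A minimal cross-check for the kind of discrepancy reported above, added here as an example (it is not part of the ticket and not Red Hat tooling). The embedded VEX and OVAL samples are constructed and heavily trimmed; the field and element layout (CSAF `product_status` lists, OVAL `advisory/affected/resolution/component`) and the `product:component` ID form are assumptions about the feeds.

```python
import json
import xml.etree.ElementTree as ET

# Constructed, trimmed samples (not real feed content); layout is assumed.
VEX_SAMPLE = json.dumps({"vulnerabilities": [{
    "cve": "CVE-2025-7783",
    "product_status": {
        "known_not_affected": ["red_hat_enterprise_linux_8:mozjs60"],
    },
}]})

OVAL_SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions><definition class="vulnerability" id="oval:example:def:1">
  <metadata>
   <reference ref_id="CVE-2025-7783" source="CVE"/>
   <advisory><affected><resolution state="Affected">
     <component>mozjs60</component>
   </resolution></affected></advisory>
  </metadata>
 </definition></definitions>
</oval_definitions>"""

def vex_status(vex_json, cve):
    """Map component -> VEX status (e.g. known_not_affected) for one CVE."""
    out = {}
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        for status, products in vuln.get("product_status", {}).items():
            for pid in products:
                out[pid.rsplit(":", 1)[-1]] = status  # drop product prefix
    return out

def oval_state(oval_xml, cve):
    """Map component -> OVAL resolution state for one CVE."""
    out = {}
    for d in ET.fromstring(oval_xml).findall(".//{*}definition"):
        if not any(r.get("ref_id") == cve for r in d.findall(".//{*}reference")):
            continue
        for res in d.findall(".//{*}resolution"):
            for comp in res.findall("{*}component"):
                out[comp.text.strip()] = res.get("state")
    return out

def conflicts(vex_json, oval_xml, cve):
    """Components VEX calls not affected but OVAL still reports as Affected."""
    vex, oval = vex_status(vex_json, cve), oval_state(oval_xml, cve)
    return sorted(c for c, s in vex.items()
                  if s == "known_not_affected" and oval.get(c) == "Affected")
```

Against the real feeds, the decompressed OVAL file and the CVE's VEX JSON would replace the two sample strings; a non-empty result from `conflicts` is the mismatch described in the ticket.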