Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: CY26Q1
Affects Version/s: None
Component/s: None
Labels:
- reported-by-customer

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False

Risk Probability:
Very Likely
Risk Score:
0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Current Behavior

The `deletions.csv` file at `https://security.access.redhat.com/data/csaf/v2/vex/deletions.csv` contains CVEs that have been deleted from the CSAF VEX repository. However, many of these deleted CVEs have active RHSAs (Red Hat Security Advisories) - meaning they affect Red Hat products and have been fixed.

When checking these CVEs:

The CSAF VEX JSON file returns 404 (deleted)
The Red Hat CVE page still exists and shows affected products
The Red Hat Security Data API returns valid data including RHSA references

Examples

CVE-2023-37788

Deleted: 2025-12-05T18:26:12+00:00
RHSA: RHSA-2024:8974 (Red Hat Advanced Cluster Management 2.12.0)
VEX file: https://security.access.redhat.com/data/csaf/v2/vex/2023/cve-2023-37788.json (returns 404)
CVE page: https://access.redhat.com/security/cve/cve-2023-37788 (still exists)

CVE-2025-22868

Deleted: 2025-12-10T09:28:10+00:00
RHSA: RHSA-2025:3503
VEX file: https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-22868.json (returns 404)
CVE page: https://access.redhat.com/security/cve/cve-2025-22868 (exists)

CVE-2023-52356

Deleted: 2025-11-24T21:03:39+00:00
RHSA: RHSA-2024:5079
VEX file: https://security.access.redhat.com/data/csaf/v2/vex/2023/cve-2023-52356.json (returns 404)
CVE page: https://access.redhat.com/security/cve/cve-2023-52356 (exists)

I found 28 examples in deletions.csv.

Steps to Reproduce

# 1. Download deletions.csv:
$ curl -s "https://security.access.redhat.com/data/csaf/v2/vex/deletions.csv" -o deletions.csv

# 2. Check if a deleted CVE has an RHSA:
$ curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37788.json" | jq '.affected_release[0].advisory'
"RHSA-2024:8974"

# 3. Verify the VEX file is deleted:
$ curl -s -o /dev/null -w "%{http_code}" "https://security.access.redhat.com/data/csaf/v2/vex/2023/cve-2023-37788.json"
404

Expected Behavior

It looks like CVEs with active RHSAs should NOT be deleted from the CSAF VEX repository. These files contain critical vulnerability information that consumers rely on for security scanning.

Impact Statement

Consumers of Red Hat's CSAF VEX data cannot detect these vulnerabilities because the VEX files have been deleted.

Assignee:: Unassigned

Reporter:: Teppei Fukuda

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2025/12/15 2:10 PM

Updated:: 2025/12/16 3:49 PM

Details

Description

Current Behavior

Examples

CVE-2023-37788

CVE-2025-22868

CVE-2023-52356

Steps to Reproduce

Expected Behavior

Impact Statement

Attachments

Easy Agile Planning Poker

Activity

People

Dates