Understanding the affected range for CVE-2022-34169 #122
Description
Good day,
I would like to understand how a CVE have their affected key created or updated?
For example, CVE-2022-34169 in [1] denotes only 'Apache Xalan' is affected, while OpenJDK advisory [2] explicit says that this CVE also affects their product versions including 18.0.1, 17.0.3, 15.0.7, 13.0.11, 11.0.15, 8u332, and 7u341.
NVD follows OpenJDK's affected range and includes these versions in their documentation [3]. Oracle has also included this CVE in their advisory [4].
How should one interpret this MITRE advisory? Should vendors/products using the Apache Xalan library individually notify MITRE to update the 'affected' field, or is this outside the scope of this database?
Refs:
[1] - https://github.com/CVEProject/cvelistV5/blob/main/cves/2022/34xxx/CVE-2022-34169.json
[2 ] - https://openjdk.org/groups/vulnerability/advisories/2022-07-19
[3] - https://nvd.nist.gov/vuln/detail/cve-2022-34169
[4] - https://www.oracle.com/security-alerts/cpujul2022.html