https://cveawg.mitre.org/api/cve/CVE-2023-21744 includes:
"product":"Microsoft SharePoint Server Subscription Edition","versions":[{"version":"unspecified","status":"affected"}]
The original intention of the schema was not to encourage "unspecified" as a value of "version" but, in practice, this may be the best available way to represent some types of limited information.
A provider has the option of stating:
{
"version": "0",
"lessThan":"*",
"versionType":"custom",
"status":"unknown"
}
(or simply "defaultStatus":"unknown"); however, at the time that a CVE Record is first published, the provider may be certain of the affected versions for some products, whereas for other products, it is certain that at least one version is affected, but the version numbers haven't yet been investigated. It is possible that the schema could be extended so that a provider could pass along this additional fact to end users, e.g., provide a stronger signal that users of the less-investigated product should be concerned.
It is unclear how to implement this in the best way; some possibilities may be:
{
"version": "0",
"lessThan":"*",
"versionType":"custom",
"status":"partiallyAffected"
}
{
"version": "0",
"lessThan":"*",
"versionType":"custom",
"status":"hasAtLeastOneAffected"
}
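How a consumer of CVE Records can tell these cases apart today, as an added example that is not part of the issue or of the schema project. The category labels, the function name and the "Example Server" entries are hypothetical and the sample data is constructed; only "unspecified" is treated as a placeholder because that is the value the issue cites.

```python
# Added example: classify how much version detail each "affected" entry of a
# CVE Record carries. SAMPLE_AFFECTED is constructed data, not a real record.
SAMPLE_AFFECTED = [
    {"product": "Example Server A",
     "versions": [{"version": "unspecified", "status": "affected"}]},
    {"product": "Example Server B",
     "versions": [{"version": "0", "lessThan": "*",
                   "versionType": "custom", "status": "unknown"}]},
    {"product": "Example Server C", "defaultStatus": "unknown"},
    {"product": "Example Server D",
     "versions": [{"version": "16.0.0", "lessThan": "16.0.5",
                   "versionType": "custom", "status": "affected"}]},
]

# Assumption: "unspecified" is the only placeholder string handled here.
PLACEHOLDER_VERSIONS = frozenset({"unspecified"})


def classify(entry, placeholders=PLACEHOLDER_VERSIONS):
    """Return a hypothetical triage label for one product entry."""
    versions = entry.get("versions", [])
    # The schema treats a missing defaultStatus as "unknown".
    default = entry.get("defaultStatus", "unknown")
    affected = [v for v in versions if v.get("status") == "affected"]

    # At least one affected entry names a real version or range.
    if any(v.get("version") not in placeholders for v in affected):
        return "affected_versions_known"
    # Affected, but every version string is a placeholder: the case the
    # issue describes (something is affected, numbers not yet investigated).
    if affected:
        return "affected_version_unspecified"
    if default == "affected":
        return "affected_by_default"
    if default == "unknown" or any(v.get("status") == "unknown" for v in versions):
        return "status_unknown"
    return "not_affected"


def triage(affected_list):
    """Map each product name to its label."""
    return {e.get("product", "?"): classify(e) for e in affected_list}


if __name__ == "__main__":
    for product, label in triage(SAMPLE_AFFECTED).items():
        print(f"{product}: {label}")
```

Entries labelled `affected_version_unspecified` are the ones a scanner that matches only concrete version ranges would miss, so they are worth routing to manual review.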