Thought I would raise a finding here which I feel is questionable. Interested to hear other viewpoints.
This is regarding the recent MS vulnerability, CryptoAPI. The CVE reference is CVE-2020-0601. Microsoft have patched this as part of the January 2020 roll-up; in other words, lots of additional CVEs are covered in the patch.
Qualys have released two QIDs: 91595 and 91596.
91595 relates explicitly to CVE-2020-0601 and provides results based on this specific vulnerability ONLY. This is a 1-to-1 mapping (1 QID, 1 CVE).
91596 relates to the patch and the list of CVEs which are remediated by deploying the patch. This is a 1-to-many mapping where 1 QID covers multiple CVEs (quite common).
My issue is that when I search for QID 91595 I get 57 assets.
When I search for CVE-2020-0601, I get over 120 assets.
The 120+ assets include OSes NOT vulnerable to the CVE.
It seems that the search for CVE-2020-0601 is translating the search to QID 91596, then returning ALL the windows assets that need the January patch, even though 70 or so aren't vulnerable to CVE-2020-0601?
Surely CVE-2020-0601 should return ONLY those assets which are vulnerable, and not those assets which need the same patch despite not being vulnerable to one of the CVEs.
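The over-reporting described in the post can be reproduced with a small model of the QID-to-CVE mapping. This is an added example, not code from the post or from Qualys: the two QIDs and CVE-2020-0601 are the real identifiers, while the other CVE strings, the asset names and the detections are constructed placeholders. The "strict" filter below (treat only a QID whose CVE list is exactly the searched CVE as authoritative) is one assumed way of getting the 1-to-1 result, not a documented Qualys behaviour.

```python
# Added example (not from the original post or from Qualys): how a CVE search
# that expands to every QID listing that CVE over-reports assets when one of
# those QIDs is a one-to-many patch QID.

# QID -> set of CVEs it covers. QIDs 91595/91596 and CVE-2020-0601 are real;
# "CVE-OTHER-A"/"CVE-OTHER-B" are constructed placeholders for the other CVEs
# fixed by the same January roll-up.
QID_CVES = {
    91595: {"CVE-2020-0601"},                                # 1-to-1
    91596: {"CVE-2020-0601", "CVE-OTHER-A", "CVE-OTHER-B"},  # 1-to-many (patch QID)
}

# Constructed detections as (asset, qid). Hosts whose OS carries the affected
# CryptoAPI code trip both QIDs; hosts that merely lack the roll-up trip only
# the patch QID 91596.
DETECTIONS = [
    ("win10-01", 91595), ("win10-01", 91596),
    ("srv2016-02", 91595), ("srv2016-02", 91596),
    ("srv2012-03", 91596),   # needs the patch, not vulnerable to CVE-2020-0601
    ("win7-04", 91596),      # same
]


def assets_with_qid(detections, qid):
    """Assets on which a specific QID was detected (the QID 91595 search)."""
    return {asset for asset, q in detections if q == qid}


def assets_by_cve_via_any_qid(detections, qid_cves, cve):
    """Naive expansion: every QID whose CVE list contains the CVE counts.
    This is the behaviour the post observes for the CVE-2020-0601 search."""
    matching = {q for q, cves in qid_cves.items() if cve in cves}
    return {asset for asset, q in detections if q in matching}


def assets_by_cve_strict(detections, qid_cves, cve):
    """Assumed fix: only QIDs mapped 1-to-1 to the CVE are authoritative for
    'is this asset vulnerable to this CVE'."""
    matching = {q for q, cves in qid_cves.items() if cves == {cve}}
    return {asset for asset, q in detections if q in matching}


def over_reported(detections, qid_cves, cve):
    """Assets returned by the naive CVE search that no 1-to-1 QID confirms:
    they need the patch but are not shown to be vulnerable to this CVE."""
    return (assets_by_cve_via_any_qid(detections, qid_cves, cve)
            - assets_by_cve_strict(detections, qid_cves, cve))


if __name__ == "__main__":
    cve = "CVE-2020-0601"
    print("QID 91595 :", sorted(assets_with_qid(DETECTIONS, 91595)))
    print("CVE naive :", sorted(assets_by_cve_via_any_qid(DETECTIONS, QID_CVES, cve)))
    print("CVE strict:", sorted(assets_by_cve_strict(DETECTIONS, QID_CVES, cve)))
    print("inflated  :", sorted(over_reported(DETECTIONS, QID_CVES, cve)))
```

With the constructed data the naive CVE search returns four assets while the QID 91595 search and the strict CVE search both return two; the difference is exactly the hosts that only tripped the patch QID, which is the pattern the post reports at 120+ versus 57.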