Affected Range Examples
Use these examples when vendor ranges, package versions, distro backports, scanner plugins, and fixed-version language do not line up cleanly.
Examples
The upstream version string remains vulnerable-looking, but the distro advisory says the fix was backported. Good evidence includes distro package release, advisory reference, host package output, and scanner plugin context.
A scanner or CPE match hits the product family, but the vulnerable optional feature is absent. Good evidence includes installed component list, configuration proof, service owner confirmation, and review trigger.
The vendor fix requires a major upgrade or appliance firmware path. Good evidence includes supported upgrade path, rollback plan, vendor support statement, and temporary control decision.
The customer may not patch the platform, but still needs tenant validation. Good evidence includes provider advisory, tenant configuration state, customer-owned integrations, and monitoring responsibility.
A new plugin detects a broader range than the earlier advisory. Good evidence includes plugin version, advisory revision date, affected range text, and a retest after owner validation.
The repository shows a fixed base image, but running workloads still use old layers. Good evidence includes image digest, deployment timestamp, running pod/task version, and redeploy proof.
Copy Starters
Can you confirm whether the installed package includes a vendor or distro backport for this CVE? Please attach package release output, advisory link, and scanner plugin context.
Is the vulnerable component or feature installed and enabled on this asset group? Please include configuration proof and the owner who can revalidate if the feature changes.
Which part of this advisory is provider-managed and which tenant configuration remains customer-owned? Please include provider notice, tenant state, and required monitoring or config changes.
Recommended route: compare range language, collect owner proof, then choose affected, not affected, patch, mitigation, or vendor follow-up.