Affected Version Validation

Prove the version before you assign the work.

Use this guide when a CVE or advisory may apply, but installed versions, fixed versions, affected ranges, backports, or vendor guidance need confirmation.

Start validationExposure Checker

Version rule: do not turn a product-family match into a patch deadline until the installed version, affected range, fixed version, owner, and source of truth are clear.

Identifyproduct

Vendor, product, edition, component, package, plugin, or service role.

Confirminstalled

Observed version from inventory, owner, package manager, console, or scan.

Comparerange

Affected and fixed ranges from vendor, distro, cloud, or appliance guidance.

Recordoutcome

Affected, fixed, not affected, mitigated, exception, or needs review.

Validation Steps

A repeatable path from signal to version proof

1source

Find the authoritative guidance

Start with vendor, distro, cloud provider, appliance, or project advisory text. NVD and scanners are useful, but vendor guidance usually decides affected and fixed ranges.

Capture: advisory URL, publication date, last update, affected products, fixed versions, and workaround notes.

2product

Match the exact product shape

Check product family, edition, component, plugin, package name, platform, appliance model, cloud service, and whether the vulnerable feature is enabled.

Do not assume: similar product names, broad CPEs, or scanner plugin titles prove a match.

3installed

Confirm the installed version from a reliable source

Use package managers, endpoint inventory, cloud inventory, admin consoles, build manifests, owner confirmation, or scan evidence. Record where the version came from.

Watch: load-balanced fleets, containers, plugins, embedded libraries, and stale inventory.

4range

Compare affected and fixed ranges carefully

Check inclusive and exclusive version ranges, branch-specific fixes, minor releases, hotfixes, long-term support trains, and platform-specific exceptions.

Use: Exposure Checker for simple ranges, then confirm edge cases with vendor guidance.

5backport

Handle backports and distro packages with care

Linux distributions and vendors may backport security fixes without changing upstream version numbers. Raw upstream comparisons can falsely label systems vulnerable.

Capture: distro advisory, package release, changelog, build string, and vendor security status.

6outcome

Write a version outcome that can be reviewed

Name the asset scope, installed version, affected range, fixed version or mitigation, validation method, owner, and unresolved exceptions.

Close as: affected, fixed, not affected, mitigated, exception, or needs review.

Version Traps

Common ways validation goes wrong

CPE is too broad

A CPE can point to the right product family but still miss edition, component, feature, platform, or branch details.

Scanner result is stale

Scanners can lag behind patching, miss compensating context, or report plugin logic instead of verified installed state.

Fixed version is branch-specific

A fix may exist for one release train while another needs a different hotfix, workaround, or vendor-supported backport.

Feature is installed but disabled

Disabled or unreachable components may support monitor or not-affected decisions, but only with configuration and owner proof.

Appliance version hides components

Appliance, firmware, and managed-service versions may bundle libraries internally. Use vendor guidance over raw component matching.

One asset does not prove the fleet

Validate representative coverage and note exceptions across clusters, regions, containers, failover nodes, and business units.

Outcome Language

How to write the result without overclaiming

Affected

Installed version falls in vulnerable range

Use when installed product/version and vendor affected range agree, and no backport, feature state, or platform exception removes relevance.

Not affected

Evidence disproves relevance

Use when product mismatch, version mismatch, disabled feature, unsupported platform, or vendor-specific exception is documented.

Fixed

Version or patch proof is present

Use when fixed version, patch level, package release, or vendor-supported backport is installed and validated across scope.

Needs review

Evidence is incomplete or conflicting

Use when vendor guidance, scanner output, inventory, or owner confirmation disagree. Assign a validation owner and review date.

Copy Template

Affected-version validation note

Validation outcome: [affected / not affected / fixed / mitigated / needs review]
Product/component: [vendor, product, edition, package, plugin, appliance model]
Installed version source: [inventory, owner, package manager, console, scan]
Installed version: [version/build/package release]
Vendor affected range: [range and source URL]
Fixed version or workaround: [version/control and source URL]
Scope checked: [asset group/fleet/business service]
Exceptions: [unknowns, stale inventory, branch differences, backport notes]
Owner and review date: [team/person, date]