Zabbix: Version 6.2.9 marks as vulnerable and they are not

[rrodriguez-cdmon]

IDs

CVE-2022-23132, CVE-2022-23133, CVE-2022-24349, CVE-2022-24917, CVE-2022-24918, CVE-2022-24919, CVE-2022-35229, CVE-2022-35230, CVE-2022-40626, CVE-2022-43515

Description

NOT SPECIFIED IN AFECTED VERSION THE CURRENT VERSION 6.2.9:
https://avd.aquasec.com/nvd/2022/cve-2022-23132/
https://avd.aquasec.com/nvd/2022/cve-2022-23133/
https://avd.aquasec.com/nvd/2022/cve-2022-24349/
https://avd.aquasec.com/nvd/2022/cve-2022-24917/
https://avd.aquasec.com/nvd/2022/cve-2022-24918/
https://avd.aquasec.com/nvd/2022/cve-2022-24919/
https://avd.aquasec.com/nvd/2022/cve-2022-35229/
https://avd.aquasec.com/nvd/2022/cve-2022-35230/
https://avd.aquasec.com/nvd/2022/cve-2022-40626/
https://avd.aquasec.com/nvd/2022/cve-2022-43515/

Reproduction Steps

# trivy rootfs / --scanners vuln --format json -q > trivy.txt
# vim trivy.txt
...
{
          "VulnerabilityID": "CVE-2022-43515",
          "PkgID": "zabbix-agent2@1:6.2.9-1+debian11",
          "PkgName": "zabbix-agent2",
          "InstalledVersion": "1:6.2.9-1+debian11",
          "Layer": {},
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-43515",
          "DataSource": {
            "ID": "debian",
            "Name": "Debian Security Tracker",
            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
          },
          "Title": "Zabbix Frontend provides a feature that allows admins to maintain the  ...",
          "Description": "Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using IP address not listed in the defined range.",
          "Severity": "CRITICAL",
          "CweIDs": [
            "CWE-863"
          ],
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 9.8
            }
          },
          "References": [
            "https://support.zabbix.com/browse/ZBX-22050"
          ],
          "PublishedDate": "2022-12-05T19:15:00Z",
          "LastModifiedDate": "2023-02-03T21:23:00Z"
        },
...

Target

Filesystem

Scanner

Vulnerability

Target OS

Debian 11

Debug Output

2023-05-17T11:38:28.661+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-05-17T11:38:28.666+0200	DEBUG	cache dir:  /root/.cache/trivy
2023-05-17T11:38:28.667+0200	DEBUG	DB update was skipped because the local DB is the latest
2023-05-17T11:38:28.667+0200	DEBUG	DB Schema: 2, UpdatedAt: 2023-05-17 06:09:28.766768241 +0000 UTC, NextUpdate: 2023-05-17 12:09:28.766768041 +0000 UTC, DownloadedAt: 2023-05-17 08:31:31.313273814 +0000 UTC
2023-05-17T11:38:28.667+0200	INFO	Vulnerability scanning is enabled
2023-05-17T11:38:28.667+0200	DEBUG	Vulnerability type:  [os library]
2023-05-17T11:38:28.667+0200	INFO	Secret scanning is enabled
2023-05-17T11:38:28.667+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-17T11:38:28.667+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-17T11:38:28.667+0200	DEBUG	No secret config detected: trivy-secret.yaml
2023-05-17T11:38:28.667+0200	DEBUG	Walk the file tree rooted at '/' in parallel
2023-05-17T11:38:28.667+0200	DEBUG	Skipping directory: sys
2023-05-17T11:39:18.676+0200	DEBUG	Skipping directory: dev
2023-05-17T11:39:22.279+0200	DEBUG	Skipping directory: proc
^C
vxadm-45:/usr/local/home/rrodri# trivy rootfs vuln --debug
2023-05-17T11:41:19.929+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-05-17T11:41:19.935+0200	DEBUG	cache dir:  /root/.cache/trivy
2023-05-17T11:41:19.937+0200	DEBUG	DB update was skipped because the local DB is the latest
2023-05-17T11:41:19.937+0200	DEBUG	DB Schema: 2, UpdatedAt: 2023-05-17 06:09:28.766768241 +0000 UTC, NextUpdate: 2023-05-17 12:09:28.766768041 +0000 UTC, DownloadedAt: 2023-05-17 08:31:31.313273814 +0000 UTC
2023-05-17T11:41:19.939+0200	INFO	Vulnerability scanning is enabled
2023-05-17T11:41:19.939+0200	DEBUG	Vulnerability type:  [os library]
2023-05-17T11:41:19.939+0200	INFO	Secret scanning is enabled
2023-05-17T11:41:19.939+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-17T11:41:19.939+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
...

Version

# trivy --version
Version: 0.41.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-05-17 06:09:28.766768241 +0000 UTC
  NextUpdate: 2023-05-17 12:09:28.766768041 +0000 UTC
  DownloadedAt: 2023-05-17 08:31:31.313273814 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-05-15 01:01:51.3557117 +0000 UTC
  NextUpdate: 2023-05-18 01:01:51.3557111 +0000 UTC
  DownloadedAt: 2023-05-15 05:01:57.209573235 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

First, please see if they are not vulnerable.
#4421 (comment)