salt-minion: Version 3005.1 marks as vulnerable and they are not #4421
-
They should be vulnerable as Debian 11 doesn't have patches.
-
But in this case we have installed the official package of the specific manufacturer for Debian. Although the official Debian repos still do not have this version deployed, the manufacturer serves this package: https://repo.saltproject.io/salt/py3/debian/
-
IDs
CVE-2022-22934, CVE-2022-22935, CVE-2022-22936, CVE-2022-22941, CVE-2022-22967
Description
Trivy marks salt-minion version 3005.1 as vulnerable and they do not appear as affected versions in the CVE databases:
https://avd.aquasec.com/nvd/2022/cve-2022-22934/
https://avd.aquasec.com/nvd/2022/cve-2022-22935/
https://avd.aquasec.com/nvd/2022/cve-2022-22936/
https://avd.aquasec.com/nvd/2022/cve-2022-22941/
https://avd.aquasec.com/nvd/2022/cve-2022-22967/
Reproduction Steps
Target
Filesystem
Scanner
Vulnerability
Target OS
Debian 11
Debug Output
Version
# trivy --version
Version: 0.41.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-05-17 06:09:28.766768241 +0000 UTC
  NextUpdate: 2023-05-17 12:09:28.766768041 +0000 UTC
  DownloadedAt: 2023-05-17 10:04:37.841778574 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-05-16 00:49:53.281401489 +0000 UTC
  NextUpdate: 2023-05-19 00:49:53.281400789 +0000 UTC
  DownloadedAt: 2023-05-16 05:01:43.334005792 +0000 UTC
Checklist
-f json
that shows data sources and confirmed that the security advisory in data sources was correct
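The checklist item above refers to `-f json` output that shows data sources. The script below is an added example, not part of the original report or of Trivy's own code: it groups one package's findings by the advisory source that produced them and notes whether that source records a fixed version. The report is a constructed sample with illustrative values (including the placeholder `CVE-0000-0001` and `examplepkg`); the field names follow Trivy's JSON report.

```python
import json

# Constructed sample shaped like `trivy fs -f json` output; values are
# illustrative and are not taken from the reporter's scan.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "host (debian 11)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-22934", "PkgName": "salt-minion",
             "InstalledVersion": "3005.1", "FixedVersion": "",
             "DataSource": {"ID": "debian", "Name": "Debian Security Tracker"}},
            {"VulnerabilityID": "CVE-2022-22967", "PkgName": "salt-minion",
             "InstalledVersion": "3005.1",
             "DataSource": {"ID": "debian", "Name": "Debian Security Tracker"}},
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplepkg",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
             "DataSource": {"ID": "debian", "Name": "Debian Security Tracker"}},
        ],
    }]
})


def findings_by_source(report_json, pkg_name):
    """Return {data source ID: [finding dicts]} for one package."""
    report = json.loads(report_json)
    grouped = {}
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("PkgName") != pkg_name:
                continue
            source = (vuln.get("DataSource") or {}).get("ID", "unknown")
            grouped.setdefault(source, []).append({
                "id": vuln["VulnerabilityID"],
                "installed": vuln.get("InstalledVersion", ""),
                # Empty or missing FixedVersion: the source records no fixed
                # package version for this release.
                "unfixed": not vuln.get("FixedVersion"),
            })
    return grouped


if __name__ == "__main__":
    for source, items in findings_by_source(SAMPLE_REPORT, "salt-minion").items():
        for f in items:
            print(source, f["id"], f["installed"], "unfixed" if f["unfixed"] else "fix listed")
```

Findings whose source is the distribution's tracker and that carry no fixed version are the ones to compare against where the package was actually installed from, as the second reply in this thread does.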