Incorrect mapping of Applicable versions for CVE-2023-28858 & CVE-2023-28859

[sreecharanguduri]

IDs

CVE-2023-28858 , CVE-2023-28859

Description

Hi Team ,

we have reported anomaly with CVEs in discussion title to be applicable for higher versions i.e with 4.x & not impacted with versions running with 2.x which is updated under https://avd.aquasec.com/nvd/2023/cve-2023-28859/ , https://avd.aquasec.com/nvd/2023/cve-2023-28858 respectively on May17th 2023 both in NVD and also AVD. Can we know when would these changes reflect in Trivy DB so that we no more see these as findings from trivy report for older versions of redis Metadata async library running with 2.10.6 , 2.25.1 (2.x) .Thanks in advance
Best
Sreecharan Guduri

Reproduction Steps

Execute a trivy scan and report shown as below for redis Async Medata library CVEs 

Python (python-pkg)
 
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 
┌─────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├─────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ redis (METADATA)    │ CVE-2023-28859 │ MEDIUM   │ 2.10.6            │ 4.4.4, 4.5.4  │ redis: Async command information disclosure               │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28859                │
│                     ├────────────────┼──────────┤                   ├───────────────┼───────────────────────────────────────────────────────────┤
│                     │ CVE-2023-28858 │ LOW      │                   │ 4.5.3         │ redis: Async command information disclosure               │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28858                │
├─────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ requests (METADATA) │ CVE-2023-32681 │ MEDIUM   │ 2.25.1            │ 2.31.0        │ Unintended leak of Proxy-Authorization header in requests │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-32681                │
└─────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Target

Container Image

Scanner

Vulnerability

Target OS

Ubuntu 18.04

Debug Output

Execute a trivy scan and report shown as below for redis Async Medata library CVEs 

Python (python-pkg)
 
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 
┌─────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├─────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ redis (METADATA)    │ CVE-2023-28859 │ MEDIUM   │ 2.10.6            │ 4.4.4, 4.5.4  │ redis: Async command information disclosure               │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28859                │
│                     ├────────────────┼──────────┤                   ├───────────────┼───────────────────────────────────────────────────────────┤
│                     │ CVE-2023-28858 │ LOW      │                   │ 4.5.3         │ redis: Async command information disclosure               │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28858                │
├─────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ requests (METADATA) │ CVE-2023-32681 │ MEDIUM   │ 2.25.1            │ 2.31.0        │ Unintended leak of Proxy-Authorization header in requests │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-32681                │
└─────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Version

Trivy version - 0.36

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

Did you see our checklist? The data source (GitHub Security Advisories) seems to be wrong. Please report it to GitHub.
GHSA-8fww-64cx-x8p5

[knqyf263]

Not GitLab, but GitHub

[sreecharanguduri]

hi , the issue is resolved from github can we know when it would reflect in trivy ? we update trivy DB on daily basis? github/advisory-database#2335

[DmitriyLewen]

Hello @sreecharanguduri
I checked this question:
We use GitHub and OSV to find python vulnerabilities.

OSV still contains incorrect versions:
https://osv.dev/vulnerability/PYSEC-2023-45
https://osv.dev/vulnerability/PYSEC-2023-46

[sreecharanguduri]

Hello , the github advisory & google osv.dev are fixed , can you help us understand when this issue is marked not applicable or not seen as a finding in trivy pls ? is there some action needed from our side apart from trivy db update?

osv.dev : google/osv.dev#1355

github : github/advisory-database#2335

[knqyf263]

The advisories are updated every 6 hours, and the database is updated every 6 hours.

[sreecharanguduri]

Detailed explanation from Git lab attached below

Both those advisories were updated last week to reflect NVD's change stating that the vulnerability only exists since version 4.2.0:

https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/pypi/redis/CVE-2023-28858.yml#L15
https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/pypi/redis/CVE-2023-28859.yml#L14

Therefore, is you are using the redis-py library version 2.x, GitLab should no longer flag it as being vulnerable. The previously detected vulnerability will continue to exist, but its state should change to "remediated" and "no longer detected". Note that you need to rerun the Dependency Scanning pipeline to get up-to-date results.
I'll already close this issue as the requested changes have already been implemented.
Let me know how it goes.