CVE-2021-29063 detected in version 1.3.0 of mpmath

[creste]

IDs

CVE-2021-29063

Description

Trivy detects CVE-2021-29063 in version 1.3.0 of mpmath:

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ mpmath  │ CVE-2021-29063 │ HIGH     │ 1.3.0             │               │ A Regular Expression Denial of Service (ReDOS) vulnerability │
│         │                │          │                   │               │ was disco ...                                                │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-29063                   │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤

The aquasec vulnerability page says the vulnerability only exists in versions up to 1.2.1. The release notes for 1.3.0 say:

Security issues:

Fixed ReDOS vulnerability in mpmathify() (GHSA-f865-m6cq-j9vx) (Vinzent Steinberg)

The datasource for trivy is the Python Packaging Advisory Database. The database correctly shows 1.2.1 as the last affected version.

Trivy should not report 1.3.0 as vulnerable.

Reproduction Steps

1. Create `requirements.txt` with `mpmath==1.3.0`.
2. Run `trivy fs --scanners vuln requirements.txt`

Target

Filesystem

Scanner

Vulnerability

Target OS

No response

Debug Output

$ trivy fs --debug --scanners vuln requirements.txt 
2023-05-30T09:45:38.368-0400	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-05-30T09:45:38.374-0400	DEBUG	cache dir:  /home/user/.cache/trivy
2023-05-30T09:45:38.374-0400	INFO	Need to update DB
2023-05-30T09:45:38.374-0400	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-05-30T09:45:38.374-0400	INFO	Downloading DB...
37.39 MiB / 37.39 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 16.88 MiB p/s 2.4s
2023-05-30T09:45:41.317-0400	DEBUG	Updating database metadata...
2023-05-30T09:45:41.317-0400	DEBUG	DB Schema: 2, UpdatedAt: 2023-05-30 12:07:59.853473827 +0000 UTC, NextUpdate: 2023-05-30 18:07:59.853472927 +0000 UTC, DownloadedAt: 2023-05-30 13:45:41.317742096 +0000 UTC
2023-05-30T09:45:41.317-0400	INFO	Vulnerability scanning is enabled
2023-05-30T09:45:41.317-0400	DEBUG	Vulnerability type:  [os library]
2023-05-30T09:45:41.318-0400	DEBUG	Walk the file tree rooted at 'requirements.txt' in parallel
2023-05-30T09:45:41.334-0400	DEBUG	OS is not detected.
2023-05-30T09:45:41.334-0400	DEBUG	Detected OS: unknown
2023-05-30T09:45:41.334-0400	INFO	Number of language-specific files: 1
2023-05-30T09:45:41.334-0400	INFO	Detecting pip vulnerabilities...
2023-05-30T09:45:41.334-0400	DEBUG	Detecting library vulnerabilities, type: pip, path: requirements.txt
2023-05-30T09:45:41.399-0400	DEBUG	Found an ignore file .trivyignore
2023-05-30T09:45:41.399-0400	DEBUG	These IDs will be ignored: ["CVE-2022-41881" "CVE-2022-24823" "CVE-2022-25647"]

requirements.txt (pip)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ mpmath  │ CVE-2021-29063 │ HIGH     │ 1.3.0             │               │ A Regular Expression Denial of Service (ReDOS) vulnerability │
│         │                │          │                   │               │ was disco ...                                                │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-29063                   │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Version

$ trivy --version
Version: 0.41.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-05-30 12:07:59.853473827 +0000 UTC
  NextUpdate: 2023-05-30 18:07:59.853472927 +0000 UTC
  DownloadedAt: 2023-05-30 13:45:41.317742096 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-05-22 01:03:23.3204665 +0000 UTC
  NextUpdate: 2023-05-25 01:03:23.3204662 +0000 UTC
  DownloadedAt: 2023-05-22 13:52:33.823587465 +0000 UTC
Policy Bundle:
  Digest: sha256:97988c6fc189faa28aa7fc2fc93fb2605c46d2f6ae4092a70e03697ba1d6e620
  DownloadedAt: 2023-05-25 21:53:05.848986101 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

It also has ranges and is missing a fixed version.
https://github.com/pypa/advisory-database/blob/519176d279fc1c318ae7a5f3eb156f51986b970d/vulns/mpmath/PYSEC-2021-427.yaml#L9-L17

According to the OSV spec, a version is considered if it lies within any one of the ranges.

The versions field can enumerate a specific set of affected versions, and the ranges field can list ranges of affected versions, under a given defined ordering. A version is considered affected if it lies within any one of the ranges or is listed in the versions list. Pseudocode for evaluating if a given version is affected is available here.

1.3.0 satisfies >=0. I think Python advisories should be fixed.

[knqyf263]

If I'm missing something, please feel free to reopen the discussion.

[creste]

You're right. I opened an issue with the python advisory database. Thank you for pointing me in the right direction.