CVE-2023-25330 vulnerability has false positives

[zangcc]

Description

According to the reference link in the Trivy report: https://avd.aquasec.com/nvd/2023/cve-2023-25330. This report points out that Mybatis plus versions below 3.5.3.1 have SQL injection vulnerabilities. However, this vulnerability will still be reported when I upgrade to a version greater than 3.5.3.1, and Trivy still reflects the existence of this vulnerability in the report.

Desired Behavior

If Mybatis plus is greater than version 3.5.3.1, it will not be reflected in the Trivy scan report.

Actual Behavior

CVE-2023-25330 vulnerability has false positives

Reproduction Steps

1../trivy_0.48.3_macOS-64bit/trivy  image test:tag

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

--debug

Operating System

macOS

Version

Version: 0.48.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-27 18:10:42.831017567 +0000 UTC
  NextUpdate: 2024-11-28 00:10:42.831017316 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-01-17 00:47:27.504481066 +0000 UTC
  NextUpdate: 2024-01-20 00:47:27.504480936 +0000 UTC
  DownloadedAt: 2024-01-18 06:11:50.364551 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[zangcc]

The developer upgraded Mybatis plus to 3.5.4.1, and the Trivy report still showed the existence of this vulnerability. This situation inevitably leads to misunderstanding.

[nikpivkin]

@DmitriyLewen There is no affected field in advisory, only last_known_affected_version_range. Can this be the cause of the problem?

[DmitriyLewen]

The OSV format uses this field when the latest version is vulnerable and there is no fixed version.
This seems to be correct.

More like a mistake in the description.
Take a look https://github.com/FCncdn/MybatisPlusTenantPluginSQLInjection-POC/blob/master/Readme.en.md:

AffectedVersion: 3.x

@zangcc Do you have information that 3.5.3.2 version contains fix for CVE-2023-25330?
If yes - please suggest changes on GitHub page - https://github.com/advisories/GHSA-32qq-m9fh-f74w/improve

[zangcc]

GHSA-32qq-m9fh-f74w
https://avd.aquasec.com/nvd/2023/cve-2023-25330/
https://nvd.nist.gov/vuln/detail/CVE-2023-25330

The above vulnerability databases all indicate that vulnerabilities exist only if the version is lower than 3.5.3.1.

[DmitriyLewen]

I think databases just don't updated information.

In cases when latest version is vulnerable - databases added this version as last affected version (#5985 (comment)).
Usually databases update advisory only after patches are released (Because it's a lot of work keeping track of all new versions without patches).
But when library owner releases fix - databases try quickly update advisories.

To be sure that 3.5.3.2 (or later) version is not vulnerable - it is better to ask com.baomidou:mybatis-plus team about fix for CVE-2023-25330.
If they confirm that release contains fix for this CVE - we can write to GitHub and suggest change of affected versions.

[ba1ma0]

Hi @DmitriyLewen It seems that there is NO Vulnerability GHSA-32qq-m9fh-f74w in com.baomidou:mybatis-plus 3.5.4.1 according to Maven official but trivy found a GHSA-32qq-m9fh-f74w in com.baomidou:mybatis-plus 3.5.4.1 . I am wondering is there any mistake in trivy
https://mvnrepository.com/artifact/com.baomidou/mybatis-plus

[DmitriyLewen]

Hello @ba1ma0
Okay. If you are sure that 3.5.3.1 and later version don't affect CVE-2023-25330 - add changes in GitHub database (as i wrote earlier - we use GitHub database for java advisories) - https://github.com/advisories/GHSA-32qq-m9fh-f74w/improve