False positive: CVE-2023-37920 in SUSE Eco-system #6464

sekveaja · 2024-04-06T20:15:56Z

sekveaja
Apr 6, 2024

IDs

CVE-2023-37920

Description

Running Trivy on an image that has python3-certifi-2022.12.7-150000.1.4.noarch package installed.
The container O/S eco-system is a SLES 15 SP4.

Here is a portion of the output:

certifi (PKG-INFO) │ CVE-2023-37920 │ HIGH │ │ 2022.12.7 │ 2023.7.22 │ python-certifi: Removal of e-Tugra root certificate │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-37920 │

According to SUSE Advisory this CVE issue is not affected in SLES 15 SP4.
Therefore, it is a false positive in SLES 15 SP4 eco-system.

Here is the link from SUSE Advisory: https://www.suse.com/security/cve/CVE-2023-37920.html
SUSE Linux Enterprise Server 15 SP4 | python-certifi | Not affected.

Reproduction Steps

1.build an image with SUSE
2.Install this package python3-certifi-2022.12.7-150000.1.4.noarch

Target

Container Image

Scanner

Vulnerability

Target OS

SUSE 15 SP4

Debug Output

2024-04-06T22:11:35.848+0200    INFO    Detected OS: suse linux enterprise server
2024-04-06T22:11:35.848+0200    INFO    Detecting SUSE vulnerabilities...
2024-04-06T22:11:35.848+0200    DEBUG   SUSE: os version: 15.4
2024-04-06T22:11:35.848+0200    DEBUG   SUSE: the number of packages: 380
2024-04-06T22:11:35.852+0200    INFO    Number of language-specific files: 1
2024-04-06T22:11:35.852+0200    INFO    Detecting python-pkg vulnerabilities...
2024-04-06T22:11:35.852+0200    DEBUG   Detecting library vulnerabilities, type: python-pkg, path:
2024-04-06T22:11:35.854+0200    WARN    This OS version is no longer supported by the distribution: suse linux enterprise server 15.4
2024-04-06T22:11:35.854+0200    WARN    The vulnerability detection may be insufficient because security updates are not provided

cee/sles-binary-aetos:10.9.17.2.0.66 (suse linux enterprise server 15.4)

Total: 18 (UNKNOWN: 6, LOW: 2, MEDIUM: 2, HIGH: 8, CRITICAL: 0)

┌───────────────────┬─────────────────────┬──────────┬────────┬───────────────────────┬───────────────────────┬─────────────────────────────────             ───┐
│      Library      │    Vulnerability    │ Severity │ Status │   Installed Version   │     Fixed Version     │               Title                             │
├───────────────────┼─────────────────────┼──────────┼────────┼───────────────────────┼───────────────────────┼─────────────────────────────────             ───┤
│ glibc             │ SUSE-SU-2024:0870-1 │ UNKNOWN  │ fixed  │ 2.31-150300.63.1      │ 2.31-150300.68.1      │ Security update for glibc                       │
├───────────────────┤                     │          │        │                       │                       │                                                 │
│ glibc-extra       │                     │          │        │                       │                       │                                                 │
├───────────────────┤                     │          │        │                       │                       │                                                 │
│ glibc-lang        │                     │          │        │                       │                       │                                                 │
├───────────────────┤                     │          │        │                       │                       │                                                 │
│ glibc-locale      │                     │          │        │                       │                       │                                                 │
├───────────────────┤                     │          │        │                       │                       │                                                 │
│ glibc-locale-base │                     │          │        │                       │                       │                                                 │
├───────────────────┼─────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼─────────────────────────────────             ───┤
│ krb5              │ SUSE-SU-2024:1006-1 │ HIGH     │        │ 1.19.2-150400.3.6.1   │ 1.19.2-150400.3.9.1   │ Security update for krb5                        │
├───────────────────┼─────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼─────────────────────────────────             ───┤
│ libopenssl1_1     │ SUSE-SU-2024:0833-1 │ LOW      │        │ 1.1.1l-150400.7.60.2  │ 1.1.1l-150400.7.63.1  │ Security update for openssl-1_1                 │
├───────────────────┼─────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼─────────────────────────────────             ───┤
│ libpython3_6m1_0  │ SUSE-SU-2024:0901-1 │ HIGH     │        │ 3.6.15-150300.10.51.1 │ 3.6.15-150300.10.57.1 │ Security update for python3                     │
├───────────────────┼─────────────────────┤          │        ├───────────────────────┼───────────────────────┼─────────────────────────────────             ───┤
│ libssh-config     │ SUSE-SU-2024:0140-1 │          │        │ 0.9.6-150400.1.5      │ 0.9.8-150400.3.3.1    │ Security update for libssh                      │
├───────────────────┤                     │          │        │                       │                       │                                                 │
│ libssh4           │                     │          │        │                       │                       │                                                 │
├───────────────────┼─────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼─────────────────────────────────             ───┤
│ openssl-1_1       │ SUSE-SU-2024:0833-1 │ LOW      │        │ 1.1.1l-150400.7.60.2  │ 1.1.1l-150400.7.63.1  │ Security update for openssl-1_1                 │
├───────────────────┼─────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼─────────────────────────────────             ───┤
│ pam               │ SUSE-SU-2024:0136-1 │ MEDIUM   │        │ 1.3.0-150000.6.61.1   │ 1.3.0-150000.6.66.1   │ Security update for pam                         │
├───────────────────┼─────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼─────────────────────────────────             ───┤
│ python3           │ SUSE-SU-2024:0901-1 │ HIGH     │        │ 3.6.15-150300.10.51.1 │ 3.6.15-150300.10.57.1 │ Security update for python3                     │
├───────────────────┤                     │          │        │                       │                       │                                                 │
│ python3-base      │                     │          │        │                       │                       │                                                 │
├───────────────────┤                     │          │        │                       │                       │                                                 │
│ python3-curses    │                     │          │        │                       │                       │                                                 │
├───────────────────┤                     │          │        │                       │                       │                                                 │
│ python3-dbm       │                     │          │        │                       │                       │                                                 │
├───────────────────┼─────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼─────────────────────────────────             ───┤
│ sudo              │ SUSE-SU-2024:0877-1 │ MEDIUM   │        │ 1.9.9-150400.4.26.1   │ 1.9.9-150400.4.36.1   │ Security update for sudo                        │
├───────────────────┼─────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼─────────────────────────────────             ───┤
│ suse-build-key    │ SUSE-SU-2024:0444-1 │ UNKNOWN  │        │ 12.0-150000.8.37.1    │ 12.0-150000.8.40.1    │ Security update for suse-build-k             ey │
└───────────────────┴─────────────────────┴──────────┴────────┴───────────────────────┴───────────────────────┴─────────────────────────────────             ───┘
2024-04-06T22:11:35.921+0200    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the pac             kage file.

Python (python-pkg)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

┌──────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────             ───────────────────┐
│         Library          │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                                          │
├──────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────             ───────────────────┤
│ Jinja2 (PKG-INFO)        │ CVE-2024-22195 │ MEDIUM   │ fixed  │ 2.11.3            │ 3.1.3         │ jinja2: HTML attribute injection when pass             ing user input as  │
│                          │                │          │        │                   │               │ keys to xmlattr...                                                        │
│                          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-22195                                │
├──────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────             ───────────────────┤
│ certifi (PKG-INFO)       │ CVE-2023-37920 │ HIGH     │        │ 2022.12.7         │ 2023.7.22     │ python-certifi: Removal of e-Tugra root ce             rtificate          │
│                          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-37920                                │
├──────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────             ───────────────────┤
│ eventlet (PKG-INFO)      │ CVE-2021-21419 │ MEDIUM   │        │ 0.30.2            │ 0.31.0        │ python-eventlet: improper handling of high             ly compressed data │
│                          │                │          │        │                   │               │ and memory allocation with excessive...                                   │
│                          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-21419                                │
├──────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼───────────────────────────────────────────             ───────────────────┤
│ pycryptodome (PKG-INFO)  │ CVE-2023-52323 │          │        │ 3.10.1            │ 3.19.1        │ pycryptodome: side-channel leakage for OAE             P decryption in    │
│                          │                │          │        │                   │               │ PyCryptodome and pycryptodomex                                            │
│                          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52323                                │
├──────────────────────────┤                │          │        │                   │               │                                                                           │
│ pycryptodomex (PKG-INFO) │                │          │        │                   │               │                                                                           │

Version

Version: 0.50.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-06 18:10:32.313177662 +0000 UTC
  NextUpdate: 2024-04-07 00:10:32.313177382 +0000 UTC
  DownloadedAt: 2024-04-06 19:54:20.68383429 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-08-09 01:03:34.584171661 +0000 UTC
  NextUpdate: 2023-08-12 01:03:34.584171061 +0000 UTC
  DownloadedAt: 2023-08-09 19:23:58.088029381 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

DmitriyLewen · 2024-04-18T09:50:04Z

DmitriyLewen
Apr 18, 2024
Maintainer

Hello @sekveaja
Thanks for your report!

├──────────────────────────┼────────────────┼──────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────── ───────────────────┤
│ certifi (PKG-INFO) │ CVE-2023-37920 │ HIGH │ │ 2022.12.7 │ 2023.7.22 │ python-certifi: Removal of e-Tugra root ce rtificate │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-37920 │
├──────────────────────────┼────────────────┼──────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────── ───────────────────┤

Trivy doesn't seem to understand that this package was installed using rpm package (and the GitHub database is used for this package).

Can you write how you installed this package or create a test public image?

Regards, Dmitriy

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

False positive: CVE-2023-37920 in SUSE Eco-system #6464

{{title}}

Replies: 1 comment

{{title}}

Select a reply

False positive: CVE-2023-37920 in SUSE Eco-system #6464

sekveaja Apr 6, 2024

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 1 comment

DmitriyLewen Apr 18, 2024 Maintainer

sekveaja
Apr 6, 2024

DmitriyLewen
Apr 18, 2024
Maintainer