What happened:
Scan on an image that has python3-urllib3-1.25.10-150300.4.9.1.noarch installed.
It generates a high vulnerability:
$ grype --distro sles15.5 suse15.5_python3-urllib3:v1
urllib3 1.25.10 1.26.5 python GHSA-q2q7-5pp4-w6pg High
urllib3 1.25.10 1.26.17 python GHSA-v845-jxx5-vc9f Medium
urllib3 1.25.10 1.26.18 python GHSA-g4mx-q9vg-27p4 Medium
"vulnerability": {
  "id": "GHSA-q2q7-5pp4-w6pg",
  "dataSource": "GHSA-q2q7-5pp4-w6pg",
  "namespace": "github:language:python",
  "severity": "High",
  "urls": [
    "https://github.com/advisories/GHSA-q2q7-5pp4-w6pg"
  :
  :
  "relatedVulnerabilities": [
    {
      "id": "CVE-2021-33503",
      "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-33503",
      "namespace": "nvd:cpe",
      "severity": "High",
      "urls": [
        "https://github.com/advisories/GHSA-q2q7-5pp4-w6pg",
        "https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec",
  :
  :
"artifact": {
  "id": "34d78392a0ba7992",
  "name": "urllib3",
  "version": "1.25.10",
  "type": "python",
  "locations": [
    {
      "path": "/usr/lib/python3.6/site-packages/urllib3-1.25.10-py3.6.egg-info/PKG-INFO",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    },
What you expected to happen:
According to SUSE Advisory:
https://www.suse.com/security/cve/CVE-2021-33503.html
The CVE has been fixed since version python3-urllib3 >= 1.25.10-4.3.1:
SUSE Linux Enterprise Server 15 SP5
python3-urllib3 >= 1.25.10-4.3.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-urllib3-1.25.10-4.3.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-urllib3-1.25.10-4.3.1
Installed version in the container:
python3-urllib3-1.25.10-150300.4.9.1.noarch
Conclusion: The installed version exceeds the minimum patched version required for SLES 15.5, but Grype still generates a vulnerability.
How to reproduce it (as minimally and precisely as possible):
1) Create the Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-urllib3=1.25.10-150300.4.9.1
ENTRYPOINT [""]
CMD ["bash"]
2) docker build -t "suse15.5_python3-urllib3:v1" .
3) $ grype --distro sles15.5 suse15.5_python3-urllib3:v1
urllib3 1.25.10 1.26.5 python GHSA-q2q7-5pp4-w6pg High
urllib3 1.25.10 1.26.17 python GHSA-v845-jxx5-vc9f Medium
urllib3 1.25.10 1.26.18 python GHSA-g4mx-q9vg-27p4 Medium
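The conclusion above (the egg-info file that grype matched belongs to an RPM whose SUSE release already carries the backport) can be checked mechanically during triage. The script below is an added example, not part of this issue or of grype: it takes a match in the JSON shape shown above, a constructed map of what `rpm -qf` reports for the artifact path, and the advisory's minimum version, and applies an rpmvercmp-style comparison to decide whether the distro package already covers the match. The second, pip-installed match path and the simplified version comparison (no epoch, no tilde/caret handling) are assumptions.

```python
import re

# Constructed sample data; paths and versions mirror the report above.
FIXED_EVR = "1.25.10-4.3.1"  # minimum from the SUSE advisory for SLES 15 SP5
MATCHES = [
    {"vulnerability": {"id": "GHSA-q2q7-5pp4-w6pg"},
     "artifact": {"name": "urllib3", "version": "1.25.10", "type": "python",
                  "locations": [{"path": "/usr/lib/python3.6/site-packages/"
                                         "urllib3-1.25.10-py3.6.egg-info/PKG-INFO"}]}},
    {"vulnerability": {"id": "GHSA-q2q7-5pp4-w6pg"},  # hypothetical pip install
     "artifact": {"name": "urllib3", "version": "1.25.10", "type": "python",
                  "locations": [{"path": "/opt/venv/lib/python3.6/site-packages/"
                                         "urllib3-1.25.10.dist-info/METADATA"}]}},
]
# What `rpm -qf <path>` would print inside the container (constructed map).
RPM_OWNER = {MATCHES[0]["artifact"]["locations"][0]["path"]:
             "python3-urllib3-1.25.10-150300.4.9.1.noarch"}


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into digit/alpha runs and compare pairwise."""
    sa, sb = (re.findall(r"\d+|[a-zA-Z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():  # rpm ranks a numeric segment above alpha
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win


def evr_cmp(a, b):
    """Compare 'version-release' strings (epoch omitted): version, then release."""
    (va, ra), (vb, rb) = a.split("-", 1), b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def triage(match, rpm_owner=RPM_OWNER, fixed_evr=FIXED_EVR):
    """Return (owning rpm or None, True if that rpm is at or after the fixed EVR)."""
    for loc in match["artifact"]["locations"]:
        owner = rpm_owner.get(loc["path"])
        if owner:
            nevr = owner.rsplit(".", 1)[0]            # drop ".noarch"
            _name, ver, rel = nevr.rsplit("-", 2)     # name-version-release
            return owner, evr_cmp(f"{ver}-{rel}", fixed_evr) >= 0
    return None, False                                # not RPM-owned: match stands


if __name__ == "__main__":
    for m in MATCHES:
        owner, ok = triage(m)
        print(m["vulnerability"]["id"], m["artifact"]["locations"][0]["path"],
              "covered by" if ok else "NOT covered;", owner or "no owning rpm")
```

A match whose file is not owned by any RPM (the venv case) is reported as still open, since no distro backport applies to it.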
Environment:
$ grype --version
grype 0.76.0
In the container image ecosystem:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"