False positive: GHSA-h4m5-qpfp-3mpv (CVE-2021-42771) in SLES 15.5 #1906

Open
sekveaja opened this issue Jun 3, 2024 · 0 comments
Labels
bug Something isn't working false-positive

sekveaja commented Jun 3, 2024

What happened:

A scan of an image that has apache2-mod_wsgi-4.7.1-150400.3.9.4.x86_64 installed generates a high-severity vulnerability:

    $ grype --distro sles:15.5 suse15.5_apache2-mod_wsgi:v1

    NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
    mod-wsgi  4.7.1      4.9.3     python  GHSA-7527-8855-9cf8  High

JSON format:

    "vulnerability": {
      "id": "GHSA-7527-8855-9cf8",
      "dataSource": "GHSA-7527-8855-9cf8",
      "namespace": "github:language:python",
      "severity": "High",
      "urls": [
        "https://github.com/advisories/GHSA-7527-8855-9cf8"
      ],
      "description": "Incorrect header handling in mod-wsgi",
      :
      :
      "relatedVulnerabilities": [
        {
          "id": "CVE-2022-2255",
          "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-2255",
          "namespace": "nvd:cpe",
          "severity": "High",
          "urls": [
            "https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941",
      :
      :
    "artifact": {
      "id": "94262fb26b41b74e",
      "name": "mod-wsgi",
      "version": "4.7.1",
      "type": "python",
      "locations": [
        {
          "path": "/usr/lib64/python3.6/site-packages/mod_wsgi-4.7.1-py3.6.egg-info/PKG-INFO",
          "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"

What you expected to happen:

According to the SUSE advisory for CVE-2022-2255, the patch for this CVE is applied from version apache2-mod_wsgi >= 4.7.1-150400.3.3.1:

https://www.suse.com/security/cve/CVE-2022-2255.html

    SUSE Linux Enterprise Server 15 SP5
    
    apache2-mod_wsgi >= 4.7.1-150400.3.3.1
    apache2-mod_wsgi-python3 >= 4.5.18-150000.4.6.1
    Patchnames:
    SUSE Linux Enterprise Module for Public Cloud 15 SP5 GA apache2-mod_wsgi-4.7.1-150400.3.3.1
    SUSE Linux Enterprise Module for Server Applications 15 SP5 GA apache2-mod_wsgi-python3-4.5.18-150000.4.6.1

Installed version in the container: apache2-mod_wsgi-4.7.1-150400.**3.9.4.**x86_64

    rpm -qf /usr/lib64/python3.6/site-packages/mod_wsgi-4.7.1-py3.6.egg-info/PKG-INFO

    apache2-mod_wsgi-4.7.1-150400.3.9.4.x86_64

Conclusion: the installed version is greater than the minimum patched version for SLES 15.5, but Grype still generates a vulnerability.

How to reproduce it (as minimally and precisely as possible):

1. Create the Dockerfile with this content:

        FROM registry.suse.com/suse/sle15:15.5
        RUN zypper in -y --no-recommends apache2-mod_wsgi=4.7.1-150400.3.9.4
        ENTRYPOINT [""]
        CMD ["bash"]

2. Build an image from the Dockerfile:

        $ docker build -t "suse15.5_apache2-mod_wsgi:v1" .

3. Test with Grype now:

        $ grype --distro sles:15.5 suse15.5_apache2-mod_wsgi:v1

        NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
        mod-wsgi  4.7.1      4.9.3     python  GHSA-7527-8855-9cf8  High

Environment:

    $ grype --version
    grype 0.78.0

In the container image eco-system:

    bash-4.4$ cat /etc/release

    NAME="SLES"
    VERSION="15-SP5"
    VERSION_ID="15.5"
    PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
    ID="sles"
    ID_LIKE="suse"
    ANSI_COLOR="0;32"
    CPE_NAME="cpe:/o:suse:sles:15:sp5"
    DOCUMENTATION_URL="https://documentation.suse.com/"

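The root of the finding above is that the match is made against the Python egg-info (namespace `github:language:python`), where the only version visible is the upstream `4.7.1`, which is indeed below the GHSA fix version `4.9.3`; the distro backport lives in the RPM release field `150400.3.9.4`, which that match never sees. The check a triager wants to record before suppressing such a finding is an RPM-ordered comparison of the installed package against the advisory's fixed EVR. The script below is an added example and is not code from grype or from the issue author: it reimplements rpm's `rpmvercmp()`/EVR ordering in Python (digits, letters, `~` and `^` are handled; the remaining corner cases of the C routine are left out), takes the package strings from this issue, and everything else in it (function names, the `parse_nevra` helper, the test inputs) is constructed for the example. Using the same comparator on the plain dotted upstream versions is a simplification that holds for `4.7.1` vs `4.9.3` but not for PEP 440 versions in general.

```python
"""Compare a SUSE RPM against the advisory's fixed version with RPM ordering rules.

Added example, not grype's or the issue author's code. rpmvercmp() below is a
Python re-implementation of rpm's segment comparison (simplified: digits,
letters, '~' and '^'). Package strings come from the issue; the rest is constructed.
"""


def _is_alnum(ch: str) -> bool:
    # ASCII letters and digits only, like rpm's risalnum()
    return ch.isascii() and ch.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 following rpm's rpmvercmp() segment ordering."""
    if a == b:
        return 0
    i, j = 0, 0
    while i < len(a) or j < len(b):
        # Separators ('.', '-', '_', ...) carry no meaning; skip them.
        while i < len(a) and not (_is_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_is_alnum(b[j]) or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, even the end of the string (1.0~rc1 < 1.0).
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i >= len(a) or a[i] != "~":
                return 1
            if j >= len(b) or b[j] != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after the end of the string but before any other segment.
        if (i < len(a) and a[i] == "^") or (j < len(b) and b[j] == "^"):
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if a[i] != "^":
                return 1
            if b[j] != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next all-digit or all-letter run from both strings.
        isnum = a[i].isdigit()
        k, m = i, j
        if isnum:
            while k < len(a) and a[k].isdigit():
                k += 1
            while m < len(b) and b[m].isdigit():
                m += 1
        else:
            while k < len(a) and a[k].isalpha():
                k += 1
            while m < len(b) and b[m].isalpha():
                m += 1
        seg_a, seg_b = a[i:k], b[j:m]
        if not seg_b:
            # Segment types differ: a numeric segment is always newer than letters.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more significant digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = k, m
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # leftover segments mean "newer"


def parse_evr(evr: str):
    """Split 'epoch:version-release' (epoch and release optional) into a triple."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr  # rpm treats a missing epoch as 0
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_compare(a: str, b: str) -> int:
    """Order two EVR strings the way rpm's labelCompare() does: epoch, version, release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def parse_nevra(nevra: str):
    """Split 'name-version-release.arch' (as printed by rpm -qf) into (name, evr). Constructed helper."""
    without_arch, _, _arch = nevra.rpartition(".")
    name, version, release = without_arch.rsplit("-", 2)
    return name, f"{version}-{release}"


# Values quoted in the issue: SUSE advisory fixed version, rpm -qf output, GHSA fix version.
SUSE_FIXED_EVR = "4.7.1-150400.3.3.1"
INSTALLED_NEVRA = "apache2-mod_wsgi-4.7.1-150400.3.9.4.x86_64"
UPSTREAM_FIXED = "4.9.3"


def distro_fix_applied(installed_nevra: str, fixed_evr: str) -> bool:
    """True when the installed RPM is at or beyond the advisory's fixed EVR."""
    _, installed_evr = parse_nevra(installed_nevra)
    return evr_compare(installed_evr, fixed_evr) >= 0


def upstream_version_vulnerable(installed_upstream: str, fixed_upstream: str) -> bool:
    """The view an ecosystem match has: only the upstream version, no distro release."""
    return rpmvercmp(installed_upstream, fixed_upstream) < 0


if __name__ == "__main__":
    name, evr = parse_nevra(INSTALLED_NEVRA)
    print(f"{name} {evr}: distro fix applied = {distro_fix_applied(INSTALLED_NEVRA, SUSE_FIXED_EVR)}")
    print(f"upstream view 4.7.1 vs {UPSTREAM_FIXED}: vulnerable = {upstream_version_vulnerable('4.7.1', UPSTREAM_FIXED)}")
```

Run as-is it reports the distro fix as applied for `150400.3.9.4` and, for contrast, that the upstream-only comparison still says vulnerable; swapping in a release such as `150400.3.2.1` flips the first answer, which is the case where the finding would be a true positive.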