False positive: GHSA-v845-jxx5-vc9f (CVE-2023-43804) python3-urllib3 in SLES 15.5 Ecosystem #1952
Labels
bug
Something isn't working
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened:
Scan on image that has python3-urllib3-1.25.10-150300.4.9.1.noarch installed.
It generates vulnerability:
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
urllib3 1.25.10 1.26.5 python GHSA-q2q7-5pp4-w6pg High
urllib3 1.25.10 1.26.17 python GHSA-v845-jxx5-vc9f Medium
urllib3 1.25.10 1.26.18 python GHSA-g4mx-q9vg-27p4 Medium
urllib3 1.25.10 1.26.19 python GHSA-34jh-p97f-mpxf Medium
JSON format:
"vulnerability": {
"id": "GHSA-v845-jxx5-vc9f",
"dataSource": "GHSA-v845-jxx5-vc9f",
"namespace": "github:language:python",
"severity": "Medium",
"urls": [
"https://github.com/advisories/GHSA-v845-jxx5-vc9f"
],
"description": "
CookieHTTP header isn't stripped on cross-origin redirects","cvss": [
:
:
"relatedVulnerabilities": [
{
"id": "CVE-2023-43804",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-43804",
"namespace": "nvd:cpe",
"severity": "High",
"urls": [
"https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb",
"https://github.com/urllib3/urllib3/commit/644124ecd0b6e417c527191f866daa05a5a2056d",
"https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f",
:
:
"artifact": {
"id": "34d78392a0ba7992",
"name": "urllib3",
"version": "1.25.10",
"type": "python",
"locations": [
{
"path": "/usr/lib/python3.6/site-packages/urllib3-1.25.10-py3.6.egg-info/PKG-INFO",
"layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
},
What you expected to happen:
According to SUSE Advisory CVE-2023-43804
Patch for this CVE is applied from version python3-urllib3-1.25.10-150300.4.9.1
See with this link: https://www.suse.com/security/cve/CVE-2023-43804.html
SUSE Linux Enterprise Server 15 SP5
python3-urllib3 >= 1.25.10-150300.4.6.1
Patchnames:
SUSE-SLE-Module-Basesystem-15-SP5-2023-4108
Installed version in the container: python3-urllib3-1.25.10-150300.4.9.1.noarch
rpm -qf /usr/lib/python3.6/site-packages/urllib3-1.25.10-py3.6.egg-info/PKG-INFO
python3-urllib3-1.25.10-150300.4.9.1.noarch
Conclusion: Installed version meet the minimal requirement patch from SLES 15.5 but Grype generate a vulnerability.
How to reproduce it (as minimally and precisely as possible):
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-urllib3=1.25.10-150300.4.9.1
ENTRYPOINT [""]
CMD ["bash"]
$ docker build -t "suse15.5_python3-urllib3:v1" .
$ grype --distro sles:15.5 suse15.5_python3-urllib3:v1
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
urllib3 1.25.10 1.26.5 python GHSA-q2q7-5pp4-w6pg High
urllib3 1.25.10 1.26.17 python GHSA-v845-jxx5-vc9f Medium
urllib3 1.25.10 1.26.18 python GHSA-g4mx-q9vg-27p4 Medium
urllib3 1.25.10 1.26.19 python GHSA-34jh-p97f-mpxf Medium
Environment:
$ grype --version
grype 0.78.0
In container image eco-system:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
The text was updated successfully, but these errors were encountered: