Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

False positive: GHSA-xg9f-g7g7-2323 (CVE-2023-25577) GHSA-2g68-c3qc-8985(CVE-2024-34069) python3-Werkzeug in SLES 15.5 Ecosystem #1936

Open
sekveaja opened this issue Jun 12, 2024 · 2 comments
Labels
blocked Progress is being stopped by something bug Something isn't working

Comments

@sekveaja
Copy link

What happened:

Scan on image that has python3-werkzeug-3.3.2-150400.23.1.x86_64 installed.
It generates high vulnerability:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
Werkzeug 1.0.1 2.2.3 python GHSA-xg9f-g7g7-2323 High
Werkzeug 1.0.1 3.0.3 python GHSA-2g68-c3qc-8985 High
Werkzeug 1.0.1 2.3.8 python GHSA-hrfv-mqp8-q5rw Medium
Werkzeug 1.0.1 2.2.3 python GHSA-px8h-6qxv-m22q Low

JSON format:

"vulnerability": {
"id": "GHSA-xg9f-g7g7-2323",
"dataSource": "GHSA-xg9f-g7g7-2323",
"namespace": "github:language:python",
"severity": "High",
"urls": [
"https://github.com/advisories/GHSA-xg9f-g7g7-2323"
],
"description": "High resource usage when parsing multipart form data with many fields",
:
:
"relatedVulnerabilities": [
{
"id": "CVE-2023-25577",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-25577",
"namespace": "nvd:cpe",
"severity": "High",
"urls": [
"https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1",
"https://github.com/pallets/werkzeug/releases/tag/2.2.3",
"https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323",
:
:
"artifact": {
"id": "a9289888e4eeeaa3",
"name": "Werkzeug",
"version": "1.0.1",
"type": "python",
"locations": [
{
"path": "/usr/lib/python3.6/site-packages/Werkzeug-1.0.1-py3.6.egg-info/PKG-INFO",
"layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
},

What you expected to happen:

According to SUSE Advisory CVE-2023-25577
Patch for this CVE is applied from version python3-werkzeug-3.3.2-150400.23.1.x86_64

See with this link: https://www.suse.com/security/cve/CVE-2023-25577.html

SUSE Linux Enterprise Server 15 SP5
python3-Werkzeug >= 1.0.1-150300.3.3.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-Werkzeug-1.0.1-150300.3.3.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-Werkzeug-1.0.1-150300.3.3.1

Installed version in the container: python3-werkzeug-3.3.2-150400.23.1.x86_64

rpm -qf /usr/lib/python3.6/site-packages/Werkzeug-1.0.1-py3.6.egg-info/PKG-INFO

python3-Werkzeug-1.0.1-150300.3.3.1.noarch

Conclusion: Installed version meet the minimal requirement patch from SLES 15.5 but Grype generate a vulnerability.

How to reproduce it (as minimally and precisely as possible):

  1. Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5
ADD https://rpmfind.net/linux/opensuse/distribution/leap/15.5/repo/oss/noarch/python3-Werkzeug-1.0.1-150300.3.3.1.noarch.rpm /tmp
RUN zypper in -y --no-recommends /tmp/python3-Werkzeug-1.0.1-150300.3.3.1.noarch.rpm
ENTRYPOINT [""]
CMD ["bash"]

  1. Build an image from Dockerfile

$ docker build -t "suse15.5_python3-werkzeug:v1" .

  1. Test with Grype now

$ grype --distro sles:15.5 suse15.5_python3-werkzeug:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
Werkzeug 1.0.1 2.2.3 python GHSA-xg9f-g7g7-2323 High
Werkzeug 1.0.1 3.0.3 python GHSA-2g68-c3qc-8985 High
Werkzeug 1.0.1 2.3.8 python GHSA-hrfv-mqp8-q5rw Medium
Werkzeug 1.0.1 2.2.3 python GHSA-px8h-6qxv-m22q Low
libglib-2_0-0 2.70.5-150400.3.8.1 0:2.70.5-150400.3.11.1 rpm CVE-2024-34397 Low
libopenssl1_1 1.1.1l-150500.17.25.1 0:1.1.1l-150500.17.28.2 rpm CVE-2024-2511 Medium
libopenssl1_1-hmac 1.1.1l-150500.17.25.1 0:1.1.1l-150500.17.28.2 rpm CVE-2024-2511 Me

Anything else we need to know?:
There was a similar issue that was opened and closed but real issue has not been addressed.
#1536.

Please investigate this ticket, as it is reproducible easily.

Environment:

$ grype --version
grype 0.78.0

In container image eco-system:

bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"

@sekveaja sekveaja added the bug Something isn't working label Jun 12, 2024
@sekveaja
Copy link
Author

Adding GHSA-hrfv-mqp8-q5rw (CVE-2023-46136), reproducible with the same instruction.

@kzantow kzantow added the blocked Progress is being stopped by something label Sep 16, 2024
@kzantow
Copy link
Contributor

kzantow commented Sep 16, 2024

Blocked by anchore/vunnel#626

@kzantow kzantow moved this to Ready in OSS Sep 16, 2024
@kzantow kzantow moved this from Ready to Backlog in OSS Sep 16, 2024
@sekveaja sekveaja changed the title False positive: GHSA-xg9f-g7g7-2323 (CVE-2023-25577) python3-Werkzeug in SLES 15.5 Ecosystem False positive: GHSA-xg9f-g7g7-2323 (CVE-2023-25577) GHSA-2g68-c3qc-8985(CVE-2024-34069) python3-Werkzeug in SLES 15.5 Ecosystem Nov 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
blocked Progress is being stopped by something bug Something isn't working
Projects
Status: Backlog
Development

No branches or pull requests

2 participants