
Incorrect Severity ranking for the same image using trivy in CLI compare to the use of trivy.dev tool #3020

Closed
RoninBreizh opened this issue Oct 14, 2022 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed.

Comments

@RoninBreizh

Description

What did you expect to happen?

We wanted to test potential differences between both tools in terms of in-depth scanning, but we were expecting to gather the same ranking result when it comes to highlighting a vulnerability.

What happened instead?

The results of the trivy.dev tool (https://trivy.dev/results/?image=tenableofficial/nessus) on the latest image provided by Tenable Nessus do return 8 vulns (3 critical, 4 high & 1 medium).
The results of the trivy tool deployed on premise for the same image were associated with the same CVEs but with a different ranking.

Trivy WEB

| CVE | Severity |
|---|---|
| CVE-2022-40674 | critical |
| CVE-2021-20231 | critical |
| CVE-2021-20232 | critical |
| CVE-2022-38177 | high |
| CVE-2022-38178 | high |
| CVE-2021-3580 | high |
| CVE-2021-33560 | high |
| CVE-2021-40528 | medium |

Trivy CLI

| CVE | Severity |
|---|---|
| CVE-2022-40674 | high |
| CVE-2021-20231 | medium |
| CVE-2021-20232 | medium |
| CVE-2022-38177 | high |
| CVE-2022-38178 | high |
| CVE-2021-3580 | medium |
| CVE-2021-33560 | medium |
| CVE-2021-40528 | high |

In the detailed output we can see that there are several ranking sources:

- NVD (CVSS3 and/or CVSS2) & RedHat (CVSS3)
  In the report displayed, the ranking seems to be managed differently depending on the information provided.
  It's not always the highest ranking which is displayed.
  However, the vulnerabilities database downloaded feels correct.

Output of run with `-debug`:

```json
{
  "SchemaVersion": 2,
  "ArtifactName": "nessus",
  "ArtifactType": "filesystem",
  "Metadata": {
    "OS": {
      "Family": "oracle",
      "Name": "8.6"
    },
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "nessus (oracle 8.6)",
      "Class": "os-pkgs",
      "Type": "oracle",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2022-38177",
          "PkgName": "bind-export-libs",
          "InstalledVersion": "32:9.11.36-3.el8",
          "FixedVersion": "32:9.11.36-3.el8_6.1",
          "Layer": {},
          "SeveritySource": "oracle-oval",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-38177",
          "DataSource": {
            "ID": "oracle-oval",
            "Name": "Oracle Linux OVAL definitions",
            "URL": "https://linux.oracle.com/security/oval/"
          },
          "Title": "bind: memory leak in ECDSA DNSSEC verification code",
          "Description": "By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-347"
          ],
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "http://www.openwall.com/lists/oss-security/2022/09/21/3",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38177.json",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38178.json",
            "https://access.redhat.com/security/cve/CVE-2022-38177",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38177",
            "https://kb.isc.org/docs/cve-2022-38177",
            "https://linux.oracle.com/cve/CVE-2022-38177.html",
            "https://linux.oracle.com/errata/ELSA-2022-6781.html",
            "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-38177",
            "https://ubuntu.com/security/notices/USN-5626-1",
            "https://ubuntu.com/security/notices/USN-5626-2",
            "https://www.debian.org/security/2022/dsa-5235"
          ],
          "PublishedDate": "2022-09-21T11:15:00Z",
          "LastModifiedDate": "2022-10-06T20:15:00Z"
        },
        {
          "VulnerabilityID": "CVE-2022-38178",
          "PkgName": "bind-export-libs",
          "InstalledVersion": "32:9.11.36-3.el8",
          "FixedVersion": "32:9.11.36-3.el8_6.1",
          "Layer": {},
          "SeveritySource": "oracle-oval",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-38178",
          "DataSource": {
            "ID": "oracle-oval",
            "Name": "Oracle Linux OVAL definitions",
            "URL": "https://linux.oracle.com/security/oval/"
          },
          "Title": "bind: memory leaks in EdDSA DNSSEC verification code",
          "Description": "By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-347"
          ],
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "http://www.openwall.com/lists/oss-security/2022/09/21/3",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38177.json",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38178.json",
            "https://access.redhat.com/security/cve/CVE-2022-38178",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38178",
            "https://kb.isc.org/docs/cve-2022-38178",
            "https://linux.oracle.com/cve/CVE-2022-38178.html",
            "https://linux.oracle.com/errata/ELSA-2022-6781.html",
            "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-38178",
            "https://ubuntu.com/security/notices/USN-5626-1",
            "https://www.debian.org/security/2022/dsa-5235"
          ],
          "PublishedDate": "2022-09-21T11:15:00Z",
          "LastModifiedDate": "2022-10-06T20:15:00Z"
        },
        {
          "VulnerabilityID": "CVE-2022-40674",
          "PkgName": "expat",
          "InstalledVersion": "2.2.5-8.0.1.el8_6.2",
          "FixedVersion": "2.2.5-8.0.1.el8_6.3",
          "Layer": {},
          "SeveritySource": "oracle-oval",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-40674",
          "DataSource": {
            "ID": "oracle-oval",
            "Name": "Oracle Linux OVAL definitions",
            "URL": "https://linux.oracle.com/security/oval/"
          },
          "Title": "expat: a use-after-free in the doContent function in xmlparse.c",
          "Description": "libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-416"
          ],
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 9.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 9.8
            }
          },
          "References": [
            "https://access.redhat.com/errata/RHSA-2022:6838",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40674.json",
            "https://access.redhat.com/security/cve/CVE-2022-40674",
            "https://blog.hartwork.org/posts/expat-2-4-9-released/",
            "https://bugzilla.redhat.com/2130769",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674",
            "https://errata.almalinux.org/9/ALSA-2022-6838.html",
            "https://github.com/advisories/GHSA-2vq2-xc55-3j5m",
            "https://github.com/libexpat/libexpat/pull/629",
            "https://github.com/libexpat/libexpat/pull/640",
            "https://linux.oracle.com/cve/CVE-2022-40674.html",
            "https://linux.oracle.com/errata/ELSA-2022-6878.html",
            "https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG/",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-40674",
            "https://security.gentoo.org/glsa/202209-24",
            "https://ubuntu.com/security/notices/USN-5638-1",
            "https://www.debian.org/security/2022/dsa-5236"
          ],
          "PublishedDate": "2022-09-14T11:15:00Z",
          "LastModifiedDate": "2022-10-07T18:15:00Z"
        },
        {
          "VulnerabilityID": "CVE-2021-20231",
          "PkgName": "gnutls",
          "InstalledVersion": "3.6.16-4.el8",
          "FixedVersion": "10:3.6.16-4.0.1.el8_fips",
          "Layer": {},
          "SeveritySource": "oracle-oval",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-20231",
          "DataSource": {
            "ID": "oracle-oval",
            "Name": "Oracle Linux OVAL definitions",
            "URL": "https://linux.oracle.com/security/oval/"
          },
          "Title": "gnutls: Use after free in client key_share extension",
          "Description": "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-416"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V2Score": 7.5,
              "V3Score": 9.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "V3Score": 3.7
            }
          },
          "References": [
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20231.json",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20232.json",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3580.json",
            "https://access.redhat.com/security/cve/CVE-2021-20231",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1922276",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20231",
            "https://linux.oracle.com/cve/CVE-2021-20231.html",
            "https://linux.oracle.com/errata/ELSA-2022-9221.html",
            "https://lists.apache.org/thread.html/r50661d6f0082709aad9a584431b59ec364f9974b63b07e0800230168@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/r5d4001031e7790d8c6396c499522b4ed2aab782da87b1a14184793bb@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/r5f88bed447742fcc5c47bf1c7be965ef450131914a6e1f85feba2779@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/r6ac143ba6dd98bd4bf6bf010d46e56e254056459721ba18822d611f7@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/r9cbc69e57276413788e90a6ee16c7c034ea4258d31935b70db2bd158@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/rcd70a4c88a47a75fd2d5f3ffb7cee8c2a18c713320bd90fdcb57495f@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/rf5e1256d870193def4a82ad89ab95e63943a313b5ff0d81aa87e4532@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/rfd5273d72d244178441e6904a2f2b41a3268f569e8092ea0b3b2bb20@%3Cissues.spark.apache.org%3E",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OSLAE6PP33A7VYRYMYMUVB3U6B26GZER/",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-20231",
            "https://security.netapp.com/advisory/ntap-20210416-0005/",
            "https://ubuntu.com/security/notices/USN-5029-1",
            "https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10"
          ],
          "PublishedDate": "2021-03-12T19:15:00Z",
          "LastModifiedDate": "2021-06-01T14:07:00Z"
        },
        {
          "VulnerabilityID": "CVE-2021-20232",
          "PkgName": "gnutls",
          "InstalledVersion": "3.6.16-4.el8",
          "FixedVersion": "10:3.6.16-4.0.1.el8_fips",
          "Layer": {},
          "SeveritySource": "oracle-oval",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-20232",
          "DataSource": {
            "ID": "oracle-oval",
            "Name": "Oracle Linux OVAL definitions",
            "URL": "https://linux.oracle.com/security/oval/"
          },
          "Title": "gnutls: Use after free in client_send_params in lib/ext/pre_shared_key.c",
          "Description": "A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-416"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V2Score": 7.5,
              "V3Score": 9.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "V3Score": 3.7
            }
          },
          "References": [
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20231.json",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20232.json",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3580.json",
            "https://access.redhat.com/security/cve/CVE-2021-20232",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1922275",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20232",
            "https://linux.oracle.com/cve/CVE-2021-20232.html",
            "https://linux.oracle.com/errata/ELSA-2022-9221.html",
            "https://lists.apache.org/thread.html/r50661d6f0082709aad9a584431b59ec364f9974b63b07e0800230168@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/r5d4001031e7790d8c6396c499522b4ed2aab782da87b1a14184793bb@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/r5f88bed447742fcc5c47bf1c7be965ef450131914a6e1f85feba2779@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/r6ac143ba6dd98bd4bf6bf010d46e56e254056459721ba18822d611f7@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/r9cbc69e57276413788e90a6ee16c7c034ea4258d31935b70db2bd158@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/rcd70a4c88a47a75fd2d5f3ffb7cee8c2a18c713320bd90fdcb57495f@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/rf5e1256d870193def4a82ad89ab95e63943a313b5ff0d81aa87e4532@%3Cissues.spark.apache.org%3E",
            "https://lists.apache.org/thread.html/rfd5273d72d244178441e6904a2f2b41a3268f569e8092ea0b3b2bb20@%3Cissues.spark.apache.org%3E",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OSLAE6PP33A7VYRYMYMUVB3U6B26GZER/",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-20232",
            "https://security.netapp.com/advisory/ntap-20210416-0005/",
            "https://ubuntu.com/security/notices/USN-5029-1",
            "https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10"
          ],
          "PublishedDate": "2021-03-12T19:15:00Z",
          "LastModifiedDate": "2021-05-17T14:30:00Z"
        },
        {
          "VulnerabilityID": "CVE-2021-3580",
          "PkgName": "gnutls",
          "InstalledVersion": "3.6.16-4.el8",
          "FixedVersion": "10:3.6.16-4.0.1.el8_fips",
          "Layer": {},
          "SeveritySource": "oracle-oval",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3580",
          "DataSource": {
            "ID": "oracle-oval",
            "Name": "Oracle Linux OVAL definitions",
            "URL": "https://linux.oracle.com/security/oval/"
          },
          "Title": "nettle: Remote crash in RSA decryption via manipulated ciphertext",
          "Description": "A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-20"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V2Score": 5,
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20231.json",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-20232.json",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3580.json",
            "https://access.redhat.com/security/cve/CVE-2021-3580",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1967983",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3580",
            "https://linux.oracle.com/cve/CVE-2021-3580.html",
            "https://linux.oracle.com/errata/ELSA-2022-9221.html",
            "https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-3580",
            "https://security.netapp.com/advisory/ntap-20211104-0006/",
            "https://ubuntu.com/security/notices/USN-4990-1"
          ],
          "PublishedDate": "2021-08-05T21:15:00Z",
          "LastModifiedDate": "2021-11-26T21:06:00Z"
        },
        {
          "VulnerabilityID": "CVE-2021-40528",
          "PkgName": "libgcrypt",
          "InstalledVersion": "1.8.5-7.el8_6",
          "FixedVersion": "10:1.8.5-7.el8_6_fips",
          "Layer": {},
          "SeveritySource": "oracle-oval",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-40528",
          "DataSource": {
            "ID": "oracle-oval",
            "Name": "Oracle Linux OVAL definitions",
            "URL": "https://linux.oracle.com/security/oval/"
          },
          "Title": "libgcrypt: ElGamal implementation allows plaintext recovery",
          "Description": "The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-327"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "V2Score": 2.6,
              "V3Score": 5.9
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "V3Score": 5.9
            }
          },
          "References": [
            "https://access.redhat.com/errata/RHSA-2022:5311",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-40528.json",
            "https://access.redhat.com/security/cve/CVE-2021-40528",
            "https://bugzilla.redhat.com/2002816",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40528",
            "https://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13",
            "https://eprint.iacr.org/2021/923",
            "https://errata.almalinux.org/8/ALSA-2022-5311.html",
            "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320",
            "https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1",
            "https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2",
            "https://linux.oracle.com/cve/CVE-2021-40528.html",
            "https://linux.oracle.com/errata/ELSA-2022-9564.html",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-40528",
            "https://ubuntu.com/security/notices/USN-5080-1",
            "https://ubuntu.com/security/notices/USN-5080-2"
          ],
          "PublishedDate": "2021-09-06T19:15:00Z",
          "LastModifiedDate": "2021-11-29T21:37:00Z"
        },
        {
          "VulnerabilityID": "CVE-2021-33560",
          "PkgName": "libgcrypt",
          "InstalledVersion": "1.8.5-7.el8_6",
          "FixedVersion": "10:1.8.5-6.el8_fips",
          "Layer": {},
          "SeveritySource": "oracle-oval",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-33560",
          "DataSource": {
            "ID": "oracle-oval",
            "Name": "Oracle Linux OVAL definitions",
            "URL": "https://linux.oracle.com/security/oval/"
          },
          "Title": "libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm",
          "Description": "Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-203"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "V2Score": 5,
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33560.json",
            "https://access.redhat.com/security/cve/CVE-2021-33560",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33560",
            "https://dev.gnupg.org/T5305",
            "https://dev.gnupg.org/T5328",
            "https://dev.gnupg.org/T5466",
            "https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61",
            "https://eprint.iacr.org/2021/923",
            "https://errata.almalinux.org/8/ALSA-2021-4409.html",
            "https://linux.oracle.com/cve/CVE-2021-33560.html",
            "https://linux.oracle.com/errata/ELSA-2022-9263.html",
            "https://lists.debian.org/debian-lts-announce/2021/06/msg00021.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BKKTOIGFW2SGN3DO2UHHVZ7MJSYN4AAB/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7OAPCUGPF3VLA7QAJUQSL255D4ITVTL/",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-33560",
            "https://ubuntu.com/security/notices/USN-5080-1",
            "https://ubuntu.com/security/notices/USN-5080-2",
            "https://www.oracle.com/security-alerts/cpuapr2022.html",
            "https://www.oracle.com/security-alerts/cpujan2022.html",
            "https://www.oracle.com/security-alerts/cpujul2022.html",
            "https://www.oracle.com/security-alerts/cpuoct2021.html"
          ],
          "PublishedDate": "2021-06-08T11:15:00Z",
          "LastModifiedDate": "2022-07-25T18:15:00Z"
        }
      ]
    }
  ]
}
```

Output of `trivy -v`:

```text
Version: 0.32.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-10-14 06:28:01.519116717 +0000 UTC
  NextUpdate: 2022-10-14 12:28:01.519116517 +0000 UTC
  DownloadedAt: 2022-10-14 06:33:39.962953839 +0000 UTC
```

Additional details (base image name, container registry info...):

image targeted: tenableofficial/nessus@sha256:460cec9f772caa9c478791ca73c376898f03fd80921184e531afff197e456d92
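The JSON above carries the data needed to see where the two rankings come from: each finding has a `Severity`, a `SeveritySource` (here always `oracle-oval`, the OS vendor's advisory feed), and a `CVSS` map with `nvd` and `redhat` scores. The following script is an added example, not part of the issue or of Trivy itself. It reads a Trivy JSON report, maps every CVSS v3 base score to the standard qualitative rating (0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high, 9.0-10.0 critical) and lists the findings whose reported `Severity` disagrees with at least one CVSS source. The embedded report is a constructed subset built from three findings in the output above; the function and variable names are my own.

```python
"""Find Trivy findings whose vendor Severity disagrees with the CVSS v3 rating
of the NVD / Red Hat scores carried in the same report entry."""
import json


def cvss3_rating(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale (FIRST specification)."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def severity_disagreements(report: dict) -> list:
    """Return one record per vulnerability whose reported Severity differs from
    the CVSS v3 rating of at least one CVSS source (e.g. nvd, redhat)."""
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            reported = str(vuln.get("Severity", "UNKNOWN")).upper()
            ratings = {}
            for src, cvss in vuln.get("CVSS", {}).items():
                score = cvss.get("V3Score")  # v2-only entries are skipped
                if score is not None:
                    ratings[src] = cvss3_rating(float(score))
            differing = {s: r for s, r in ratings.items() if r != reported}
            if differing:
                findings.append({
                    "id": vuln["VulnerabilityID"],
                    "pkg": vuln.get("PkgName"),
                    "reported": reported,
                    "severity_source": vuln.get("SeveritySource", "unknown"),
                    "cvss_ratings": ratings,
                })
    return findings


# Constructed subset of the report in the issue: three findings, scores as shown there.
SAMPLE_REPORT = json.loads("""
{
  "SchemaVersion": 2,
  "Results": [{
    "Target": "nessus (oracle 8.6)", "Class": "os-pkgs", "Type": "oracle",
    "Vulnerabilities": [
      {"VulnerabilityID": "CVE-2022-38177", "PkgName": "bind-export-libs",
       "SeveritySource": "oracle-oval", "Severity": "HIGH",
       "CVSS": {"nvd": {"V3Score": 7.5}, "redhat": {"V3Score": 7.5}}},
      {"VulnerabilityID": "CVE-2021-20231", "PkgName": "gnutls",
       "SeveritySource": "oracle-oval", "Severity": "MEDIUM",
       "CVSS": {"nvd": {"V2Score": 7.5, "V3Score": 9.8}, "redhat": {"V3Score": 3.7}}},
      {"VulnerabilityID": "CVE-2021-40528", "PkgName": "libgcrypt",
       "SeveritySource": "oracle-oval", "Severity": "HIGH",
       "CVSS": {"nvd": {"V2Score": 2.6, "V3Score": 5.9}, "redhat": {"V3Score": 5.9}}}
    ]
  }]
}
""")


def run_sample() -> list:
    """Run the comparison over the constructed sample report."""
    return severity_disagreements(SAMPLE_REPORT)


if __name__ == "__main__":
    for rec in run_sample():
        print(f"{rec['id']:<16} {rec['pkg']:<18} reported={rec['reported']:<8} "
              f"(source={rec['severity_source']}) cvss={rec['cvss_ratings']}")
```

Run against the full report in the issue, the script flags exactly the CVEs whose CLI and web rankings differ, because every web-tool severity in the first table equals the NVD CVSS v3 rating (9.8 critical, 7.5 high, 5.9 medium) while every CLI severity equals the `oracle-oval` value in `Severity`. For an on-premise gate that filters on severity, this means the threshold is evaluated against whichever source populated `SeveritySource`, so a report consumer that wants NVD-style ranking should read `CVSS.nvd.V3Score` rather than `Severity`.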

@RoninBreizh RoninBreizh added the kind/bug Categorizes issue or PR as related to a bug. label Oct 14, 2022
@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Dec 14, 2022
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jan 4, 2023