What happened:
A spring-boot project directory was scanned and GHSA-36p3-wjmg-h94x was detected. The description in the cyclonedx report is very terse: Remote Code Execution in Spring Framework
What you expected to happen:
The description should reflect the content available on the advisory page (e.g. Impact, Workarounds)
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
The associated CVE-2022-22965 has a better description in the DB.
In air-gapped environments the reference links can't be followed easily, so a verbose description in the DB can avoid disrupting triage flow.
sqlite3 ~/.cache/grype/db/5/vulnerability.db
sqlite> select description from vulnerability_metadata where id = "GHSA-36p3-wjmg-h94x" limit 1;
Remote Code Execution in Spring Framework
sqlite> select description from vulnerability_metadata where id = "CVE-2022-22965" limit 1;
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Environment:
Output of grype version: 0.55.0
I think the best way forward for this is to use the --by-cve option to reorient the results in terms of CVEs (and thus the descriptions as well). That being said, I'm not seeing the results get reoriented for this GHSA for your example. It might be because the CVE is undergoing reanalysis, but I'm not certain. More digging is needed.
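The lookup the report does by hand in sqlite3, as an added example that is not part of the issue or of grype itself: it builds an in-memory table with the `id`/`description` columns used by the queries above (the real DB has more tables and columns), and when a GHSA description is too short to triage on it falls back to the aliased CVE's text. The GHSA-to-CVE alias mapping and the extra `GHSA-xxxx-yyyy-zzzz` row are constructed for the example.

```python
import sqlite3

# Constructed sample rows mirroring the two records shown in the report; the
# real grype DB lives at ~/.cache/grype/db/5/vulnerability.db.
SAMPLE_ROWS = [
    ("GHSA-36p3-wjmg-h94x", "Remote Code Execution in Spring Framework"),
    ("CVE-2022-22965",
     "A Spring MVC or Spring WebFlux application running on JDK 9+ may be "
     "vulnerable to remote code execution (RCE) via data binding. The specific "
     "exploit requires the application to run on Tomcat as a WAR deployment. "
     "If the application is deployed as a Spring Boot executable jar, i.e. the "
     "default, it is not vulnerable to the exploit. However, the nature of the "
     "vulnerability is more general, and there may be other ways to exploit it."),
    ("GHSA-xxxx-yyyy-zzzz", "Example advisory with no CVE alias"),  # placeholder id
]

# Assumption: GHSA -> CVE alias mapping supplied explicitly so this runs
# offline; grype keeps aliases in its own tables, which are not modelled here.
ALIASES = {"GHSA-36p3-wjmg-h94x": "CVE-2022-22965"}

TERSE_LIMIT = 80  # shorter than this reads as a title, not a description


def build_sample_db() -> sqlite3.Connection:
    """In-memory DB with the column names the report's queries rely on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vulnerability_metadata (id TEXT, description TEXT)")
    conn.executemany("INSERT INTO vulnerability_metadata VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup(conn: sqlite3.Connection, vuln_id: str):
    """Same query as the sqlite3 session above, parameterised."""
    row = conn.execute(
        "SELECT description FROM vulnerability_metadata WHERE id = ? LIMIT 1",
        (vuln_id,),
    ).fetchone()
    return row[0] if row else None


def triage_description(conn: sqlite3.Connection, vuln_id: str, aliases=ALIASES):
    """Return (source_id, description): the record's own text when it is long
    enough to triage on, otherwise the longer text of its aliased CVE."""
    desc = lookup(conn, vuln_id)
    if desc is not None and len(desc) >= TERSE_LIMIT:
        return vuln_id, desc
    cve = aliases.get(vuln_id)
    if cve:
        cve_desc = lookup(conn, cve)
        if cve_desc and len(cve_desc) > len(desc or ""):
            return cve, cve_desc
    return vuln_id, desc
```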