Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

False positive: GHSA-v973-fxgf-6xhp (CVE-2022-40023) python3-Mako in SLES 15.5 Ecosystem #1923

Open
sekveaja opened this issue Jun 10, 2024 · 0 comments
Labels
bug Something isn't working false-positive

Comments

@sekveaja
Copy link

What happened:

Scan on image that has python3-Mako-1.0.7-150000.3.3.1.noarch installed.
It generates high vulnerability:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
Mako 1.0.7 1.2.2 python GHSA-v973-fxgf-6xhp High

"vulnerability": {
"id": "GHSA-v973-fxgf-6xhp",
"dataSource": "GHSA-v973-fxgf-6xhp",
"namespace": "github:language:python",
"severity": "High",
"urls": [
"https://github.com/advisories/GHSA-v973-fxgf-6xhp"
],
"description": "mako is vulnerable to Regular Expression Denial of Service",
:
"relatedVulnerabilities": [
{
"id": "CVE-2022-40023",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-40023",
"namespace": "nvd:cpe",
"severity": "High",
"urls": [
:
:
"artifact": {
"id": "5ecd5f4b31668b60",
"name": "Mako",
"version": "1.0.7",
"type": "python",
"locations": [
{
"path": "/usr/lib/python3.6/site-packages/Mako-1.0.7-py3.6.egg-info/PKG-INFO",
"layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
},

What you expected to happen:

According to SUSE Advisory CVE-2022-40023
Patch for this CVE is applied from version python3-Mako >= 1.0.7-150000.3.3.1

See with this link: https://www.suse.com/security/cve/CVE-2022-40023.html

SUSE Linux Enterprise Server 15 SP5
python3-Mako >= 1.0.7-150000.3.3.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-Mako-1.0.7-150000.3.3.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-Mako-1.0.7-150000.3.3.1

Installed version in the container: python3-Mako-1.0.7-150000.3.3.1.noarch

rpm -qf /usr/lib/python3.6/site-packages/Mako-1.0.7-py3.6.egg-info/PKG-INFO

python3-Mako-1.0.7-150000.3.3.1.noarch

Conclusion: Installed version meet the minimal requirement patch from SLES 15.5 but Grype generate a vulnerability.

How to reproduce it (as minimally and precisely as possible):

1)Create the Dockerfile with this content:

FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-Mako=1.0.7-150000.3.3.1
ENTRYPOINT [""]
CMD ["bash"]

  1. Build an image from Dockerfile

$ docker build -t "suse15.5_python3-mako:v1" .

  1. Test with Grype now

$ grype --distro sles:15.5 suse15.5_python3-mako:v1

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
Mako 1.0.7 1.2.2 python GHSA-v973-fxgf-6xhp High

Environment:
$ grype --version
grype 0.78.0

In container image eco-system:
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"

@sekveaja sekveaja added the bug Something isn't working label Jun 10, 2024
@sekveaja sekveaja changed the title False positive: GHSA-v973-fxgf-6xhp (CVE-2022-40023) in SLES 15.5 Ecosystem False positive: GHSA-v973-fxgf-6xhp (CVE-2022-40023) python3-Mako in SLES 15.5 Ecosystem Jun 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working false-positive
Projects
Status: No status
Development

No branches or pull requests

2 participants