sekveaja changed the title from "False positive: GHSA-x4qr-2fvf-3mr5 (CVE-2023-0286) in SLES 15.5 Ecosystem but trigger by cryptography" to "False positive: GHSA-x4qr-2fvf-3mr5 (CVE-2023-0286), GHSA-jfhm-5ghh-2f97 (CVE-2023-49083) in SLES 15.5 Ecosystem but trigger by cryptography" on Jun 25, 2024
What happened:

Scanning an image that has python3-cryptography-3.3.2-150400.23.1.x86_64 installed generates high-severity vulnerabilities:

```
NAME          INSTALLED  FIXED-IN  TYPE    VULNERABILITY         SEVERITY
cryptography  3.3.2      39.0.1    python  GHSA-x4qr-2fvf-3mr5   High
cryptography  3.3.2      42.0.0    python  GHSA-3ww4-gg4f-jr7f   High
cryptography  3.3.2      39.0.1    python  GHSA-w7pp-m8wf-vj6r   Medium
cryptography  3.3.2      41.0.6    python  GHSA-jfhm-5ghh-2f97   Medium
cryptography  3.3.2      42.0.2    python  GHSA-9v9h-cgj8-h64p   Medium
cryptography  3.3.2      41.0.4    python  GHSA-v8gr-m533-ghj9   Low
cryptography  3.3.2      41.0.3    python  GHSA-jm77-qphf-c4w8   Low
cryptography  3.3.2      41.0.0    python  GHSA-5cpq-8wj7-hf2v   Low
```
JSON format (elided with `...`):

```json
"vulnerability": {
  "id": "GHSA-x4qr-2fvf-3mr5",
  "dataSource": "GHSA-x4qr-2fvf-3mr5",
  "namespace": "github:language:python",
  "severity": "High",
  "urls": [
    "https://github.com/advisories/GHSA-x4qr-2fvf-3mr5"
  ],
  "description": "Vulnerable OpenSSL included in cryptography wheels",
  ...
  "relatedVulnerabilities": [
    {
      "id": "CVE-2023-0286",
      "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286",
      "namespace": "nvd:cpe",
      "severity": "High",
      "urls": [
        "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt",
        "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig",
        ...
"artifact": {
  "id": "38aca2c4012b270d",
  "name": "cryptography",
  "version": "3.3.2",
  "type": "python",
  "locations": [
    {
      "path": "/usr/lib64/python3.6/site-packages/cryptography-3.3.2-py3.6.egg-info/PKG-INFO",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    },
```
What you expected to happen:

According to the SUSE advisory for CVE-2023-0286, this CVE is already fixed.
See this link: https://www.suse.com/security/cve/CVE-2023-0286.html

```
SUSE Linux Enterprise Server 15 SP5  openssl        Not affected
SUSE Linux Enterprise Server 15 SP5  openssl-1_0_0  Released
SUSE Linux Enterprise Server 15 SP5  openssl-1_1    Already fixed
SUSE Linux Enterprise Server 15 SP5  openssl-3      Already fixed
```
Conclusion: the issue with CVE-2023-0286 is related to OpenSSL according to NVD.
As for the SUSE advisory, this CVE is already fixed.
Grype is pointing to an artifact that is related to cryptography, where cryptography may include an older version of OpenSSL.
There is something that Grype doesn't take into account in this case: the dependency.
Cryptography requires OpenSSL, but most OS providers have already patched, upgraded, or fixed it in their newest release or minor release.
It is good to flag; however, it is definitely a false positive for an ecosystem that already has the fixes for OpenSSL.
How to reproduce it (as minimally and precisely as possible):

Create a Dockerfile with this content:

```dockerfile
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-cryptography=3.3.2-150400.23.1.x86_64
ENTRYPOINT [""]
CMD ["bash"]
```

Build and scan it:

```
$ docker build -t "suse15.5_python3-cryptography:v1" .
$ grype --distro sles:15.5 suse15.5_python3-cryptography:v1
NAME          INSTALLED  FIXED-IN  TYPE    VULNERABILITY         SEVERITY
cryptography  3.3.2      39.0.1    python  GHSA-x4qr-2fvf-3mr5   High
cryptography  3.3.2      42.0.0    python  GHSA-3ww4-gg4f-jr7f   High
cryptography  3.3.2      39.0.1    python  GHSA-w7pp-m8wf-vj6r   Medium
cryptography  3.3.2      41.0.6    python  GHSA-jfhm-5ghh-2f97   Medium
cryptography  3.3.2      42.0.2    python  GHSA-9v9h-cgj8-h64p   Medium
cryptography  3.3.2      41.0.4    python  GHSA-v8gr-m533-ghj9   Low
cryptography  3.3.2      41.0.3    python  GHSA-jm77-qphf-c4w8   Low
cryptography  3.3.2      41.0.0    python  GHSA-5cpq-8wj7-hf2v   Low
```
Environment:

```
$ grype --version
grype 0.78.0
```

In the container image ecosystem:

```
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```
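The pattern reported above (a GHSA whose advisory text is about the OpenSSL bundled in PyPI wheels, matched against a distro-packaged `cryptography` that actually links the distro's own, already-patched OpenSSL) can be triaged mechanically from Grype's JSON output. The script below is an added example, not Grype's code and not the issue author's. It reads a Grype report, flags a match as a likely false positive only when both conditions hold (the advisory description says the vulnerable component is OpenSSL included in wheels, and the artifact lives in a distro-managed site-packages path), and emits a `.grype.yaml` `ignore:` block for those matches. The field names (`matches`, `vulnerability.description`, `relatedVulnerabilities`, `artifact.locations[].path`) mirror the fragment quoted in the issue; the embedded sample report, the second match's description and the path regex are constructed for the demonstration.

```python
"""Triage Grype JSON output for the vendored-OpenSSL false-positive pattern.

Added example (not part of Grype or of the issue). Usage on a real report:
    grype --distro sles:15.5 -o json IMAGE > report.json
    python3 triage_vendored_openssl.py report.json
With no argument it runs on the constructed SAMPLE_REPORT below.
"""
import json
import re
import sys

# Where an OS package manager (rpm/dpkg) installs Python modules. A package here
# was installed by the distro, so it uses the distro's OpenSSL, not a wheel's.
# (Constructed heuristic; adjust for other distro layouts.)
DISTRO_SITE_PACKAGES = re.compile(
    r"^/usr/lib(64)?/python3(\.\d+)?/(site|dist)-packages/"
)

# Advisory wording that says the vulnerable component is the OpenSSL shipped
# inside upstream PyPI wheels, not the cryptography Python code itself.
VENDORED_OPENSSL = re.compile(r"openssl.*(included|bundled|vendored).*wheel", re.I)

# Constructed sample, built from the report fragment quoted in the issue. The
# second match's description is a placeholder: the issue does not quote it.
SAMPLE_REPORT = {
    "matches": [
        {
            "vulnerability": {
                "id": "GHSA-x4qr-2fvf-3mr5",
                "namespace": "github:language:python",
                "severity": "High",
                "description": "Vulnerable OpenSSL included in cryptography wheels",
                "relatedVulnerabilities": [{"id": "CVE-2023-0286"}],
            },
            "artifact": {
                "name": "cryptography", "version": "3.3.2", "type": "python",
                "locations": [{"path": "/usr/lib64/python3.6/site-packages/"
                                       "cryptography-3.3.2-py3.6.egg-info/PKG-INFO"}],
            },
        },
        {
            "vulnerability": {
                "id": "GHSA-3ww4-gg4f-jr7f",
                "namespace": "github:language:python",
                "severity": "High",
                "description": "(constructed placeholder: advisory text not quoted)",
                "relatedVulnerabilities": [],
            },
            "artifact": {
                "name": "cryptography", "version": "3.3.2", "type": "python",
                "locations": [{"path": "/usr/lib64/python3.6/site-packages/"
                                       "cryptography-3.3.2-py3.6.egg-info/PKG-INFO"}],
            },
        },
    ]
}


def is_vendored_openssl_advisory(vuln):
    """True if the advisory is about OpenSSL bundled in wheels."""
    return bool(VENDORED_OPENSSL.search(vuln.get("description", "")))


def is_distro_managed(artifact):
    """True if any recorded location is under a distro site-packages dir."""
    return any(DISTRO_SITE_PACKAGES.match(loc.get("path", ""))
               for loc in artifact.get("locations", []))


def triage(report):
    """One verdict per match: 'likely-false-positive' or 'review'."""
    results = []
    for match in report.get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        distro = art.get("type") == "python" and is_distro_managed(art)
        vendored = is_vendored_openssl_advisory(vuln)
        results.append({
            "vulnerability": vuln["id"],
            "related": [r["id"] for r in vuln.get("relatedVulnerabilities", [])],
            "package": art["name"], "version": art["version"], "type": art["type"],
            "location": art["locations"][0]["path"] if art.get("locations") else "",
            "distro_managed": distro, "vendored_openssl_advisory": vendored,
            # Both must hold: a wheel-OpenSSL advisory on a pip-installed wheel
            # is a real finding, and a distro package can still have real bugs.
            "verdict": "likely-false-positive" if distro and vendored else "review",
        })
    return results


def ignore_rules_yaml(triaged):
    """Render the likely false positives as a Grype .grype.yaml ignore block."""
    lines = ["ignore:"]
    for t in triaged:
        if t["verdict"] != "likely-false-positive":
            continue
        aliases = ", ".join(t["related"]) or "no CVE alias"
        lines += [
            f"  # {t['vulnerability']} ({aliases}): wheel-OpenSSL advisory, distro-managed package",
            f"  - vulnerability: {t['vulnerability']}",
            "    package:",
            f"      name: {t['package']}",
            f"      version: {t['version']}",
            f"      type: {t['type']}",
            f"      location: \"{t['location']}\"",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    triaged = triage(report)
    for t in triaged:
        print(f"{t['vulnerability']:24} {t['package']} {t['version']:8} {t['verdict']}")
    print(ignore_rules_yaml(triaged))
```

Before committing an ignore rule from this output, confirm the two assumptions on the image itself: that the path is owned by an RPM (`rpm -qf <path>`) and that the module links the system library rather than a bundled one (in cryptography 3.x, `python3 -c 'from cryptography.hazmat.backends.openssl.backend import backend; print(backend.openssl_version_text())'` prints the OpenSSL the module is actually using). The rule is deliberately scoped to name, version, type and location, so a later pip-installed wheel in a different path is still reported.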