What happened:
Scanning an image that has python3-Flask-1.0.4-150400.7.64.noarch installed generates a high vulnerability:

```
NAME    INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Flask   1.0.4      2.2.5     python  GHSA-m2qf-hxjv-5gpq  High
Jinja2  2.10.1     3.1.4     python  GHSA-h75v-3vvj-5mfj  Medium
Jinja2  2.10.1     3.1.3     python  GHSA-h5c8-rqwp-cp95  Medium
```
JSON format (excerpt; the `:` lines mark omitted fields):

```json
"vulnerability": {
  "id": "GHSA-m2qf-hxjv-5gpq",
  "dataSource": "GHSA-m2qf-hxjv-5gpq",
  "namespace": "github:language:python",
  "severity": "High",
  "urls": [
    "https://github.com/advisories/GHSA-m2qf-hxjv-5gpq"
  ],
  "description": "Flask vulnerable to possible disclosure of permanent session cookie
  :
  :
"relatedVulnerabilities": [
  {
    "id": "CVE-2023-30861",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-30861",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [
      "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b",
      "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965",
      "https://github.com/pallets/flask/releases/tag/2.2.5",
  :
  :
"artifact": {
  "id": "43f7396ee5913efd",
  "name": "Flask",
  "version": "1.0.4",
  "type": "python",
  "locations": [
    {
      "path": "/usr/lib/python3.6/site-packages/Flask-1.0.4-py3.6.egg-info/PKG-INFO",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    },
```
What you expected to happen:
According to the SUSE advisory for CVE-2023-30861, the patch for this CVE is applied from version python3-Flask-1.0.4-150400.7.64.noarch.
See this link: https://www.suse.com/security/cve/CVE-2023-30861.html

```
SUSE Linux Enterprise Server 15 SP5
python3-Flask >= 1.0.4-150400.3.3.1
Patchnames:
SUSE-SLE-Module-Basesystem-15-SP5-2023-2263
```

Installed version in the container: python3-flask-3.3.2-150400.23.1.x86_64

```
rpm -qf /usr/lib/python3.6/site-packages/Flask-1.0.4-py3.6.egg-info/PKG-INFO
python3-Flask-1.0.4-150400.7.64.noarch
```

Conclusion: the installed version is higher than the minimum patched version from SLES 15.5, but Grype still generates a vulnerability.
How to reproduce it (as minimally and precisely as possible):

```dockerfile
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-Flask=1.0.4-150400.7.64
ENTRYPOINT [""]
CMD ["bash"]
```

```
$ docker build -t "suse15.5_python3-flask:v1" .
$ grype --distro sles:15.5 suse15.5_python3-flask:v1
NAME    INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Flask   1.0.4      2.2.5     python  GHSA-m2qf-hxjv-5gpq  High
Jinja2  2.10.1     3.1.4     python  GHSA-h75v-3vvj-5mfj  Medium
Jinja2  2.10.1     3.1.3     python  GHSA-h5c8-rqwp-cp95  Medium
```
Environment:

```
$ grype --version
grype 0.78.0
```

In the container image:

```
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```
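The report above is a classic distro-backport false positive: the Python egg-info carries upstream version 1.0.4, so the GHSA match fires even though the RPM that owns that file already ships the SUSE patch. An added triage helper (not Grype's or SUSE's code) that implements the check a reviewer would make by hand: map each matched file to its owning RPM, then compare that RPM's version-release against the advisory's minimum using a simplified rpm label comparison. The `rpm -qf` result and the advisory threshold are embedded as constructed lookup tables taken from the values quoted in the issue.

```python
import json
import re

# Constructed excerpt of the Grype JSON match from the issue (same IDs and path).
GRYPE_MATCHES = json.loads("""[{
 "vulnerability": {"id": "GHSA-m2qf-hxjv-5gpq", "severity": "High"},
 "relatedVulnerabilities": [{"id": "CVE-2023-30861"}],
 "artifact": {"name": "Flask", "version": "1.0.4", "type": "python",
  "locations": [{"path": "/usr/lib/python3.6/site-packages/Flask-1.0.4-py3.6.egg-info/PKG-INFO"}]}}]""")

# Constructed stand-in for `rpm -qf <path>` run inside the image (value from the issue).
RPM_OWNER = {"/usr/lib/python3.6/site-packages/Flask-1.0.4-py3.6.egg-info/PKG-INFO":
             "python3-Flask-1.0.4-150400.7.64.noarch"}

# Minimum patched (name, version, release) per CVE, from the SUSE advisory quoted above.
SUSE_FIXED = {"CVE-2023-30861": ("python3-Flask", "1.0.4", "150400.3.3.1")}


def rpmvercmp(a, b):
    """Simplified rpm label compare: digit runs compare numerically, alpha runs
    lexically, a numeric segment outranks an alpha one, longer label wins a tie."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nevra(nevra):
    """'python3-Flask-1.0.4-150400.7.64.noarch' -> ('python3-Flask', '1.0.4', '150400.7.64')."""
    name, version, release = nevra.rsplit(".", 1)[0].rsplit("-", 2)
    return name, version, release


def triage(matches):
    """Verdict per match: 'fixed-by-distro' when the RPM owning the matched file is at
    or above the advisory's patched version-release for a related CVE, else 'open'."""
    verdicts = {}
    for m in matches:
        owner = RPM_OWNER.get(m["artifact"]["locations"][0]["path"])
        verdict = "open"
        for rel in m.get("relatedVulnerabilities", []):
            fixed = SUSE_FIXED.get(rel["id"])
            if owner and fixed:
                name, ver, rls = split_nevra(owner)
                # Version decides unless equal, then release decides (rpm semantics).
                if name == fixed[0] and (rpmvercmp(ver, fixed[1]) or rpmvercmp(rls, fixed[2])) >= 0:
                    verdict = "fixed-by-distro"
        verdicts[m["vulnerability"]["id"]] = verdict
    return verdicts
```

A match that triages as `fixed-by-distro` is the candidate for a Grype ignore rule or a `--distro`-aware fix-state override rather than a real finding; anything still `open` keeps its severity.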