Description
What happened:
Scan of an image that has python3-Werkzeug-1.0.1-150300.3.8.1.noarch and python311-Werkzeug-2.3.6-150400.6.12.1 installed.
It generates the following vulnerabilities:
```
NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
werkzeug  1.0.1      3.0.3     python  GHSA-2g68-c3qc-8985  High
werkzeug  1.0.1      2.2.3     python  GHSA-xg9f-g7g7-2323  High
werkzeug  1.0.1      3.0.6     python  GHSA-f9vj-2wh5-fj8j  Medium
werkzeug  1.0.1      2.3.8     python  GHSA-hrfv-mqp8-q5rw  Medium
werkzeug  1.0.1      3.0.6     python  GHSA-q34m-jh98-gwm2  Medium
werkzeug  1.0.1      2.2.3     python  GHSA-px8h-6qxv-m22q  Low
werkzeug  2.3.6      3.0.3     python  GHSA-2g68-c3qc-8985  High
werkzeug  2.3.6      3.0.6     python  GHSA-f9vj-2wh5-fj8j  Medium
werkzeug  2.3.6      2.3.8     python  GHSA-hrfv-mqp8-q5rw  Medium
werkzeug  2.3.6      3.0.6     python  GHSA-q34m-jh98-gwm2  Medium   --> CVE-2024-49767
```
What you expected to happen:
According to the SUSE advisory for CVE-2024-49767, the patch for this CVE is applied from python311-Werkzeug >= 2.3.6-150400.6.12.1.
See: https://www.suse.com/security/cve/CVE-2024-49767.html
- SUSE Linux Enterprise Server 15 SP5: python311-Werkzeug >= 2.3.6-150400.6.12.1
- SUSE Linux Enterprise Server 15 SP6: python311-Werkzeug >= 2.3.6-150400.6.12.1
When looking into the log file, the artifact points to this PKG-INFO file:
```json
"artifact": {
  "id": "023d4d1f5df10c48",
  "name": "werkzeug",
  "version": "1.0.1",
  "type": "python",
  "locations": [
    {
      "path": "/usr/lib/python3.6/site-packages/Werkzeug-1.0.1-py3.6.egg-info/PKG-INFO"
    }
  ]
}
```
When looking up the RPM that the above PKG-INFO belongs to, it is from python3-Werkzeug-1.0.1-150300.3.8.1.noarch.
CVE-2024-49767 is not related to python3-Werkzeug-1.0.1-150300.3.8.1.noarch; the CVE is related to python311-Werkzeug.
python3-Werkzeug and python311-Werkzeug are two different packages.
Please take a look at why Grype confuses the two packages.
There is also a false positive: if the tool compared against the right package, the installed python311-Werkzeug-2.3.6-150400.6.12.1 meets the minimum requirement from the SUSE OS vendor.
How to reproduce it (as minimally and precisely as possible):
- Create the Dockerfile with this content:
```dockerfile
FROM registry.suse.com/suse/sle15:15.6
RUN zypper in -y --no-recommends python3-Werkzeug=1.0.1-150300.3.8.1
RUN zypper in -y --no-recommends python311-Werkzeug=2.3.6-150400.6.12.1
ENTRYPOINT [""]
CMD ["bash"]
```
- Build an image from the Dockerfile:
```
$ docker build --network=host -t "suse15.6_python-werkzeug:v1" .
```
- Test with Grype now:
```
$ grype --distro sles:15.6 suse15.6_python-werkzeug:v1
NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
werkzeug  1.0.1      3.0.3     python  GHSA-2g68-c3qc-8985  High
werkzeug  1.0.1      2.2.3     python  GHSA-xg9f-g7g7-2323  High
werkzeug  1.0.1      3.0.6     python  GHSA-f9vj-2wh5-fj8j  Medium
werkzeug  1.0.1      2.3.8     python  GHSA-hrfv-mqp8-q5rw  Medium
werkzeug  1.0.1      3.0.6     python  GHSA-q34m-jh98-gwm2  Medium
werkzeug  1.0.1      2.2.3     python  GHSA-px8h-6qxv-m22q  Low
werkzeug  2.3.6      3.0.3     python  GHSA-2g68-c3qc-8985  High
werkzeug  2.3.6      3.0.6     python  GHSA-f9vj-2wh5-fj8j  Medium
werkzeug  2.3.6      2.3.8     python  GHSA-hrfv-mqp8-q5rw  Medium
werkzeug  2.3.6      3.0.6     python  GHSA-q34m-jh98-gwm2  Medium   (problem reproduced)
```
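As an added example (not from this issue and not Grype's own code), the following Python contrasts the two comparisons that disagree here: the plain version check the table reflects (PKG-INFO 2.3.6 against upstream fixed-in 3.0.6) and an RPM epoch-version-release comparison against the fixed build SUSE states. `rpmvercmp` is a reimplementation of rpm's segment-wise ordering, not rpm's code, and leaves out tilde/caret handling.

```python
# Added example, not Grype's code: rpm-style EVR comparison vs plain version comparison.
import re

def rpmvercmp(a: str, b: str) -> int:
    """rpm's segment-wise ordering: -1 if a < b, 0 if equal, 1 if a > b (no tilde/caret)."""
    i = j = 0
    while True:
        while i < len(a) and not a[i].isalnum():  # skip separators
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        # Compare a run of digits with digits, or a run of letters with letters.
        numeric = a[i].isdigit()
        pattern = r"\d+" if numeric else r"[A-Za-z]+"
        ma, mb = re.match(pattern, a[i:]), re.match(pattern, b[j:])
        if mb is None:  # mixed segment types: numeric is always newer
            return 1 if numeric else -1
        sa, sb = ma.group(), mb.group()
        i, j = i + len(sa), j + len(sb)
        if numeric:  # without leading zeros, the longer number is larger
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever has characters left wins

def parse_evr(evr: str) -> tuple:  # 'epoch:version-release', epoch defaults to "0"
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (epoch or "0", version, release)

def evr_cmp(a: str, b: str) -> int:  # epoch first, then version, then release
    for x, y in zip(parse_evr(a), parse_evr(b)):
        if c := rpmvercmp(x, y):
            return c
    return 0

def vulnerable_by_upstream(installed: str, upstream_fixed: str) -> bool:
    # What the table reflects: PKG-INFO version against the upstream fixed-in.
    return rpmvercmp(installed, upstream_fixed) < 0

def vulnerable_by_rpm(installed_evr: str, vendor_fixed_evr: str) -> bool:
    # What the advisory calls for: installed RPM against the vendor's fixed build.
    return evr_cmp(installed_evr, vendor_fixed_evr) < 0
```

For the reported image, `vulnerable_by_upstream("2.3.6", "3.0.6")` is true while `vulnerable_by_rpm("2.3.6-150400.6.12.1", "2.3.6-150400.6.12.1")` is false, which is exactly the disagreement between the table and the advisory.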
Environment:
```
$ grype --version
grype 0.88.0
```
In the container image:
```
NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
DOCUMENTATION_URL="https://documentation.suse.com/"
```