CVE shows as High vulnerability but REDHAT says not affected? #24

Open
kmeekva opened this issue Jul 28, 2023 · 4 comments
@kmeekva

kmeekva commented Jul 28, 2023

We are running RedHat 8

The package python3-urllib3-1.24.2-5.el8.noarch is installed.

Scout is showing 3 vulnerabilities for this package:

=============
0C 1H 2M 0L urllib3 1.24.2
pkg:pypi/urllib3@1.24.2

✗ HIGH CVE-2021-33503
  https://scout.docker.com/v/CVE-2021-33503
  Affected range : <1.26.5
  Fixed version  : 1.26.5

✗ MEDIUM CVE-2020-26137 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')]
  https://scout.docker.com/v/CVE-2020-26137
  Affected range : <1.25.9
  Fixed version  : 1.25.9
  CVSS Score     : 6.5
  CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

✗ MEDIUM CVE-2019-11236 [Improper Neutralization of CRLF Sequences ('CRLF Injection')]
  https://scout.docker.com/v/CVE-2019-11236
  Affected range : <=1.24.2
  Fixed version  : 1.24.3
  CVSS Score     : 6.1
  CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

=================

For the first one -- https://scout.docker.com/v/CVE-2021-33503 -- the Red Hat website says it is Not Affected.

For the 2nd one https://access.redhat.com/security/cve/CVE-2020-26137
Red Hat says it is addressed in the version we have installed: https://access.redhat.com/errata/RHSA-2021:1631
(if you click on updated packages it shows python-urllib3-1.24.2-5.el8.src.rpm as being updated).

For the 3rd one https://scout.docker.com/vulnerabilities/id/CVE-2019-11236
It says <1.24.2-2.el8 is vulnerable -- we have python3-urllib3-1.24.2-5.el8.noarch, which is greater -- and is the patched version.

Not sure why these are showing as vulnerabilities when we have the patched version from Red Hat.

Could be something to do with the "version" shown in the Scout finding only having the point release and not the -N Red Hat modified version that contains the backport of the fixes.

e.g. Scout thinks we have pkg:pypi/urllib3@1.24.2 but we have 1.24.2-5

@cdupuis cdupuis self-assigned this Jul 28, 2023
@cdupuis
Collaborator

cdupuis commented Jul 28, 2023

@kmeekva, thanks for raising this.

Would it be possible to get a pointer to a public image to verify those issues against? I’m happy to take a look.

Alternatively a Dockerfile to create an image with this problem would be equally helpful.

Thanks again.

@cdupuis
Collaborator

cdupuis commented Aug 15, 2023

I've tried to set up a test case with the following Dockerfile.

FROM redhat/ubi8

RUN yum -y install python3-urllib3; yum clean all

The resulting image now contains urllib3 in various locations:

    {
      "type": "pypi",
      "name": "urllib3",
      "version": "1.24.2",
      "purl": "pkg:pypi/urllib3@1.24.2",
      "author": "Andrey Petrov",
      "licenses": [
        "MIT"
      ],
      "locations": [
        {
          "path": "/usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/PKG-INFO",
          "ordinal": 23,
          "digest": "sha256:1224788fbfdbcd73e4119977a18662b9317e717e809949e7d88d06aa43dd1004",
          "diff_id": "sha256:7cd83e46b22234ac775ed33e7b0c18d697f2e124681fd0592e859d2ee17fbcd4"
        },
        {
          "path": "/usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/top_level.txt",
          "ordinal": 23,
          "digest": "sha256:1224788fbfdbcd73e4119977a18662b9317e717e809949e7d88d06aa43dd1004",
          "diff_id": "sha256:7cd83e46b22234ac775ed33e7b0c18d697f2e124681fd0592e859d2ee17fbcd4"
        }
      ]
    },

and

    {
      "type": "rpm",
      "namespace": "redhatlinux",
      "name": "python-urllib3",
      "version": "1.24.2-5.el8",
      "purl": "pkg:rpm/redhatlinux/python-urllib3@1.24.2-5.el8?os_name=redhatlinux\u0026os_version=8",
      "licenses": [
        "MIT"
      ],
      "size": 620045,
      "locations": [
        {
          "path": "/var/lib/rpm/Packages",
          "ordinal": 23,
          "digest": "sha256:1224788fbfdbcd73e4119977a18662b9317e717e809949e7d88d06aa43dd1004",
          "diff_id": "sha256:7cd83e46b22234ac775ed33e7b0c18d697f2e124681fd0592e859d2ee17fbcd4"
        }
      ]
    },

The CVEs are reported against pkg:pypi/urllib3@1.24.2, which is indeed installed in the image. I think this CVE report is correct?

@cdupuis
Collaborator

cdupuis commented Aug 29, 2023

Please feel free to re-open in case this is still an issue.

@cdupuis cdupuis closed this as completed Aug 29, 2023
@kmeekva
Author

kmeekva commented Aug 29, 2023

Red Hat claims that their "fix" for this CVE is included with the -5 version of this package.

See the updated packages tab on this page: https://access.redhat.com/errata/RHSA-2021:1631

Because RHEL 8 is a long-term support release they often backport fixes while keeping the older version-numbered release installed -- they add a -## to the package name that contains the fixes.

In this case their version -5 is supposed to include the fix for this CVE, but the system is still running the 1.24.2 version -- with their fixes backported.

So the older package:
python3-urllib3-1.24.2**-4**.el8.noarch
would be vulnerable -- but the current "patched" version is:
python3-urllib3-1.24.2**-5**.el8.noarch

It looks like their "fixed" RPM does include the files that are triggering your hit:

yum provides /usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/PKG-INFO

python3-urllib3-1.24.2-5.el8.noarch : Python3 HTTP library with thread-safe connection
Matched from:
Filename : /usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/PKG-INFO

python3-urllib3-1.24.2-5.el8.noarch : Python3 HTTP library with thread-safe connection pooling and file post
Repo : ubi-8-baseos-rpms
Matched from:
Filename : /usr/lib/python3.6/site-packages/urllib3-1.24.2-py3.6.egg-info/PKG-INFO

@cdupuis Not sure how to re-open this?
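The disagreement in this thread comes down to which identifier the fix status is keyed on: the scanner matches the PyPI purl (`urllib3@1.24.2`, taken from the egg-info metadata) against upstream fixed versions, while the distro tracks fixes per RPM version-release (`1.24.2-5.el8`). The script below is an added example, not code from Docker Scout or Red Hat, showing how a defender can reconcile the two: it parses the NEVRA, compares version-release strings with a simplified `rpmvercmp`, and falls back to a distro fix table when the upstream version alone says "vulnerable". The fix table and the PyPI-to-RPM name mapping are constructed from what the comments above state about the Red Hat CVE and errata pages; in practice they would come from the vendor's machine-readable security data rather than be hard-coded.

```python
"""Reconcile PyPI-keyed scanner findings with an RPM that carries backported fixes."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# NEVRA without epoch: name-version-release.arch, e.g. python3-urllib3-1.24.2-5.el8.noarch
_NEVRA_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")


@dataclass(frozen=True)
class Nevra:
    name: str
    version: str
    release: str
    arch: str

    @property
    def evr(self) -> str:
        return f"{self.version}-{self.release}"


def parse_nevra(text: str) -> Nevra:
    """Split an RPM package string into name, version, release and arch."""
    m = _NEVRA_RE.match(text)
    if not m:
        raise ValueError(f"not a NEVRA string: {text!r}")
    return Nevra(**m.groupdict())


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare alternating numeric/alphabetic segments.

    Returns -1, 0 or 1. Numeric segments compare as integers ('24' < '26'),
    so release '5.el8' sorts after '2.el8'. rpm's tilde/caret rules are omitted.
    """
    if a == b:
        return 0
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit():  # a numeric segment is newer than an alphabetic one, as in rpm
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Constructed sample data reflecting the thread's reading of Red Hat's CVE/errata pages;
# a real tool would load the vendor's security feed instead of hard-coding this.
PYPI_TO_RPM: Dict[str, str] = {"urllib3": "python3-urllib3"}
DISTRO_STATUS: Dict[Tuple[str, str], Tuple[str, Optional[str]]] = {
    ("python3-urllib3", "CVE-2021-33503"): ("not_affected", None),
    ("python3-urllib3", "CVE-2020-26137"): ("fixed", "1.24.2-5.el8"),  # RHSA-2021:1631
    ("python3-urllib3", "CVE-2019-11236"): ("fixed", "1.24.2-2.el8"),
}


def triage(installed: str, findings: List[dict]) -> Dict[str, str]:
    """Classify each PyPI-keyed finding against the installed RPM's version-release."""
    pkg = parse_nevra(installed)
    verdicts: Dict[str, str] = {}
    for f in findings:
        cve, fixed_upstream = f["cve"], f["fixed_version"]
        rpm_name = PYPI_TO_RPM.get(f["pypi_name"])
        if rpm_name != pkg.name:
            verdicts[cve] = "unknown:no-rpm-mapping"
            continue
        if rpmvercmp(pkg.version, fixed_upstream) >= 0:
            verdicts[cve] = "upstream_fixed"  # point release alone already carries the fix
            continue
        status, fixed_evr = DISTRO_STATUS.get((rpm_name, cve), ("unknown", None))
        if status == "not_affected":
            verdicts[cve] = "distro_not_affected"
        elif status == "fixed" and fixed_evr and evr_cmp(pkg.evr, fixed_evr) >= 0:
            verdicts[cve] = "distro_backport_fixed"
        elif status == "fixed":
            verdicts[cve] = "vulnerable"  # older release than the erratum's build
        else:
            verdicts[cve] = "unknown:upstream-says-vulnerable"
    return verdicts


# Constructed from the Scout output quoted in the first comment.
SCOUT_FINDINGS = [
    {"cve": "CVE-2021-33503", "pypi_name": "urllib3", "fixed_version": "1.26.5"},
    {"cve": "CVE-2020-26137", "pypi_name": "urllib3", "fixed_version": "1.25.9"},
    {"cve": "CVE-2019-11236", "pypi_name": "urllib3", "fixed_version": "1.24.3"},
]

if __name__ == "__main__":
    for nevra in ("python3-urllib3-1.24.2-5.el8.noarch", "python3-urllib3-1.24.2-4.el8.noarch"):
        print(nevra)
        for cve, verdict in triage(nevra, SCOUT_FINDINGS).items():
            print(f"  {cve}: {verdict}")
```

Run against the -5 build, all three findings resolve to "distro_not_affected" or "distro_backport_fixed"; against the hypothetical -4 build the thread mentions, CVE-2020-26137 correctly comes back "vulnerable" because its erratum shipped in release 5. The key design point is that the upstream version check runs first and the distro table is consulted only when it fails, so the script never suppresses a finding without a specific vendor statement covering that CVE and that release.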

@cdupuis cdupuis reopened this Aug 29, 2023