Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"cvss2Severity" and "cvss3Severity" in "redhat" are output in reverse #1146

Closed
ishiDACo opened this issue Jan 25, 2021 · 0 comments · Fixed by #1147
Closed

"cvss2Severity" and "cvss3Severity" in "redhat" are output in reverse #1146

ishiDACo opened this issue Jan 25, 2021 · 0 comments · Fixed by #1147
Labels
bug

Comments

@ishiDACo
Copy link
Contributor

What did you do? (required. The issue will be closed when not provided.)

I ran vuls scan against CentOS 8.2 and ran vuls report.

What did you expect to happen?

For redhat.cvss3Score, I expected to have a value of redhat.cvss3Severity.
For example, "cvss3Score": 9.8, so I expected "cvss3Severity": "Important".

        "CVE-2020-6825": {
            "cveID": "CVE-2020-6825",
            "confidences": [
                {
                    "score": 100,
                    "detectionMethod": "OvalMatch"
                }
            ],
            "affectedPackages": [
                {
                    "name": "firefox",
                    "fixedIn": "0:68.7.0-2.el8_1"
                }
            ],
            "distroAdvisories": [
                {
                    "advisoryID": "RHSA-2020:1406",
                    "severity": "Important",
                    "issued": "2020-04-08T00:00:00Z",
                    "updated": "2020-04-08T00:00:00Z",
                    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 68.7.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Uninitialized memory could be read when using the WebGL copyTexSubImage method (CVE-2020-6821)\n\n* Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7 (CVE-2020-6825)\n\n* Mozilla: Out of bounds write in GMPDecodeData when processing large images (CVE-2020-6822)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section."
                }
            ],
            "cveContents": {
                "redhat": {
                    "type": "redhat",
                    "cveID": "CVE-2020-6825",
                    "title": "RHSA-2020:1406: firefox security update (Important)",
                    "summary": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 68.7.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Uninitialized memory could be read when using the WebGL copyTexSubImage method (CVE-2020-6821)\n\n* Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7 (CVE-2020-6825)\n\n* Mozilla: Out of bounds write in GMPDecodeData when processing large images (CVE-2020-6822)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
                    "cvss2Score": 0,
                    "cvss2Vector": "",
                    "cvss2Severity": "",
                    "cvss3Score": 9.8,
                    "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                    "cvss3Severity": "Important",

What happened instead?

The value of redhat.cvss3Severity is output to redhat.cvss2Severity, and the value of redhat.cvss2Severity is output to redhat.cvss3Severity.
For example, "cvss3Score": 9.8, but "cvss3Severity": "", "cvss2Severity": "Important".

        "CVE-2020-6825": {
            "cveID": "CVE-2020-6825",
            "confidences": [
                {
                    "score": 100,
                    "detectionMethod": "OvalMatch"
                }
            ],
            "affectedPackages": [
                {
                    "name": "firefox",
                    "fixedIn": "0:68.7.0-2.el8_1"
                }
            ],
            "distroAdvisories": [
                {
                    "advisoryID": "RHSA-2020:1406",
                    "severity": "Important",
                    "issued": "2020-04-08T00:00:00Z",
                    "updated": "2020-04-08T00:00:00Z",
                    "description": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 68.7.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Uninitialized memory could be read when using the WebGL copyTexSubImage method (CVE-2020-6821)\n\n* Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7 (CVE-2020-6825)\n\n* Mozilla: Out of bounds write in GMPDecodeData when processing large images (CVE-2020-6822)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section."
                }
            ],
            "cveContents": {
                "redhat": {
                    "type": "redhat",
                    "cveID": "CVE-2020-6825",
                    "title": "RHSA-2020:1406: firefox security update (Important)",
                    "summary": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 68.7.0 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Uninitialized memory could be read when using the WebGL copyTexSubImage method (CVE-2020-6821)\n\n* Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7 (CVE-2020-6825)\n\n* Mozilla: Out of bounds write in GMPDecodeData when processing large images (CVE-2020-6822)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
                    "cvss2Score": 0,
                    "cvss2Vector": "",
                    "cvss2Severity": "Important",
                    "cvss3Score": 9.8,
                    "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                    "cvss3Severity": "",

Steps to reproduce the behaviour

Please run vuls scan against CentOS 8.2 and run vuls report.

Configuration (MUST fill this out):

  • Go version (go version): n/a

  • Go environment (go env): n/a

I use docker image.

docker pull vuls/vuls

Docker version 20.10.2, build 22

Host OS is Ubuntu 18.04

Vuls target server is CentOS 8.2.2004

  • Vuls environment:

Hash : e4f1e03

vuls v0.15.3 build-20210124_001830_e4f1e03

  • config.toml:
[cveDict]
type = "sqlite3"
SQLite3Path = "/vuls/cve.sqlite3"

[ovalDict]
type = "sqlite3"
SQLite3Path = "/vuls/oval.sqlite3"

[gost]
type = "sqlite3"
SQLite3Path = "/vuls/gost.sqlite3"

[exploit]
type = "sqlite3"
SQLite3Path = "/vuls/go-exploitdb.sqlite3"

[metasploit]
type = "sqlite3"
SQLite3Path = "/vuls/go-msfdb.sqlite3"

[servers]

[servers.centos]
host               = "xxx.xxx.xxx.xxx"
port               = "yyyyy"
user               = "zzzzzz"
keyPath            = "/root/.ssh/id_rsa"
scanMode           = ["fast"]
  • command:

Run report.sh, which is included in vulsctl.

docker run --rm -i \
    -v $PWD:/vuls \
    vuls/vuls report \
    -log-dir=/vuls/log \
    -format-list \
    -config=/vuls/config.toml \
    -refresh-cve \
    $@
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(report): set severity in Red Hat OVAL to both CVSS v3 and v2 #1146 future-architect/vuls
1 participant
@ishiDACo