CVE not detected but present in database #980
Comments
|
Vuls uses OVAL data to scan RHEL and CentOS7. CVE-2020-11651 is not in OVAL for Red Hat Enterprise Linux 7. https://access.redhat.com/security/cve/cve-2020-11651
According to the Red Hat page, CVE-2020-11651 does not seem to affect RHEL7. |
|
Hi, I understand that CVE-2020-1165 does not affect RHEL7 product, but it affects saltstack that can be installed on RHEL7 with saltstask redhat repository. |
|
Yes, it's difficult without that database. I don't know if the database is public. Or, try the following and let me know the results. Will CVE-2020-1165 be detected when the following command is issued? If CVE-2020-1165 can be detected above, it can be achieved by executing the above command on the server to be scanned. Additional implementation is needed though. |
Hello, I used Vuls to find the vulnerability CVE-2020-11651. However, it does not work, the version of the package and CVE is well found but nothing does not appear in the report.
Package
Package is found inside the /results/.json
"salt":{ "name":"salt", "version":"2017.7.5", "release":"1.el7", "newVersion":"", "newRelease":"", "arch":"noarch", "repository":"", "changelog":{ "contents":"", "method":"" } }, "salt-master":{ "name":"salt-master", "version":"2017.7.5", "release":"1.el7", "newVersion":"", "newRelease":"", "arch":"noarch", "repository":"", "changelog":{ "contents":"", "method":"" } }CVE
CVE can be found in the cve.sqlite3
OVAL
Result
CVE is not detected and does not appear with $ ./report.sh | grep 2020-11651
Config
[servers]
[servers.x-x-x-x]
host = "x.x.x.x"
port = "22"
user = "root"
keyPath = "/root/.ssh/id_rsa"
[exploit]
type = "sqlite3"
sqlite3Path = "/vuls/go-exploitdb.sqlite3"
[cveDict]
type = "sqlite3"
sqlite3Path = "/vuls/cve.sqlite3"
[ovalDict]
type = "sqlite3"
sqlite3Path = "/vuls/oval.sqlite3"
The text was updated successfully, but these errors were encountered: