Hi @sekveaja, thank you for all of these false positive reports, please keep them coming and sorry we haven't followed up yet. We are looking into them. Stay tuned!
Hi @tgerla,
No problem. Now that we have found a way to reproduce the issue in the public domain, it is much easier for you to look into it.
And yes, there are more to come.
Thanks!!
Hey @sekveaja, thanks for your patience on these. I think we have figured out the root cause for a lot of these. We are currently only using a subset of the available SUSE vulnerability data, which means that Grype is unable to de-duplicate some packages and will report two findings for a single package, as you have seen. #1918 will track the work to fix this. We think that SUSE publishes the data we need, so we will need to enhance the SUSE Vunnel provider which parses the vulnerability data.
I'll link your other false positives in this category here so that we can track them. Thanks!
Thanks for the input, I hope that you will nail down the issue.
In the meantime, I will continue to report other FPs related to SUSE.
Thanks!
sekveaja changed the title from "False positive: GHSA-h4m5-qpfp-3mpv (CVE-2021-42771) in SLES 15.5" to "False positive: GHSA-h4m5-qpfp-3mpv (CVE-2021-42771) python3-Babel in SLES 15.5" on Jun 25, 2024
What happened:
Scanning an image that has python3-Babel-2.8.0-3.3.1.noarch installed.
It generates a High-severity vulnerability:

```
$ grype --distro sles:15.5 suse15.5_python3-babel:v1
NAME   INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Babel  2.8.0      2.9.1     python  GHSA-h4m5-qpfp-3mpv  High
```

Relevant part of the JSON output (abridged):
```json
"vulnerability": {
  "id": "GHSA-h4m5-qpfp-3mpv",
  "dataSource": "GHSA-h4m5-qpfp-3mpv",
  "namespace": "github:language:python",
  "severity": "High",
  "urls": [
    "https://github.com/advisories/GHSA-h4m5-qpfp-3mpv"
  ],
  "description": "Directory Traversal in Babel",
  :
  :
"relatedVulnerabilities": [
  {
    "id": "CVE-2021-42771",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-42771",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [
      "https://github.com/python-babel/babel/pull/782",
      "https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html",
      "https://lists.debian.org/debian-lts/2021/10/msg00040.html",
      "https://www.debian.org/security/2021/dsa-5018",
      "https://www.tenable.com/security/research/tra-2021-14"
    ],
    "description": "Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.",
    :
"artifact": {
  "id": "c5753955ec6c50e3",
  "name": "Babel",
  "version": "2.8.0",
  "type": "python",
  "locations": [
    {
      "path": "/usr/lib/python3.6/site-packages/Babel-2.8.0-py3.6.egg-info/PKG-INFO",
      "layerID": "sha256:4bfdb8762be5511b925a34075857d0a0ba0849de7f77ab71b52e15e482cc2b86"
    },
```
What you expected to happen:
According to the SUSE advisory for CVE-2021-42771, the patch for this CVE is applied from version python3-Babel >= 2.8.0-3.3.1:
https://www.suse.com/security/cve/CVE-2021-42771.html
SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP5
python3-Babel >= 2.8.0-3.3.1
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python-Babel-2.8.0-3.3.1
SUSE Linux Enterprise Module for Basesystem 15 SP5 GA python3-Babel-2.8.0-3.3.1
Installed version in the container: python3-Babel-2.8.0-3.3.1.noarch

```
$ rpm -qf /usr/lib/python3.6/site-packages/Babel-2.8.0-py3.6.egg-info/PKG-INFO
python3-Babel-2.8.0-3.3.1.noarch
```

Conclusion: the installed version meets the minimum patched version for SLES 15.5, but Grype still generates a vulnerability.
How to reproduce it (as minimally and precisely as possible):
1) Create a Dockerfile with this content:

```dockerfile
FROM registry.suse.com/suse/sle15:15.5
RUN zypper in -y --no-recommends python3-babel=2.8.0-3.3.1
ENTRYPOINT [""]
CMD ["bash"]
```

2) Build the image and scan it:

```
docker build -t "suse15.5_python3-babel:v1" .
$ grype --distro sles:15.5 suse15.5_python3-babel:v1
NAME   INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
Babel  2.8.0      2.9.1     python  GHSA-h4m5-qpfp-3mpv  High
```
Environment:
```
$ grype --version
grype 0.76.0
```

In the container image ecosystem:

```
bash-4.4$ cat /etc/release
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
```
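The check a practitioner can run while this de-duplication is open, as an added example that is not grype code and not the reporter's or maintainers' code: it takes the `artifact.locations` of a language-ecosystem match from grype's JSON output, asks which RPM owns that file (the `rpm -qf` step from this issue), and compares the owning package's version-release against the vendor advisory's fixed version with an rpm-style EVR comparison. The grype match, the ownership map and the advisory table are constructed inline from the values quoted above; `triage`, `evrcmp` and the other helper names are this example's own, and the emitted rule uses the `vulnerability` / `package: {name, version, type}` fields of grype's `.grype.yaml` `ignore:` section. The `~`/`^` special cases of rpmvercmp are omitted.

```python
"""Triage a Grype GHSA match on a Python package whose files are owned by a distro RPM.

Added example (not grype code, not the reporter's or maintainers' code).
All inputs are constructed from values quoted in this issue: the grype JSON
match, the `rpm -qf` ownership map and the SUSE advisory's fixed version.
"""
import re

# Constructed: the fields of the grype `-o json` match that matter for triage.
PKG_INFO = "/usr/lib/python3.6/site-packages/Babel-2.8.0-py3.6.egg-info/PKG-INFO"
GRYPE_MATCH = {
    "vulnerability": {"id": "GHSA-h4m5-qpfp-3mpv", "namespace": "github:language:python"},
    "relatedVulnerabilities": [{"id": "CVE-2021-42771", "namespace": "nvd:cpe"}],
    "artifact": {"name": "Babel", "version": "2.8.0", "type": "python",
                 "locations": [{"path": PKG_INFO}]},
}
# Constructed: path -> owning RPM, as `rpm -qf <path>` reports it in the container.
RPM_OWNERS = {PKG_INFO: "python3-Babel-2.8.0-3.3.1.noarch"}
# Constructed: CVE -> distro -> package -> fixed version-release, from the SUSE advisory.
ADVISORIES = {"CVE-2021-42771": {"sles:15.5": {"python3-Babel": "2.8.0-3.3.1"}}}


def _segments(s):
    # rpmvercmp compares runs of digits numerically and runs of letters lexically;
    # separators are ignored. (Simplified: '~' and '^' handling is omitted.)
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp()."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alpha one
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(evr):
    """Split 'epoch:version-release' (epoch and release optional)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release


def evrcmp(a, b):
    """Compare two epoch:version-release strings the way rpm does."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def split_nvra(nvra):
    """'python3-Babel-2.8.0-3.3.1.noarch' -> ('python3-Babel', '2.8.0', '3.3.1')."""
    nvr, _, _arch = nvra.rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def triage(match, owners, advisories, distro):
    """Decide whether a language-ecosystem match is covered by a distro backport.

    Returns (verdict, reason, ignore_rule); ignore_rule is a dict in the shape of
    an entry under `ignore:` in .grype.yaml, or None when the finding should stay.
    """
    art = match["artifact"]
    owner = next((owners[loc["path"]] for loc in art["locations"] if loc["path"] in owners), None)
    if owner is None:
        return "keep", "no distro package owns the artifact's files", None
    name, version, release = split_nvra(owner)
    installed = f"{version}-{release}"
    ids = [match["vulnerability"]["id"]] + [r["id"] for r in match.get("relatedVulnerabilities", [])]
    for vuln_id in ids:
        fixed = advisories.get(vuln_id, {}).get(distro, {}).get(name)
        if fixed is not None and evrcmp(installed, fixed) >= 0:
            rule = {"vulnerability": match["vulnerability"]["id"],
                    "package": {"name": art["name"], "version": art["version"], "type": art["type"]}}
            return "ignore", f"{owner} >= {name}-{fixed} fixed in {distro} for {vuln_id}", rule
    return "keep", f"{owner} has no fix recorded for {distro}", None


def ignore_yaml(rules):
    """Render ignore rules as the `ignore:` section of a .grype.yaml file."""
    out = ["ignore:"]
    for r in rules:
        out.append(f"  - vulnerability: {r['vulnerability']}")
        out.append("    package:")
        out.extend(f"      {k}: {v}" for k, v in r["package"].items())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    verdict, reason, rule = triage(GRYPE_MATCH, RPM_OWNERS, ADVISORIES, "sles:15.5")
    print(verdict, "-", reason)
    if rule:
        print(ignore_yaml([rule]))
```

The verdict rests entirely on the vendor advisory: the Python package inside the RPM still reports itself as upstream 2.8.0, so the only evidence that CVE-2021-42771 is fixed is the backport recorded for 2.8.0-3.3.1. Only emit the ignore rule when `rpm -qf` proves the file belongs to a distro package; a copy of Babel installed with pip into a virtualenv has no such owner and the script leaves that finding in place.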