Incorrect mapping of Applicable versions for CVE-2023-28858 & CVE-2023-28859

[sreecharanguduri]

Description

Hi Team ,

we have reported anomaly with CVEs in discussion title to be applicable for higher versions i.e with 4.x & not impacted with versions running with 2.x which is updated under https://avd.aquasec.com/nvd/2023/cve-2023-28859/ , https://avd.aquasec.com/nvd/2023/cve-2023-28858 respectively on May17th 2023 both in NVD and also AVD. Can we know when would these changes reflect in Trivy DB so that we no more see these as findings from trivy report for older versions of redis Metadata async library running with 2.10.6 , 2.25.1 (2.x) .Thanks in advance
Best
Sreecharan Guduri

Desired Behavior

Applicability is limited to higher versions 4.x and above .

Actual Behavior

Applicability is made generic even for lower versions ( in our case its 2.25.1 , 2.10.6) reported as findings.

Reproduction Steps

Execute a trivy scan and report shown as below for redis Async Medata library CVEs 

Python (python-pkg)
 
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 
┌─────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├─────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ redis (METADATA)    │ CVE-2023-28859 │ MEDIUM   │ 2.10.6            │ 4.4.4, 4.5.4  │ redis: Async command information disclosure               │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28859                │
│                     ├────────────────┼──────────┤                   ├───────────────┼───────────────────────────────────────────────────────────┤
│                     │ CVE-2023-28858 │ LOW      │                   │ 4.5.3         │ redis: Async command information disclosure               │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28858                │
├─────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ requests (METADATA) │ CVE-2023-32681 │ MEDIUM   │ 2.25.1            │ 2.31.0        │ Unintended leak of Proxy-Authorization header in requests │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-32681                │
└─────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

Python (python-pkg)
 
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
 
┌─────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├─────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ redis (METADATA)    │ CVE-2023-28859 │ MEDIUM   │ 2.10.6            │ 4.4.4, 4.5.4  │ redis: Async command information disclosure               │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28859                │
│                     ├────────────────┼──────────┤                   ├───────────────┼───────────────────────────────────────────────────────────┤
│                     │ CVE-2023-28858 │ LOW      │                   │ 4.5.3         │ redis: Async command information disclosure               │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28858                │
├─────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ requests (METADATA) │ CVE-2023-32681 │ MEDIUM   │ 2.25.1            │ 2.31.0        │ Unintended leak of Proxy-Authorization header in requests │
│                     │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-32681                │
└─────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Operating System

ubuntu

Version

Trivy version - 0.36

Checklist

• Run trivy --reset
• Read the troubleshooting

[knqyf263]

Please open a discussion as false detection. We'd ask for some checks beforehand.