CVE-2024-38095 - nuget (powershell)

[joewragg]

IDs

CVE-2024-38095

Description

(nuget)

Total: 1 (HIGH: 1, CRITICAL: 0)
┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ System.Formats.Asn1 │ CVE-2024-38095 │ HIGH │ fixed │ 6.0.0 │ 6.0.1, 8.0.1 │ dotnet: DoS when parsing X.509 Content and ObjectIdentifiers │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-38095 │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

I think this is detecting nuget powershell but I am using powershell 7.4.5

According to this: PowerShell/Announcements#64 it was fixed in powershell 7.4.4

Reproduction Steps

Trivy scan my docker image with powershell 7.4.5 installed:

Snippet from my dockerfile:

FROM ubuntu:24.04
# Install powershell
ARG PS_VERSION=7.4.5
RUN if [ "$(dpkg --print-architecture)" = "arm64" ]; then \
    curl -L -o /tmp/powershell.tar.gz https://github.com/PowerShell/PowerShell/releases/download/v${PS_VERSION}/powershell-${PS_VERSION}-linux-$(dpkg --print-architecture).tar.gz; \
    else \
    curl -L -o /tmp/powershell.tar.gz https://github.com/PowerShell/PowerShell/releases/download/v${PS_VERSION}/powershell-${PS_VERSION}-linux-x64.tar.gz; \
    fi
RUN mkdir -p /opt/microsoft/powershell/7
RUN tar zxf /tmp/powershell.tar.gz -C /opt/microsoft/powershell/7
RUN chmod +x /opt/microsoft/powershell/7/pwsh
RUN ln -s /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh

### Target

Container Image

### Scanner

Vulnerability

### Target OS

ubuntu:24.04

### Debug Output

```bash
Running trivy scan
2024-09-13T11:53:32Z	DEBUG	No plugins loaded
2024-09-13T11:53:32Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-13T11:53:32Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-09-13T11:53:32Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-09-13T11:53:32Z	DEBUG	Parsed severities	severities=[CRITICAL HIGH]
2024-09-13T11:53:32Z	DEBUG	Ignore statuses	statuses=[0 1 2 4 5 6 7]
2024-09-13T11:53:32Z	DEBUG	There is no valid metadata file	err="unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory"
2024-09-13T11:53:32Z	INFO	[db] Need to update DB
2024-09-13T11:53:32Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-13T11:53:32Z	DEBUG	No metadata file
53.13 MiB / 53.13 MiB [----------------------------------------------------------->] 100.00% ? p/s ?53.13 MiB / 53.13 MiB [----------------------------------------------------------->] 100.00% ? p/s ?53.13 MiB / 53.13 MiB [----------------------------------------------------------->] 100.00% ? p/s ?53.13 MiB / 53.13 MiB [----------------------------------------------------------->] 100.00% ? p/s ?53.13 MiB / 53.13 MiB [----------------------------------------------------------->] 100.00% ? p/s ?53.13 MiB / 53.13 MiB [----------------------------------------------------------->] 100.00% ? p/s ?53.13 MiB / 53.13 MiB [----------------------------------------------------------->] 100.00% ? p/s ?53.13 MiB / 53.13 MiB [----------------------------------------------------------->] 100.00% ? p/s ?53.13 MiB / 53.13 MiB [-------------------------------------------------] 100.00% 36.38 MiB p/s 1.7s2024-09-13T11:53:34Z	DEBUG	Updating database metadata...
2024-09-13T11:53:34Z	DEBUG	DB info	schema=2 updated_at=2024-09-13T06:12:38.129777981Z next_update=2024-09-13T12:12:38.1297777Z downloaded_at=2024-09-13T11:53:34.770597988Z
2024-09-13T11:53:34Z	DEBUG	[pkg] Package types	types=[os library]
2024-09-13T11:53:34Z	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-09-13T11:53:34Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-13T11:53:34Z	INFO	[secret] Secret scanning is enabled
2024-09-13T11:53:34Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-13T11:53:34Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-13T11:53:34Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-13T11:53:34Z	DEBUG	Initializing scan cache...	type="fs"
2024-09-13T11:53:34Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-09-13T11:53:34Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-09-13T11:53:34Z	DEBUG	[image] Detected image ID	image_id="sha256:1b54a78283e6666d095f1f799bf04c6bff43fa885423e1eac09d9f69f9c87bc3"
2024-09-13T11:53:34Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:f36fd4bb7334b7ae3321e3229d103c4a3e7c10a263379cc6a058b977edfb46de sha256:922413ba3af0b22c18b9f17d2da5ec0480be5ba6f2809846f2b175cc0ae2bac4 sha256:1d96e5e9e46ca3977d9248e4376680df9783f32c83d56392b999abd8230342c8 sha256:b0be09ed58d362d5b217dcec1b95f946047ced1e82c79ca83f6db967760697ca sha256:d166cf07787d3992e9553a4cf6a987bacaf4acb83e2168e91e28f54cb872d083 sha256:7e864a97564235ca1a0e5220723c7ed7de785bb3ba1baf6d3fb9710b7068c5e0 sha256:0e3094e77af3fdf79322152dc2b21a706ea732cd416b0ce4636543174e3e057f sha256:738ce0955000252856d87fdbe77a3b760fa7981cb71968db4206da90421fdb0f sha256:a9fc134541070163e4847d46325822561a5bb005b52cae1cf500082902c30aad sha256:a3ad9cbfbc48ac82acc51bab0770c9541278cf8489ef2fb4004175a628c7e534 sha256:190967cd38a17d231d072a7f3ed8c938ad9a52ec44b9c953d8fb83017442fed7 sha256:e393e5e8f04b46a09cff1a4a20f6ba19bf5e7f64dc522286116cf615b1df28b5 sha256:eb9eff4420fb92e054b231d5d30a2fef3104f086098ebaba5945df35c3a1cd27 sha256:6e81008c39e7223f52e...
2024-09-13T11:53:34Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:f36fd4bb7334b7ae3321e3229d103c4a3e7c10a263379cc6a058b977edfb46de]
2024-09-13T11:53:34Z	DEBUG	[image] Missing image ID in cache	image_id="sha256:1b54a78283e6666d095f1f799bf04c6bff43fa885423e1eac09d9f69f9c87bc3"
2024-09-13T11:53:34Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:f36fd4bb7334b7ae3321e3229d103c4a3e7c10a263379cc6a058b977edfb46de"
2024-09-13T11:53:34Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:d166cf07787d3992e9553a4cf6a987bacaf4acb83e2168e91e28f54cb872d083"
2024-09-13T11:53:34Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:922413ba3af0b22c18b9f17d2da5ec0480be5ba6f2809846f2b175cc0ae2bac4"
2024-09-13T11:53:34Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:1d96e5e9e46ca3977d9248e4376680df9783f32c83d56392b999abd8230342c8"
2024-09-13T11:53:34Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:b0be09ed58d362d5b217dcec1b95f946047ced1e82c79ca83f6db967760697ca"
2024-09-13T11:54:18Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:7e864a97564235ca1a0e5220723c7ed7de785bb3ba1baf6d3fb9710b7068c5e0"
2024-09-13T11:54:18Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:0e3094e77af3fdf79322152dc2b21a706ea732cd416b0ce4636543174e3e057f"
2024-09-13T11:54:18Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:738ce0955000252856d87fdbe77a3b760fa7981cb71968db4206da90421fdb0f"
2024-09-13T11:54:18Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:a9fc134541070163e4847d46325822561a5bb005b52cae1cf500082902c30aad"
2024-09-13T11:54:18Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:a3ad9cbfbc48ac82acc51bab0770c9541278cf8489ef2fb4004175a628c7e534"
2024-09-13T11:54:19Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:190967cd38a17d231d072a7f3ed8c938ad9a52ec44b9c953d8fb83017442fed7"
2024-09-13T11:54:19Z	DEBUG	[sbom] Skipping a component with an unsupported type	file_path="opt/microsoft/powershell/7/Modules/PSReadLine/_manifest/spdx_2.2/manifest.spdx.json" name="PSReadLine" version="475828" type="swid"
2024-09-13T11:54:24Z	DEBUG	[dpkg] Unable to parse the available file	file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-09-13T11:54:24Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:e393e5e8f04b46a09cff1a4a20f6ba19bf5e7f64dc522286116cf615b1df28b5"
2024-09-13T11:54:24Z	DEBUG	[dpkg] Unable to parse the available file	file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-09-13T11:54:24Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:eb9eff4420fb92e054b231d5d30a2fef3104f086098ebaba5945df35c3a1cd27"

Version

Version: 0.55.1

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @joewragg
Thanks for your report!

I built your image and found that it contains manifest.spdx.json file with [email protected]:

root@56ed28c2105b:/# cat opt/microsoft/powershell/7/Modules/PSReadLine/_manifest/spdx_2.2/manifest.spdx.json | grep '"name": "System.Formats.Asn1"' -A 7
      "name": "System.Formats.Asn1",
      "SPDXID": "SPDXRef-Package-D60BE9A079A339572CC368D77C4FE3CD4860E5B2846B9831B99485A3ABD77F4B",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "versionInfo": "6.0.0",

Regards, Dmitriy

[joewragg]

Maybe this was not fixed on version 7.4.5 I've replied on: PowerShell/Announcements#64

[av-commits]

I tried to understand to source of the problem:
I used the alpine image with ps version 7.5.0-preview.5 https://raw.githubusercontent.com/PowerShell/PowerShell-Docker/refs/heads/master/release/7-5/alpine320/docker/Dockerfile
The verification of the available dll showed that only newer versions where there:

/ # exiftool -AssemblyVersion -ProductVersion /opt/microsoft/powershell/7-preview/System.Formats.Asn1.dll
Assembly Version : 9.0.0.0
Product Version : 9.0.0-rc.1.24431.7+c4d7f7c6f2e2f34f07e64c6caa3bf9b2ce915cc1

/ # exiftool -AssemblyVersion -ProductVersion /opt/microsoft/powershell/7-preview/ref/System.Formats.Asn1.dll
Assembly Version : 9.0.0.0
Product Version : 9.0.0-rc.1.24431.7+c4d7f7c6f2e2f34f07e64c6caa3bf9b2ce915cc1

But /opt/microsoft/powershell/7-preview/Modules/PSReadLine/_manifest/spdx_2.2/manifest.spdx.json still reference to version 6.0.0
I don't realy know the ps/.net dependency managment but if think that is somehow a minimum version and should not be used for identify installed version.

It seams that PSReadLine modul is installed during build. An other solution is to update the dependency in https://github.com/PowerShell/PSReadLine, but until now I was not able to find out how.

[DmitriyLewen]

but if think that is somehow a minimum version and should not be used for identify installed version.

This is a special case and we can't make any rule.

For such situations, Trivy has tools for filtering or skipping vulnerabilities/files.

Also Trivy supports modules.