Grype doesn't detect CVE-2021-43798 #534
Comments
Hey @awoodsprim, I was able to recreate this locally with the information you provided. I validated that Thanks for the report!

So digging into this a bit more, I think I'm starting to understand the mismatch. Here are the current CPEs that match for the vulnerability in the vulnerability database. You can fetch the DB from here:
```json
[
  "cpe:2.3:a:grafana:grafana:8.0.0:beta1:*:*:*:*:*:*",
  "cpe:2.3:a:grafana:grafana:8.0.0:beta2:*:*:*:*:*:*",
  "cpe:2.3:a:grafana:grafana:8.0.0:beta3:*:*:*:*:*:*",
  "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:grafana:grafana:8.3.0:*:*:*:*:*:*:*"
]
```

If you examine the SBOM generated when scanning
I'm trying to see if there is a misalignment between the CPE to match being under

I think we just need a "binary" Grafana detector for this. Thanks for the report.
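To make the maintainer's CPE reasoning concrete, here is an added Go example (not Grype's or Syft's code) that applies simplified CPE 2.3 attribute matching, in the style of NIST IR 7696, between the five vulnerability CPEs quoted above and whatever CPEs the SBOM recorded for the Grafana package. The package CPEs and the "not cataloged" case are constructed inputs, and the matching rules are a deliberate simplification: the version-less `cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*` entry matches every Grafana version, so if the SBOM carries no CPE for the Grafana binary at all there is nothing to match, which is consistent with the "binary detector" suggestion.

```go
package main

import (
	"fmt"
	"strings"
)

// VulnCPEs is the CPE list quoted in the thread for CVE-2021-43798.
var VulnCPEs = []string{
	"cpe:2.3:a:grafana:grafana:8.0.0:beta1:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana:8.0.0:beta2:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana:8.0.0:beta3:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana:8.3.0:*:*:*:*:*:*:*",
}

// ParseCPE splits a CPE 2.3 formatted string (NIST IR 7695) into its 11
// attribute fields: part, vendor, product, version, update, edition, language,
// sw_edition, target_sw, target_hw, other. Escaped colons ("\:") inside
// attribute values are not handled; none of the CPEs in this thread use them.
func ParseCPE(s string) ([]string, error) {
	fields := strings.Split(s, ":")
	if len(fields) != 13 || fields[0] != "cpe" || fields[1] != "2.3" {
		return nil, fmt.Errorf("not a CPE 2.3 formatted string: %q", s)
	}
	return fields[2:], nil
}

// attrMatches compares one attribute pair. This is a simplification of the
// NIST IR 7696 relation table: the logical value ANY ("*") on either side
// matches anything, NA ("-") matches only NA, and every other value is
// compared case-insensitively. No version-range semantics are applied.
func attrMatches(vuln, pkg string) bool {
	if vuln == "*" || pkg == "*" {
		return true
	}
	return strings.EqualFold(vuln, pkg)
}

// Matches reports whether vulnCPE applies to pkgCPE: all 11 attributes must match.
func Matches(vulnCPE, pkgCPE string) (bool, error) {
	v, err := ParseCPE(vulnCPE)
	if err != nil {
		return false, err
	}
	p, err := ParseCPE(pkgCPE)
	if err != nil {
		return false, err
	}
	for i := range v {
		if !attrMatches(v[i], p[i]) {
			return false, nil
		}
	}
	return true, nil
}

// MatchingCPEs returns the vulnerability CPEs that match at least one CPE the
// SBOM recorded for a package. An empty pkgCPEs (the package never made it into
// the SBOM, or was cataloged without CPEs) can never match anything.
func MatchingCPEs(vulnCPEs, pkgCPEs []string) ([]string, error) {
	var hits []string
	for _, vc := range vulnCPEs {
		for _, pc := range pkgCPEs {
			ok, err := Matches(vc, pc)
			if err != nil {
				return nil, err
			}
			if ok {
				hits = append(hits, vc)
				break
			}
		}
	}
	return hits, nil
}

func main() {
	// Constructed package CPEs (hypothetical SBOM contents), not real scan output.
	cases := []struct {
		name    string
		pkgCPEs []string
	}{
		{"grafana 8.2.2 with a CPE in the SBOM", []string{"cpe:2.3:a:grafana:grafana:8.2.2:*:*:*:*:*:*:*"}},
		{"grafana 8.0.0-beta1 with a CPE in the SBOM", []string{"cpe:2.3:a:grafana:grafana:8.0.0:beta1:*:*:*:*:*:*"}},
		{"grafana binary not cataloged (no CPEs)", nil},
	}
	for _, c := range cases {
		hits, err := MatchingCPEs(VulnCPEs, c.pkgCPEs)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-45s -> %d matching CPE(s): %v\n", c.name, len(hits), hits)
	}
}
```

Note that real NVD configurations pair the wildcard-version CPE with versionStartIncluding/versionEndExcluding bounds that the bare CPE string does not carry, so this example only shows the attribute-level comparison, not the range check a scanner applies on top of it.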
What happened:
Attempted to scan both the Grafana 8.2.2 Enterprise and Grafana 8.2.2 OSS releases and neither flagged this CVE. Verified that the CVE was present by using the blog post about it.
What you expected to happen:
Grype was able to detect and report on this CVE from the docker image.
How to reproduce it (as minimally and precisely as possible):

```shell
mkdir ${PWD}/work
docker pull grafana/grafana-enterprise:8.2.2
docker save -o ${PWD}/work/grafana.tar grafana/grafana-enterprise:8.2.2
docker run --rm -v ${PWD}/work:/work anchore/grype /work/grafana.tar
```
Anything else we need to know?:
https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/
https://j0vsec.com/post/cve-2021-43798/
Environment:

Output of `grype version`:

```
Application:        grype
Version:            0.27.0
Syft Version:       v0.32.0
BuildDate:          2021-12-08T22:17:50Z
GitCommit:          e621867
GitTreeState:       clean
Platform:           linux/amd64
GoVersion:          go1.16.10
Compiler:           gc
Supported DB Schema: 3
```

OS: Windows 10, WSL 2 environment running Ubuntu. Output of `lsb_release -a`:

```
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
Codename:       focal
```