Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-scan seems to not be able to handle “Running on/with” constraint #2258

Open
FairFight24 opened this issue Jul 13, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@FairFight24
Copy link

Expected behavior

CVE-2015-8960 is showing up when CVE-scanning, for a lot of scans.
I would expect CVE-2015-8960 not to show up, when the only CPE matching CPE is cpe:/a:ietf:transport_layer_security:1.2.

Actual behavior

The CVE shows up, even though there is not any other matching CPEs.
It seems like the CPE scanner does not honor “Running on/with” constraints.
https://nvd.nist.gov/vuln/detail/CVE-2015-8960
image

Steps to reproduce

  1. Start a scan of a target that uses TLS 1.2
  2. After the scan is finished, start a CVE-scan
  3. The results should now show CVE-2015-8960 as being present, even though it is not running with any of the other mentioned CPEs.

GVM versions

gsa:
22.09.0

gvm:
23.2.0

openvas-scanner:
23.0.1

gvm-libs:
22.8.0

Environment

Operating system:
Linux localhost 6.1.0-22-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.94-1 (2024-06-21) x86_64 GNU/Linux

Installation method / source:
source installation

@FairFight24 FairFight24 added the bug Something isn't working label Jul 13, 2024
@bigahuna
Copy link

Same here, there are lots of false alarms for the 9 year old CVE-2015-8960 on up to date Rocky9 and Debian 12 machines.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants