CVE-2023-33170 (.Net vulnerability) indicated for .Net 6.0.20, but referenced data source indicates this version is fixed

[HughSayer]

IDs

CVE-2023-33170

Description

Hi,
I recieved this error for .Net 6.0.19, but on updating to the fixed version 6.0.20, the test indicates only "fixed" version is for .Net 7.0.9

output:
{
"Target": "db613f3a9265 (alpine 3.18.2)",
"Class": "os-pkgs",
"Type": "alpine"
},
{
"Target": "usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.20/Microsoft.AspNetCore.App.deps.json",
"Class": "lang-pkgs",
"Type": "dotnet-core",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2023-33170",
"PkgName": "Microsoft.AspNetCore.App.Runtime.linux-musl-x64",
"InstalledVersion": "6.0.20",
"FixedVersion": "7.0.9",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-33170",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Nuget",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget"
},
"Title": "race condition in Core SignInManager\u003cTUser\u003e PasswordSignInAsync method",
"Description": "ASP.NET and Visual Studio Security Feature Bypass Vulnerability",
"Severity": "HIGH",
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2023-33170",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33170",
"https://devblogs.microsoft.com/dotnet/july-2023-updates/",
"https://github.com/advisories/GHSA-25c8-p796-jg6r",
"https://github.com/dotnet/announcements/issues/264",
"https://github.com/dotnet/aspnetcore/issues/49334",
"https://github.com/dotnet/aspnetcore/security/advisories/GHSA-25c8-p796-jg6r",
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33170",
"https://nvd.nist.gov/vuln/detail/CVE-2023-33170",
"https://ubuntu.com/security/notices/USN-6217-1",
"https://www.cve.org/CVERecord?id=CVE-2023-33170"
],
"PublishedDate": "2023-07-11T18:15:00Z",
"LastModifiedDate": "2023-07-11T18:15:00Z"
}
]
}

Reproduction Steps

1.Use base image mcr.microsoft.com/dotnet/aspnet:6.0-alpine3.18
2.Build application (.Net 6 application)
3.Run scan within Docker file
4.See error

Target

Container Image

Scanner

Vulnerability

Target OS

Alpine 3.18

Debug Output

2023-07-13T11:42:55.3197804Z  ---> Running in db613f3a9265
2023-07-13T11:42:55.3198816Z 2023-07-13T11:42:50.852Z	INFO	Need to update DB
2023-07-13T11:42:55.3199332Z 2023-07-13T11:42:50.852Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-07-13T11:42:55.3199846Z 2023-07-13T11:42:50.852Z	INFO	Downloading DB...
2023-07-13T11:42:55.3200325Z 2023-07-13T11:42:53.083Z	INFO	Vulnerability scanning is enabled
2023-07-13T11:42:55.3200815Z 2023-07-13T11:42:53.083Z	INFO	Secret scanning is enabled
2023-07-13T11:42:55.3201409Z 2023-07-13T11:42:53.083Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-13T11:42:55.3202184Z 2023-07-13T11:42:53.083Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-07-13T11:42:55.3202594Z 
2023-07-13T11:42:55.3285697Z 2023-07-13T11:42:53.684Z	INFO	Detected OS: alpine
2023-07-13T11:42:55.3286468Z 2023-07-13T11:42:53.684Z	INFO	Detecting Alpine vulnerabilities...
2023-07-13T11:42:55.3288204Z 2023-07-13T11:42:53.686Z	INFO	Number of language-specific files: 6
2023-07-13T11:42:55.3288667Z 2023-07-13T11:42:53.686Z	INFO	Detecting dotnet-core vulnerabilities...
2023-07-13T11:42:55.3288975Z {
2023-07-13T11:42:55.3289210Z   "SchemaVersion": 2,
2023-07-13T11:42:55.3289497Z   "ArtifactName": "db613f3a9265",
2023-07-13T11:42:55.3289783Z   "ArtifactType": "filesystem",
2023-07-13T11:42:55.3290054Z   "Metadata": {
2023-07-13T11:42:55.3290282Z     "OS": {
2023-07-13T11:42:55.3290533Z       "Family": "alpine",
2023-07-13T11:42:55.3290775Z       "Name": "3.18.2"
2023-07-13T11:42:55.3291001Z     },
2023-07-13T11:42:55.3291233Z     "ImageConfig": {
2023-07-13T11:42:55.3291473Z       "architecture": "",
2023-07-13T11:42:55.3291772Z       "created": "0001-01-01T00:00:00Z",
2023-07-13T11:42:55.3292054Z       "os": "",
2023-07-13T11:42:55.3292282Z       "rootfs": {
2023-07-13T11:42:55.3292500Z         "type": "",
2023-07-13T11:42:55.3292742Z         "diff_ids": null
2023-07-13T11:42:55.3292979Z       },
2023-07-13T11:42:55.3293204Z       "config": {}
2023-07-13T11:42:55.3293406Z     }
2023-07-13T11:42:55.3293611Z   },
2023-07-13T11:42:55.3293831Z   "Results": [
2023-07-13T11:42:55.3294032Z     {
2023-07-13T11:42:55.3294305Z       "Target": "db613f3a9265 (alpine 3.18.2)",
2023-07-13T11:42:55.3294603Z       "Class": "os-pkgs",
2023-07-13T11:42:55.3294856Z       "Type": "alpine"
2023-07-13T11:42:55.3295068Z     },
2023-07-13T11:42:55.3295270Z     {
2023-07-13T11:42:55.3295662Z       "Target": "usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.20/Microsoft.AspNetCore.App.deps.json",
2023-07-13T11:42:55.3296055Z       "Class": "lang-pkgs",
2023-07-13T11:42:55.3296325Z       "Type": "dotnet-core",
2023-07-13T11:42:55.3296592Z       "Vulnerabilities": [
2023-07-13T11:42:55.3296825Z         {
2023-07-13T11:42:55.3297083Z           "VulnerabilityID": "CVE-2023-33170",
2023-07-13T11:42:55.3297459Z           "PkgName": "Microsoft.AspNetCore.App.Runtime.linux-musl-x64",
2023-07-13T11:42:55.3297825Z           "InstalledVersion": "6.0.20",
2023-07-13T11:42:55.3298119Z           "FixedVersion": "7.0.9",
2023-07-13T11:42:55.3298365Z           "Layer": {},
2023-07-13T11:42:55.3298627Z           "SeveritySource": "ghsa",
2023-07-13T11:42:55.3298979Z           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-33170",
2023-07-13T11:42:55.3299306Z           "DataSource": {
2023-07-13T11:42:55.3299538Z             "ID": "ghsa",
2023-07-13T11:42:55.3300481Z             "Name": "GitHub Security Advisory Nuget",
2023-07-13T11:42:55.3300900Z             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget"
2023-07-13T11:42:55.3301229Z           },
2023-07-13T11:42:55.3301609Z           "Title": "race condition in Core SignInManager\u003cTUser\u003e PasswordSignInAsync method",
2023-07-13T11:42:55.3302107Z           "Description": "ASP.NET and Visual Studio Security Feature Bypass Vulnerability",
2023-07-13T11:42:55.3302475Z           "Severity": "HIGH",
2023-07-13T11:42:55.3302716Z           "CVSS": {
2023-07-13T11:42:55.3302948Z             "ghsa": {
2023-07-13T11:42:55.3303288Z               "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
2023-07-13T11:42:55.3303630Z               "V3Score": 8.1
2023-07-13T11:42:55.3303849Z             },
2023-07-13T11:42:55.3304072Z             "nvd": {
2023-07-13T11:42:55.3304403Z               "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
2023-07-13T11:42:55.3304743Z               "V3Score": 8.1
2023-07-13T11:42:55.3304963Z             },
2023-07-13T11:42:55.3305188Z             "redhat": {
2023-07-13T11:42:55.3305520Z               "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
2023-07-13T11:42:55.3305840Z               "V3Score": 8.1
2023-07-13T11:42:55.3306071Z             }
2023-07-13T11:42:55.3306285Z           },
2023-07-13T11:42:55.3306515Z           "References": [
2023-07-13T11:42:55.3306830Z             "https://access.redhat.com/security/cve/CVE-2023-33170",
2023-07-13T11:42:55.3307374Z             "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33170",
2023-07-13T11:42:55.3307797Z             "https://devblogs.microsoft.com/dotnet/july-2023-updates/",
2023-07-13T11:42:55.3308197Z             "https://github.com/advisories/GHSA-25c8-p796-jg6r",
2023-07-13T11:42:55.3308685Z             "https://github.com/dotnet/announcements/issues/264",
2023-07-13T11:42:55.3309069Z             "https://github.com/dotnet/aspnetcore/issues/49334",
2023-07-13T11:42:55.3309507Z             "https://github.com/dotnet/aspnetcore/security/advisories/GHSA-25c8-p796-jg6r",
2023-07-13T11:42:55.3309978Z             "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33170",
2023-07-13T11:42:55.3310419Z             "https://nvd.nist.gov/vuln/detail/CVE-2023-33170",
2023-07-13T11:42:55.3310799Z             "https://ubuntu.com/security/notices/USN-6217-1",
2023-07-13T11:42:55.3311177Z             "https://www.cve.org/CVERecord?id=CVE-2023-33170"
2023-07-13T11:42:55.3311473Z           ],
2023-07-13T11:42:55.3311755Z           "PublishedDate": "2023-07-11T18:15:00Z",
2023-07-13T11:42:55.3312128Z           "LastModifiedDate": "2023-07-11T18:15:00Z"
2023-07-13T11:42:55.3312415Z         }
2023-07-13T11:42:55.3312621Z       ]
2023-07-13T11:42:55.3312810Z     }
2023-07-13T11:42:55.3313012Z   ]
2023-07-13T11:42:55.3313208Z }

Version

latest: Pulling from aquasec/trivy

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @HughSayer
Thanks for your report!

GitHub advisory database doesn't contain 6.0.20 fixed version for Microsoft.AspNetCore.App.Runtime.linux-musl-x64.
I created github/advisory-database#2496 to fix this.

Regards, Dmitry

[HughSayer]

Hi @DmitriyLewen,
Thanks for the fix, I'll wait until it has been approved on their side to try it out.

Regards,
Hugh

[DmitriyLewen]

Advisory has been updated.
After update vuln-list and Trivy-db, Trivy will not find this CVE.