CVE-2023-33170 false positive in net 6.0.20 app

[Ismael-Pep]

IDs

CVE-2023-33170

Description

CVE-2023-33170 is resolved in the net6.0.20, the installed version is 6.0.20 but a vulnerability (CVE-2023-33170) is reported.
GHSA-25c8-p796-jg6r reports that the 6.0.20 is patch
Other web pages where it says the vulnerability is path:
https://devblogs.microsoft.com/dotnet/july-2023-updates/
https://cve.report/CVE-2023-33170

Reproduction Steps

1. Run trivy image mcr.microsoft.com/dotnet/aspnet:6.0.20-alpine3.18

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

2023-07-14T14:58:35.010+0200    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-07-14T14:58:35.016+0200    DEBUG   cache dir:  /home/pc/.cache/trivy
2023-07-14T14:58:35.017+0200    DEBUG   DB update was skipped because the local DB is the latest
2023-07-14T14:58:35.017+0200    DEBUG   DB Schema: 2, UpdatedAt: 2023-07-14 12:12:11.791100143 +0000 UTC, NextUpdate: 2023-07-14 18:12:11.791100043 +0000 UTC, DownloadedAt: 2023-07-14 12:45:52.52459619 +0000 UTC
2023-07-14T14:58:35.017+0200    INFO    Vulnerability scanning is enabled
2023-07-14T14:58:35.017+0200    DEBUG   Vulnerability type:  [os library]
2023-07-14T14:58:35.017+0200    INFO    Secret scanning is enabled
2023-07-14T14:58:35.018+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-14T14:58:35.018+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-07-14T14:58:42.199+0200    DEBUG   No secret config detected: trivy-secret.yaml
2023-07-14T14:58:42.200+0200    DEBUG   No secret config detected: trivy-secret.yaml
2023-07-14T14:58:47.417+0200    DEBUG   Image ID: sha256:69b6d5ef83615dd1258fd36de195d3620109b87a4ee042ea537cb1fb31ab913e
2023-07-14T14:58:47.417+0200    DEBUG   Diff IDs: [sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c sha256:0a651fe4484af2137e014e160a62367b7cee393b857fb6acbade67e39119759a sha256:e9fadbe45a578c6d5cb884c4e264ad65e5c24c87618099953acb19d9ca1d640e sha256:1f7351e8c324930fd45840de7f958e1c597c1d138aba11231afc5bcbfe28763c]
2023-07-14T14:58:47.417+0200    DEBUG   Base Layers: [sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c]
2023-07-14T14:58:47.419+0200    INFO    Detected OS: alpine
2023-07-14T14:58:47.419+0200    INFO    Detecting Alpine vulnerabilities...
2023-07-14T14:58:47.419+0200    DEBUG   alpine: os version: 3.18
2023-07-14T14:58:47.419+0200    DEBUG   alpine: package repository: 3.18
2023-07-14T14:58:47.419+0200    DEBUG   alpine: the number of packages: 24
2023-07-14T14:58:47.423+0200    INFO    Number of language-specific files: 2
2023-07-14T14:58:47.424+0200    INFO    Detecting dotnet-core vulnerabilities...
2023-07-14T14:58:47.424+0200    DEBUG   Detecting library vulnerabilities, type: dotnet-core, path: usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.20/Microsoft.NETCore.App.deps.json
2023-07-14T14:58:47.424+0200    DEBUG   Detecting library vulnerabilities, type: dotnet-core, path: usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.20/Microsoft.AspNetCore.App.deps.json

mcr.microsoft.com/dotnet/aspnet:6.0-alpine3.18 (alpine 3.18.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.20/Microsoft.AspNetCore.App.deps.json (dotnet-core)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────┐
│                     Library                     │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                    Title                    │
├─────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────┤
│ Microsoft.AspNetCore.App.Runtime.linux-musl-x64 │ CVE-2023-33170 │ HIGH     │ 6.0.20            │ 7.0.9         │ race condition in Core SignInManager<TUser> │
│                                                 │                │          │                   │               │ PasswordSignInAsync method                  │
│                                                 │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-33170  │
└─────────────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────┘

Version

Version: 0.43.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-14 12:12:11.791100143 +0000 UTC
  NextUpdate: 2023-07-14 18:12:11.791100043 +0000 UTC
  DownloadedAt: 2023-07-14 12:45:52.52459619 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[HughSayer]

Hi, I raised this issue yesterday, please see the response here: #4818

Thanks,

Hugh

[dondeetan]

I have the same issue