CVE-2022-3715 reported as LOW when it's actually HIGH #4835

huornlmj · 2023-07-17T17:08:06Z

huornlmj
Jul 17, 2023

IDs

CVE-2022-3715

Description

Reported as HIGH (CVSS 3.1 7.8) at https://ubuntu.com/security/CVE-2022-3715 and also HIGH with in the JSON output (details below)

$ trivy version
Version: 0.42.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-17 12:12:06.570634022 +0000 UTC
  NextUpdate: 2023-07-17 18:12:06.570633722 +0000 UTC
  DownloadedAt: 2023-07-17 15:49:31.933341695 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-05-04 00:53:26.2635229 +0000 UTC
  NextUpdate: 2023-05-07 00:53:26.2635224 +0000 UTC
  DownloadedAt: 2023-05-04 18:45:43.232524302 +0000 UTC
Policy Bundle:
  Digest: sha256:829832357626da2677955e3b427191212978ba20012b6eaa03229ca28569ae43
  DownloadedAt: 2023-07-14 11:09:36.334369682 +0000 UTC

$ docker images | grep 22.04
ubuntu                                        22.04              5a81c4b8502e   2 weeks ago     77.8MB

$ trivy image ubuntu:22.04
ubuntu:22.04 (ubuntu 22.04)

Total: 16 (UNKNOWN: 0, LOW: 10, MEDIUM: 6, HIGH: 0, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬──────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │    Installed Version     │ Fixed Version │                            Title                            │
├─────────────┼────────────────┼──────────┼──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ bash        │ CVE-2022-3715  │ LOW      │ 5.1-6ubuntu1             │               │ a heap-buffer-overflow in valid_parameter_transform         │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-3715                   │
├─────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤

"VulnerabilityID": "CVE-2022-3715",
          "PkgID": "[email protected]",
          "PkgName": "bash",
          "InstalledVersion": "5.1-6ubuntu1",
          "Layer": {
            "DiffID": "sha256:59c56aee1fb4dbaeb334aef06088b49902105d1ea0c15a9e5a2a9ce560fa4c5d"
          },
          "SeveritySource": "ubuntu",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3715",
          "DataSource": {
            "ID": "ubuntu",
            "Name": "Ubuntu CVE Tracker",
            "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
          },
          "Title": "a heap-buffer-overflow in valid_parameter_transform",
          "Description": "A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.",
          "Severity": "LOW",
          "CweIDs": [
            "CWE-787"
          ],
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 7.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
              "V3Score": 6.6
            }
          },

Reproduction Steps

1. Scan the above hashed version of ubuntu:22.04 docker image.
2. Observe the CVE-2022-3715 is listed as present and LOW.
3. Visit https://ubuntu.com/security/CVE-2022-3715 and observe that the issue is HIGH.

Target

Container Image

Scanner

Vulnerability

Target OS

Ubuntu:22.04

Debug Output

$ trivy image ubuntu:22.04 --debug
2023-07-17T18:07:41.527+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-07-17T18:07:41.529+0100    DEBUG   cache dir:  /home/jason/.cache/trivy
2023-07-17T18:07:41.529+0100    DEBUG   DB update was skipped because the local DB is the latest
2023-07-17T18:07:41.529+0100    DEBUG   DB Schema: 2, UpdatedAt: 2023-07-17 12:12:06.570634022 +0000 UTC, NextUpdate: 2023-07-17 18:12:06.570633722 +0000 UTC, DownloadedAt: 2023-07-17 15:49:31.933341695 +0000 UTC
2023-07-17T18:07:41.530+0100    INFO    Vulnerability scanning is enabled
2023-07-17T18:07:41.530+0100    DEBUG   Vulnerability type:  [os library]
2023-07-17T18:07:41.530+0100    INFO    Secret scanning is enabled
2023-07-17T18:07:41.530+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-17T18:07:41.530+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-07-17T18:07:41.532+0100    DEBUG   No secret config detected: trivy-secret.yaml
2023-07-17T18:07:41.532+0100    DEBUG   Image ID: sha256:5a81c4b8502e4979e75bd8f91343b95b0d695ab67f241dbed0d1530a35bde1eb
2023-07-17T18:07:41.532+0100    DEBUG   Diff IDs: [sha256:59c56aee1fb4dbaeb334aef06088b49902105d1ea0c15a9e5a2a9ce560fa4c5d]
2023-07-17T18:07:41.532+0100    DEBUG   Base Layers: []
2023-07-17T18:07:41.539+0100    INFO    Detected OS: ubuntu
2023-07-17T18:07:41.539+0100    INFO    Detecting Ubuntu vulnerabilities...
2023-07-17T18:07:41.539+0100    DEBUG   ubuntu: os version: 22.04
2023-07-17T18:07:41.539+0100    DEBUG   ubuntu: the number of packages: 101
2023-07-17T18:07:41.541+0100    INFO    Number of language-specific files: 0

ubuntu:22.04 (ubuntu 22.04)

Total: 16 (UNKNOWN: 0, LOW: 10, MEDIUM: 6, HIGH: 0, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬──────────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │    Installed Version     │ Fixed Version │                            Title                            │
├─────────────┼────────────────┼──────────┼──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ bash        │ CVE-2022-3715  │ LOW      │ 5.1-6ubuntu1             │               │ a heap-buffer-overflow in valid_parameter_transform         │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-3715                   │
├─────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ coreutils   │ CVE-2016-2781  │          │ 8.32-4.1ubuntu1          │               │ coreutils: Non-privileged session can escape to the parent  │
│             │                │          │                          │               │ session in chroot                                           │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2016-2781                   │
├─────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gpgv        │ CVE-2022-3219  │          │ 2.2.27-3ubuntu2.1        │               │ denial of service issue (resource consumption) using        │
│             │                │          │                          │               │ compressed packets                                          │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-3219                   │
├─────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libc-bin    │ CVE-2016-20013 │          │ 2.35-0ubuntu3.1          │               │ sha256crypt and sha512crypt through 0.6 allow attackers to  │
│             │                │          │                          │               │ cause a denial of...                                        │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2016-20013                  │
├─────────────┤                │          │                          ├───────────────┤                                                             │
│ libc6       │                │          │                          │               │                                                             │
│             │                │          │                          │               │                                                             │
│             │                │          │                          │               │                                                             │
├─────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libpcre3    │ CVE-2017-11164 │          │ 2:8.39-13ubuntu0.22.04.1 │               │ pcre: OP_KETRMAX feature in the match function in           │
│             │                │          │                          │               │ pcre_exec.c                                                 │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2017-11164                  │
├─────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3     │ CVE-2023-2975  │          │ 3.0.2-0ubuntu1.10        │               │ Issue summary: The AES-SIV cipher implementation contains a │
│             │                │          │                          │               │ bug that c ......                                           │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2023-2975                   │
├─────────────┼────────────────┼──────────┼──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libsystemd0 │ CVE-2023-31437 │ MEDIUM   │ 249.11-0ubuntu3.9        │               │ An issue was discovered in systemd 253. An attacker can     │
│             │                │          │                          │               │ modify a...                                                 │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2023-31437                  │
│             ├────────────────┤          │                          ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2023-31438 │          │                          │               │ An issue was discovered in systemd 253. An attacker can     │
│             │                │          │                          │               │ truncate a...                                               │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2023-31438                  │
│             ├────────────────┤          │                          ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2023-31439 │          │                          │               │ An issue was discovered in systemd 253. An attacker can     │
│             │                │          │                          │               │ modify the...                                               │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2023-31439                  │
├─────────────┼────────────────┤          │                          ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libudev1    │ CVE-2023-31437 │          │                          │               │ An issue was discovered in systemd 253. An attacker can     │
│             │                │          │                          │               │ modify a...                                                 │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2023-31437                  │
│             ├────────────────┤          │                          ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2023-31438 │          │                          │               │ An issue was discovered in systemd 253. An attacker can     │
│             │                │          │                          │               │ truncate a...                                               │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2023-31438                  │
│             ├────────────────┤          │                          ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2023-31439 │          │                          │               │ An issue was discovered in systemd 253. An attacker can     │
│             │                │          │                          │               │ modify the...                                               │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2023-31439                  │
├─────────────┼────────────────┼──────────┼──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libzstd1    │ CVE-2022-4899  │ LOW      │ 1.4.8+dfsg-3build1       │               │ buffer overrun in util.c                                    │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2022-4899                   │
├─────────────┼────────────────┤          ├──────────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ login       │ CVE-2023-29383 │          │ 1:4.8.1-2ubuntu2.1       │               │ Improper input validation in shadow-utils package utility   │
│             │                │          │                          │               │ chfn                                                        │
│             │                │          │                          │               │ https://avd.aquasec.com/nvd/cve-2023-29383                  │
├─────────────┤                │          │                          ├───────────────┤                                                             │
│ passwd      │                │          │                          │               │                                                             │
│             │                │          │                          │               │                                                             │
│             │                │          │                          │               │                                                             │
└─────────────┴────────────────┴──────────┴──────────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Version

$ trivy version
Version: 0.42.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-17 12:12:06.570634022 +0000 UTC
  NextUpdate: 2023-07-17 18:12:06.570633722 +0000 UTC
  DownloadedAt: 2023-07-17 15:49:31.933341695 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-05-04 00:53:26.2635229 +0000 UTC
  NextUpdate: 2023-05-07 00:53:26.2635224 +0000 UTC
  DownloadedAt: 2023-05-04 18:45:43.232524302 +0000 UTC
Policy Bundle:
  Digest: sha256:829832357626da2677955e3b427191212978ba20012b6eaa03229ca28569ae43
  DownloadedAt: 2023-07-14 11:09:36.334369682 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

DmitriyLewen · 2023-07-18T04:07:08Z

DmitriyLewen
Jul 18, 2023
Maintainer

Hello @huornlmj
Thanks for your report.

Looks like it is just mistake in Priority field - https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2022-3715#n16.
Unfortunately Ubuntu doesn't have simple option to correct their advisories.

For those rare cases, Trivy supports modules. You can create new module to update severity for this CVE.

Regards, Dmitriy

3 replies

huornlmj Jul 18, 2023
Author

I would suggest that Trivy not use the reported 'Priority' to report the 'Severity' as they are two different and and as shown, non-interchangeable values. Is there a way to run Trivy with the option to use the CVSS value in the table report?

DmitriyLewen Jul 18, 2023
Maintainer

unfortunately this option is not available right now.

knqyf263 Jul 19, 2023
Maintainer

There is a discussion here.
#3395

@huornlmj You can leave a comment there.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-3715 reported as LOW when it's actually HIGH #4835

{{title}}

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

CVE-2022-3715 reported as LOW when it's actually HIGH #4835

huornlmj Jul 17, 2023

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 1 comment · 3 replies

DmitriyLewen Jul 18, 2023 Maintainer

huornlmj Jul 18, 2023 Author

DmitriyLewen Jul 18, 2023 Maintainer

knqyf263 Jul 19, 2023 Maintainer

huornlmj
Jul 17, 2023

Replies: 1 comment 3 replies

DmitriyLewen
Jul 18, 2023
Maintainer

huornlmj Jul 18, 2023
Author

DmitriyLewen Jul 18, 2023
Maintainer

knqyf263 Jul 19, 2023
Maintainer