Trivy misdetecting ehcache 2.10.9.2 as being jackson and other Java libraries #4857

chadlwilson · 2023-07-23T05:32:01Z

chadlwilson
Jul 23, 2023

IDs

CVE-2020-36518 + others

Description

The problem here is not the underlying vulnerabilities, the problem seems to be the misclassification of ehcache 2.10.9.2 as being all these different unrelated libraries and versions:

com.fasterxml.jackson.core:jackson-databind 2.11.1
org.eclipse.jetty:jetty-http 9.4.39.v20210325
org.eclipse.jetty:jetty-io 9.4.39.v20210325
org.eclipse.jetty:jetty-server 9.4.39.v20210325
org.eclipse.jetty:jetty-util 9.4.39.v20210325
org.glassfish.jersey.core:jersey-common 2.31

This ehcache jar is not an uber-jar and does not contain any of these above libraries so it's not obvious what is causing this: https://repo1.maven.org/maven2/net/sf/ehcache/ehcache/2.10.9.2/

Any idea how to debug this further and how to tell if this is a trivy problem, or to do with data/heuristics it uses to match jars to libraries? I don't see this misdetection with other tools, so it seems something specific to the way trivy works, which is leading to quite some noise for our Helm chart on https://artifacthub.io/packages/helm/gocd/gocd?modal=security-report

$ md5sum ehcache-2.10.9.2.jar
863e690aaec2467d27d391b154d3151d  ehcache-2.10.9.2.jar
$ sha1sum ehcache-2.10.9.2.jar
642832b8def8968295e9eedb41cd8fd625786561  ehcache-2.10.9.2.jar
$ sha256sum ehcache-2.10.9.2.jar
43cdfeecb986364c55a840eff0a9242e5b3e6f69d89bd0d1db2d89ad2db33509  ehcache-2.10.9.2.jar

Example of one of the false positives, note that there are multiple layers of nesting here :-)

{
          "VulnerabilityID": "CVE-2023-26049",
          "PkgName": "org.eclipse.jetty:jetty-http",
          "PkgPath": "go-server/lib/go.jar/defaultFiles/cruise.war/WEB-INF/lib/ehcache-2.10.9.2.jar",
          "InstalledVersion": "9.4.39.v20210325",
          "FixedVersion": "9.4.51.v20230217, 10.0.14, 11.0.14",
          "Layer": {
            "DiffID": "sha256:e54203eca4d6e38525e177333724fe3a590d126c5be72a98bbe5d9e301b42646"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-26049",
          "DataSource": {
            "ID": "glad",
            "Name": "GitLab Advisory Database Community",
            "URL": "https://gitlab.com/gitlab-org/advisories-community"
          },
          "Title": "Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies",
          "Description": "Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.",
          "Severity": "MEDIUM",
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
              "V3Score": 2.4
            },
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "V3Score": 5.3
            }
          },
          "References": [
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049",
            "https://github.com/advisories/GHSA-p26g-97m4-6q7c",
            "https://github.com/eclipse/jetty.project/pull/9339",
            "https://github.com/eclipse/jetty.project/pull/9352",
            "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217",
            "https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-26049",
            "https://security.netapp.com/advisory/ntap-20230526-0001/",
            "https://www.rfc-editor.org/rfc/rfc2965",
            "https://www.rfc-editor.org/rfc/rfc6265"
          ],
          "PublishedDate": "2023-04-18T21:15:00Z",
          "LastModifiedDate": "2023-05-26T20:15:00Z"
        },

Reproduction Steps

1. `trivy image gocd/gocd-server:v23.2.0 --debug --format json`
2. Search for ehcache-2.10.9.2 in output

Target

Container Image

Scanner

Vulnerability

Target OS

Alpine 3.18.2

Debug Output

$ trivy image gocd/gocd-server:v23.2.0 --debug
2023-07-23T13:09:38.303+0800	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-07-23T13:09:38.315+0800	DEBUG	cache dir:  /Users/chad/Library/Caches/trivy
2023-07-23T13:09:38.315+0800	DEBUG	DB update was skipped because the local DB was downloaded during the last hour
2023-07-23T13:09:38.316+0800	DEBUG	DB Schema: 2, UpdatedAt: 2023-07-20 12:11:37.696263932 +0000 UTC, NextUpdate: 2023-07-20 18:11:37.696263532 +0000 UTC, DownloadedAt: 2023-07-23 05:01:25.277084 +0000 UTC
2023-07-23T13:09:38.316+0800	INFO	Vulnerability scanning is enabled
2023-07-23T13:09:38.316+0800	DEBUG	Vulnerability type:  [os library]
2023-07-23T13:09:38.316+0800	INFO	Secret scanning is enabled
2023-07-23T13:09:38.316+0800	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-23T13:09:38.316+0800	INFO	Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-07-23T13:09:38.329+0800	DEBUG	No secret config detected: trivy-secret.yaml
2023-07-23T13:09:38.329+0800	DEBUG	No secret config detected: trivy-secret.yaml
2023-07-23T13:09:38.329+0800	DEBUG	Image ID: sha256:fbfe3730911abf9d01e56d88f2246f597a5f4052afafeee8cff9c5a0008f4a7f
2023-07-23T13:09:38.329+0800	DEBUG	Diff IDs: [sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c sha256:f9d6ced47eb3a984274ef84777868809434526358480b418c1fb3b2d10bc07be sha256:441d090afe1d40506dc79c381bd466671b043a528e4eb9167cdf742f12f89f70 sha256:e7dce2fd751724fcd61347f4894312ce18c978fba4c13b5a95d6804837bac088 sha256:e54203eca4d6e38525e177333724fe3a590d126c5be72a98bbe5d9e301b42646 sha256:8b15e63967200dc6f4c43461299bc97c2a7c5d94bcd4ef0dc3e60e567f6024fb sha256:3599bc1a81532fa62a008bffb855a4eaaf9ae0644e1fe51a610db526610f4eef sha256:a0c2763ba1497d35e67e97c3b1eb6ae45d9c97b8dec05b9a1c3556755191aba0]
2023-07-23T13:09:38.329+0800	DEBUG	Base Layers: [sha256:78a822fe2a2d2c84f3de4a403188c45f623017d6a4521d23047c9fbb0801794c]
2023-07-23T13:09:38.332+0800	INFO	Detected OS: alpine
2023-07-23T13:09:38.332+0800	INFO	Detecting Alpine vulnerabilities...
2023-07-23T13:09:38.332+0800	DEBUG	alpine: os version: 3.18
2023-07-23T13:09:38.332+0800	DEBUG	alpine: package repository: 3.18
2023-07-23T13:09:38.332+0800	DEBUG	alpine: the number of packages: 63
2023-07-23T13:09:38.337+0800	INFO	Number of language-specific files: 1
2023-07-23T13:09:38.337+0800	INFO	Detecting jar vulnerabilities...
2023-07-23T13:09:38.337+0800	DEBUG	Detecting library vulnerabilities, type: jar, path:

gocd/gocd-server:v23.2.0 (alpine 3.18.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

2023-07-23T13:09:38.350+0800	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 46 (UNKNOWN: 1, LOW: 3, MEDIUM: 24, HIGH: 8, CRITICAL: 10)

┌────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────────────────┬────────────────────────────────────────────────────────────┐
│                          Library                           │    Vulnerability    │ Severity │ Installed Version │           Fixed Version            │                           Title                            │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ com.fasterxml.jackson.core:jackson-databind (go.jar)       │ CVE-2020-36518      │ HIGH     │ 2.11.1            │ 2.12.6.1, 2.13.2.1                 │ denial of service via a large depth of nested objects      │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2020-36518                 │
│                                                            ├─────────────────────┤          │                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2021-46877      │          │                   │ 2.12.6, 2.13.1                     │ Possible DoS if using JDK serialization to serialize       │
│                                                            │                     │          │                   │                                    │ JsonNode                                                   │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2021-46877                 │
│                                                            ├─────────────────────┤          │                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2022-42003      │          │                   │ 2.12.7.1, 2.13.4.1                 │ deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-42003                 │
│                                                            ├─────────────────────┤          │                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2022-42004      │          │                   │ 2.12.7.1, 2.13.4                   │ use of deeply nested arrays                                │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-42004                 │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ com.h2database:h2 (go.jar)                                 │ CVE-2021-23463      │ CRITICAL │ 1.4.200           │ 2.0.202                            │ XXE injection vulnerability                                │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2021-23463                 │
│                                                            ├─────────────────────┤          │                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2021-42392      │          │                   │ 2.0.206                            │ h2: Remote Code Execution in Console                       │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2021-42392                 │
│                                                            ├─────────────────────┤          │                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2022-23221      │          │                   │ 2.1.210                            │ Loading of custom classes from remote servers through JNDI │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-23221                 │
│                                                            ├─────────────────────┼──────────┤                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2022-45868      │ HIGH     │                   │ 2.2.220                            │ The web-based admin console in H2 Database Engine through  │
│                                                            │                     │          │                   │                                    │ 2.1.214 can ...                                            │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-45868                 │
│                                                            ├─────────────────────┼──────────┤                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ GHSA-h376-j262-vhq6 │ UNKNOWN  │                   │ 2.0.206                            │ Improper Neutralization of Special Elements used in an OS  │
│                                                            │                     │          │                   │                                    │ Command ('OS Command...                                    │
│                                                            │                     │          │                   │                                    │ https://github.com/advisories/GHSA-h376-j262-vhq6          │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.bouncycastle:bcprov-jdk18on (go.jar)                   │ CVE-2023-33201      │ MEDIUM   │ 1.71              │ 1.74                               │ potential blind LDAP injection attack using a self-signed  │
│                                                            │                     │          │                   │                                    │ certificate                                                │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2023-33201                 │
├────────────────────────────────────────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.eclipse.jetty:jetty-http (go.jar)                      │ CVE-2023-26048      │          │ 9.4.39.v20210325  │ 9.4.51.v20230217, 10.0.14, 11.0.14 │ OutOfMemoryError for large multipart without filename in   │
│                                                            │                     │          │                   │                                    │ Eclipse Jetty                                              │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2023-26048                 │
│                                                            ├─────────────────────┤          │                   │                                    ├────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2023-26049      │          │                   │                                    │ Eclipse Jetty's cookie parsing of quoted values can        │
│                                                            │                     │          │                   │                                    │ exfiltrate values from other...                            │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2023-26049                 │
│                                                            ├─────────────────────┼──────────┤                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2022-2047       │ LOW      │                   │ 9.4.46.v20220331, 10.0.9, 11.0.10  │ improver hostname input handling                           │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-2047                  │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.eclipse.jetty:jetty-io (go.jar)                        │ CVE-2023-26048      │ MEDIUM   │                   │ 9.4.51.v20230217, 10.0.14, 11.0.14 │ OutOfMemoryError for large multipart without filename in   │
│                                                            │                     │          │                   │                                    │ Eclipse Jetty                                              │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2023-26048                 │
│                                                            ├─────────────────────┤          │                   │                                    ├────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2023-26049      │          │                   │                                    │ Eclipse Jetty's cookie parsing of quoted values can        │
│                                                            │                     │          │                   │                                    │ exfiltrate values from other...                            │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2023-26049                 │
├────────────────────────────────────────────────────────────┼─────────────────────┤          │                   │                                    ├────────────────────────────────────────────────────────────┤
│ org.eclipse.jetty:jetty-server (go.jar)                    │ CVE-2023-26048      │          │                   │                                    │ OutOfMemoryError for large multipart without filename in   │
│                                                            │                     │          │                   │                                    │ Eclipse Jetty                                              │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2023-26048                 │
│                                                            ├─────────────────────┤          │                   │                                    ├────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2023-26049      │          │                   │                                    │ Eclipse Jetty's cookie parsing of quoted values can        │
│                                                            │                     │          │                   │                                    │ exfiltrate values from other...                            │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2023-26049                 │
│                                                            ├─────────────────────┼──────────┤                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2021-34428      │ LOW      │                   │ 9.4.40.v20210413, 10.0.3, 11.0.3   │ jetty: SessionListener can prevent a session from being    │
│                                                            │                     │          │                   │                                    │ invalidated breaking logout                                │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2021-34428                 │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.eclipse.jetty:jetty-util (go.jar)                      │ CVE-2023-26048      │ MEDIUM   │                   │ 9.4.51.v20230217, 10.0.14, 11.0.14 │ OutOfMemoryError for large multipart without filename in   │
│                                                            │                     │          │                   │                                    │ Eclipse Jetty                                              │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2023-26048                 │
│                                                            ├─────────────────────┤          │                   │                                    ├────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2023-26049      │          │                   │                                    │ Eclipse Jetty's cookie parsing of quoted values can        │
│                                                            │                     │          │                   │                                    │ exfiltrate values from other...                            │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2023-26049                 │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.eclipse.jetty:jetty-xml (go.jar)                       │ GHSA-58qw-p7qm-5rvh │ LOW      │ 9.4.51.v20230217  │                                    │ Eclipse Jetty XmlParser allows arbitrary DOCTYPE           │
│                                                            │                     │          │                   │                                    │ declarations                                               │
│                                                            │                     │          │                   │                                    │ https://github.com/advisories/GHSA-58qw-p7qm-5rvh          │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.glassfish.jersey.core:jersey-common (go.jar)           │ CVE-2021-28168      │ MEDIUM   │ 2.31              │ 2.34, 3.0.2                        │ jersey: Local information disclosure via system temporary  │
│                                                            │                     │          │                   │                                    │ directory                                                  │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2021-28168                 │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.hibernate:hibernate-core (go.jar)                      │ CVE-2020-25638      │ HIGH     │ 3.6.10.Final      │ 5.3.20.Final, 5.4.24.Final         │ SQL injection vulnerability when both                      │
│                                                            │                     │          │                   │                                    │ hibernate.use_sql_comments and JPQL String literals are    │
│                                                            │                     │          │                   │                                    │ used...                                                    │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2020-25638                 │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.nanohttpd:nanohttpd (go.jar)                           │ CVE-2022-21230      │ MEDIUM   │ 2.3.1             │                                    │ Incorrect Permission Assignment for Critical Resource      │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-21230                 │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.springframework.security:spring-security-core (go.jar) │ CVE-2022-22978      │ CRITICAL │ 4.2.20.RELEASE    │ 5.5.7, 5.6.4                       │ Authorization Bypass in RegexRequestMatcher                │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-22978                 │
│                                                            ├─────────────────────┼──────────┤                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2021-22112      │ HIGH     │                   │ 5.4.4, 5.3.9, 5.2.9                │ jenkins: Privilege escalation vulnerability in bundled     │
│                                                            │                     │          │                   │                                    │ Spring Security library                                    │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2021-22112                 │
│                                                            ├─────────────────────┼──────────┤                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2022-22976      │ MEDIUM   │                   │ 5.5.7, 5.6.4                       │ BCrypt skips salt rounds for work factor of 31             │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-22976                 │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.springframework.security:spring-security-web (go.jar)  │ CVE-2021-22112      │ HIGH     │                   │ 5.4.4, 5.3.9, 5.2.9                │ jenkins: Privilege escalation vulnerability in bundled     │
│                                                            │                     │          │                   │                                    │ Spring Security library                                    │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2021-22112                 │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.springframework:spring-beans (go.jar)                  │ CVE-2022-22965      │ CRITICAL │ 4.3.30.RELEASE    │ 5.2.20, 5.3.18                     │ RCE via Data Binding on JDK 9+                             │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-22965                 │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
├────────────────────────────────────────────────────────────┤                     │          │                   │                                    │                                                            │
│ org.springframework:spring-core (go.jar)                   │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            ├─────────────────────┼──────────┤                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2022-22968      │ MEDIUM   │                   │ 5.2.21, 5.3.19                     │ Spring Framework: Data Binding Rules Vulnerability         │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-22968                 │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            ├─────────────────────┤          │                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2022-22970      │          │                   │ 5.2.22.RELEASE, 5.3.20             │ DoS via data binding to multipartFile or servlet part      │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-22970                 │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            ├─────────────────────┤          │                   │                                    ├────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2022-22971      │          │                   │                                    │ DoS with STOMP over WebSocket                              │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-22971                 │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            ├─────────────────────┤          │                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2023-20861      │          │                   │ 5.3.26, 6.0.7, 5.2.23.RELEASE      │ Spring Expression DoS Vulnerability                        │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2023-20861                 │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            ├─────────────────────┤          │                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2023-20863      │          │                   │ 5.3.27, 6.0.8, 5.2.24.RELEASE      │ Spring Expression DoS Vulnerability                        │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2023-20863                 │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
├────────────────────────────────────────────────────────────┼─────────────────────┤          │                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.springframework:spring-expression (go.jar)             │ CVE-2022-22950      │          │                   │ 5.2.20, 5.3.16                     │ spring-expression: Denial of service via specially crafted │
│                                                            │                     │          │                   │                                    │ SpEL expression                                            │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2022-22950                 │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
├────────────────────────────────────────────────────────────┼─────────────────────┼──────────┤                   ├────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ org.springframework:spring-web (go.jar)                    │ CVE-2016-1000027    │ CRITICAL │                   │ 6.0.0                              │ spring: HttpInvokerServiceExporter readRemoteInvocation    │
│                                                            │                     │          │                   │                                    │ method untrusted java deserialization                      │
│                                                            │                     │          │                   │                                    │ https://avd.aquasec.com/nvd/cve-2016-1000027               │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
│                                                            │                     │          │                   │                                    │                                                            │
└────────────────────────────────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────────────────┴────────────────────────────────────────────────────────────┘

Version

$ trivy --version
Version: 0.43.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-20 12:11:37.696263932 +0000 UTC
  NextUpdate: 2023-07-20 18:11:37.696263532 +0000 UTC
  DownloadedAt: 2023-07-23 05:01:25.277084 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-07-23 00:59:33.404436467 +0000 UTC
  NextUpdate: 2023-07-26 00:59:33.404435867 +0000 UTC
  DownloadedAt: 2023-07-23 05:02:18.660014 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

chadlwilson · 2023-07-23T05:38:40Z

chadlwilson
Jul 23, 2023
Author

OK, after looking a bit further inside the jar, I discovered that ehcache-2.10.9.2 does seem to have these libraries shaded inside this jar at rest-management-private-classpath with strange .class_terracotta files rather than regular class files, and does have Maven metadata that correspond to what Trivy is detecting.

So this probably isn't a trivy problem. Hmm. Will close for now.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy misdetecting ehcache 2.10.9.2 as being jackson and other Java libraries #4857

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Trivy misdetecting ehcache 2.10.9.2 as being jackson and other Java libraries #4857

chadlwilson Jul 23, 2023

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 1 comment

chadlwilson Jul 23, 2023 Author

chadlwilson
Jul 23, 2023

chadlwilson
Jul 23, 2023
Author