aiohttp v3.8.5 false positive

[rubur-webbeds]

IDs

CVE-2023-37276

Description

Hello,
trivy detects CVE-2023-37276 in aiohttp v3.8.5.
After checking Python Packaging Advisory Database PYSEC-2023-120, it seems like the vulnerability affects up to v3.8.4.

Reproduction Steps

1. create Dockerfile

FROM python:3.8-alpine
RUN pip install aiohttp==3.8.5

2. build docker image: docker build -t aiohttp-vuln .
3. run trivy: trivy image aiohttp-vuln

### Target

Container Image

### Scanner

Vulnerability

### Target OS

_No response_

### Debug Output

```bash
{
  "SchemaVersion": 2,
  "ArtifactName": "aiohttp-local",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "alpine",
      "Name": "3.18.2"
    },
    "ImageID": "sha256:b48ab66989ecbe2b16152e974cd81624948d6f6f8f029cee6b48087fc6838202",
    "DiffIDs": [
      "sha256:61f2871f545a9b23a9340f96b331fb660b43008a9e84a03ad8564271bce5743b",
      "sha256:179c489c61319b15708a90943b8e884d93633b94e14664cca42612036de3aecc",
      "sha256:682d4811821df5d9d01b5195fe8a31e68501448e3fd8ac1d074c246d61adeb58",
      "sha256:17cf71780b51f2c716ec023cad7b085cb4e5c10c21ec31d17079f5933e0aec1a",
      "sha256:80a1f676175c07a504c4fc3211409f632dc9c434da0a0d49aa5aebd432745e36",
      "sha256:a8e9ce8505d6d3d7c2f2f25a44625f83855e155a4dc2a75c69fa25dc2db68b8d"
    ],
    "RepoTags": [
      "aiohttp-local:latest"
    ],
    "ImageConfig": {
      "architecture": "arm64",
      "created": "2023-07-31T09:47:59.32420888Z",
      "history": [
        {
          "created": "2023-06-14T20:48:58Z",
          "created_by": "/bin/sh -c #(nop) ADD file:289c2fac17119508ced527225d445747cd177111b4a0018a6b04948ecb3b5e29 in / "
        },
        {
          "created": "2023-06-14T20:48:58Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
          "empty_layer": true
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "ENV PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "ENV LANG=C.UTF-8",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "RUN /bin/sh -c set -eux; \tapk add --no-cache \t\tca-certificates \t\ttzdata \t; # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "ENV GPG_KEY=E3FF2839C048B25C084DEBE9B26995E310250568",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "ENV PYTHON_VERSION=3.8.17",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "RUN /bin/sh -c set -eux; \t\tapk add --no-cache --virtual .build-deps \t\tgnupg \t\ttar \t\txz \t\t\t\tbluez-dev \t\tbzip2-dev \t\tdpkg-dev dpkg \t\texpat-dev \t\tfindutils \t\tgcc \t\tgdbm-dev \t\tlibc-dev \t\tlibffi-dev \t\tlibnsl-dev \t\tlibtirpc-dev \t\tlinux-headers \t\tmake \t\tncurses-dev \t\topenssl-dev \t\tpax-utils \t\treadline-dev \t\tsqlite-dev \t\ttcl-dev \t\ttk \t\ttk-dev \t\tutil-linux-dev \t\txz-dev \t\tzlib-dev \t; \t\twget -O python.tar.xz \"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz\"; \twget -O python.tar.xz.asc \"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc\"; \tGNUPGHOME=\"$(mktemp -d)\"; export GNUPGHOME; \tgpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \"$GPG_KEY\"; \tgpg --batch --verify python.tar.xz.asc python.tar.xz; \tgpgconf --kill all; \trm -rf \"$GNUPGHOME\" python.tar.xz.asc; \tmkdir -p /usr/src/python; \ttar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \trm python.tar.xz; \t\tcd /usr/src/python; \tgnuArch=\"$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)\"; \t./configure \t\t--build=\"$gnuArch\" \t\t--enable-loadable-sqlite-extensions \t\t--enable-optimizations \t\t--enable-option-checking=fatal \t\t--enable-shared \t\t--with-system-expat \t\t--without-ensurepip \t; \tnproc=\"$(nproc)\"; \tEXTRA_CFLAGS=\"-DTHREAD_STACK_SIZE=0x100000\"; \tLDFLAGS=\"${LDFLAGS:--Wl},--strip-all\"; \tmake -j \"$nproc\" \t\t\"EXTRA_CFLAGS=${EXTRA_CFLAGS:-}\" \t\t\"LDFLAGS=${LDFLAGS:-}\" \t\t\"PROFILE_TASK=${PROFILE_TASK:-}\" \t; \trm python; \tmake -j \"$nproc\" \t\t\"EXTRA_CFLAGS=${EXTRA_CFLAGS:-}\" \t\t\"LDFLAGS=${LDFLAGS:--Wl},-rpath='\\$\\$ORIGIN/../lib'\" \t\t\"PROFILE_TASK=${PROFILE_TASK:-}\" \t\tpython \t; \tmake install; \t\tcd /; \trm -rf /usr/src/python; \t\tfind /usr/local -depth \t\t\\( \t\t\t\\( -type d -a \\( -name test -o -name tests -o -name idle_test \\) \\) \t\t\t-o \\( -type f -a \\( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \\) \\) \t\t\t-o \\( -type f -a -name 'wininst-*.exe' \\) \t\t\\) -exec rm -rf '{}' + \t; \t\tfind /usr/local -type f -executable -not \\( -name '*tkinter*' \\) -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \t\t| tr ',' '\\n' \t\t| sort -u \t\t| awk 'system(\"[ -e /usr/local/lib/\" $1 \" ]\") == 0 { next } { print \"so:\" $1 }' \t\t| xargs -rt apk add --no-network --virtual .python-rundeps \t; \tapk del --no-network .build-deps; \t\tpython3 --version # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "RUN /bin/sh -c set -eux; \tfor src in idle3 pydoc3 python3 python3-config; do \t\tdst=\"$(echo \"$src\" | tr -d 3)\"; \t\t[ -s \"/usr/local/bin/$src\" ]; \t\t[ ! -e \"/usr/local/bin/$dst\" ]; \t\tln -svT \"$src\" \"/usr/local/bin/$dst\"; \tdone # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "ENV PYTHON_PIP_VERSION=23.0.1",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "ENV PYTHON_SETUPTOOLS_VERSION=57.5.0",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "ENV PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/0d8570dc44796f4369b652222cf176b3db6ac70e/public/get-pip.py",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "ENV PYTHON_GET_PIP_SHA256=96461deced5c2a487ddc65207ec5a9cffeca0d34e7af7ea1afc470ff0d746207",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "RUN /bin/sh -c set -eux; \t\twget -O get-pip.py \"$PYTHON_GET_PIP_URL\"; \techo \"$PYTHON_GET_PIP_SHA256 *get-pip.py\" | sha256sum -c -; \t\texport PYTHONDONTWRITEBYTECODE=1; \t\tpython get-pip.py \t\t--disable-pip-version-check \t\t--no-cache-dir \t\t--no-compile \t\t\"pip==$PYTHON_PIP_VERSION\" \t\t\"setuptools==$PYTHON_SETUPTOOLS_VERSION\" \t; \trm -f get-pip.py; \t\tpip --version # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2023-06-06T15:50:21Z",
          "created_by": "CMD [\"python3\"]",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2023-07-31T09:47:59Z",
          "created_by": "RUN /bin/sh -c pip install aiohttp==3.8.5 # buildkit",
          "comment": "buildkit.dockerfile.v0"
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:61f2871f545a9b23a9340f96b331fb660b43008a9e84a03ad8564271bce5743b",
          "sha256:179c489c61319b15708a90943b8e884d93633b94e14664cca42612036de3aecc",
          "sha256:682d4811821df5d9d01b5195fe8a31e68501448e3fd8ac1d074c246d61adeb58",
          "sha256:17cf71780b51f2c716ec023cad7b085cb4e5c10c21ec31d17079f5933e0aec1a",
          "sha256:80a1f676175c07a504c4fc3211409f632dc9c434da0a0d49aa5aebd432745e36",
          "sha256:a8e9ce8505d6d3d7c2f2f25a44625f83855e155a4dc2a75c69fa25dc2db68b8d"
        ]
      },
      "config": {
        "Cmd": [
          "python3"
        ],
        "Env": [
          "PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "LANG=C.UTF-8",
          "GPG_KEY=E3FF2839C048B25C084DEBE9B26995E310250568",
          "PYTHON_VERSION=3.8.17",
          "PYTHON_PIP_VERSION=23.0.1",
          "PYTHON_SETUPTOOLS_VERSION=57.5.0",
          "PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/0d8570dc44796f4369b652222cf176b3db6ac70e/public/get-pip.py",
          "PYTHON_GET_PIP_SHA256=96461deced5c2a487ddc65207ec5a9cffeca0d34e7af7ea1afc470ff0d746207"
        ],
        "ArgsEscaped": true
      }
    }
  },
  "Results": [
    {
      "Target": "aiohttp-local (alpine 3.18.2)",
      "Class": "os-pkgs",
      "Type": "alpine",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2023-2975",
          "PkgName": "libcrypto3",
          "InstalledVersion": "3.1.1-r1",
          "FixedVersion": "3.1.1-r2",
          "Layer": {
            "DiffID": "sha256:61f2871f545a9b23a9340f96b331fb660b43008a9e84a03ad8564271bce5743b"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-2975",
          "DataSource": {
            "ID": "alpine",
            "Name": "Alpine Secdb",
            "URL": "https://secdb.alpinelinux.org/"
          },
          "Title": "AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries",
          "Description": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-287"
          ],
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
              "V3Score": 5.3
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "V3Score": 5.9
            }
          },
          "References": [
            "http://www.openwall.com/lists/oss-security/2023/07/15/1",
            "http://www.openwall.com/lists/oss-security/2023/07/19/5",
            "https://access.redhat.com/security/cve/CVE-2023-2975",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2975",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-2975",
            "https://security.netapp.com/advisory/ntap-20230725-0004/",
            "https://www.cve.org/CVERecord?id=CVE-2023-2975",
            "https://www.openssl.org/news/secadv/20230714.txt"
          ],
          "PublishedDate": "2023-07-14T12:15:00Z",
          "LastModifiedDate": "2023-07-27T13:02:00Z"
        },
        {
          "VulnerabilityID": "CVE-2023-3446",
          "PkgName": "libcrypto3",
          "InstalledVersion": "3.1.1-r1",
          "FixedVersion": "3.1.1-r3",
          "Layer": {
            "DiffID": "sha256:61f2871f545a9b23a9340f96b331fb660b43008a9e84a03ad8564271bce5743b"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-3446",
          "DataSource": {
            "ID": "alpine",
            "Name": "Alpine Secdb",
            "URL": "https://secdb.alpinelinux.org/"
          },
          "Title": "Excessive time spent checking DH keys and parameters",
          "Description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-1333"
          ],
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "V3Score": 5.3
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "V3Score": 5.3
            }
          },
          "References": [
            "http://www.openwall.com/lists/oss-security/2023/07/19/4",
            "http://www.openwall.com/lists/oss-security/2023/07/19/5",
            "http://www.openwall.com/lists/oss-security/2023/07/19/6",
            "https://access.redhat.com/security/cve/CVE-2023-3446",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-3446",
            "https://www.cve.org/CVERecord?id=CVE-2023-3446",
            "https://www.openssl.org/news/secadv/20230719.txt"
          ],
          "PublishedDate": "2023-07-19T12:15:00Z",
          "LastModifiedDate": "2023-07-28T19:02:00Z"
        },
        {
          "VulnerabilityID": "CVE-2023-2975",
          "PkgName": "libssl3",
          "InstalledVersion": "3.1.1-r1",
          "FixedVersion": "3.1.1-r2",
          "Layer": {
            "DiffID": "sha256:61f2871f545a9b23a9340f96b331fb660b43008a9e84a03ad8564271bce5743b"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-2975",
          "DataSource": {
            "ID": "alpine",
            "Name": "Alpine Secdb",
            "URL": "https://secdb.alpinelinux.org/"
          },
          "Title": "AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries",
          "Description": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-287"
          ],
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
              "V3Score": 5.3
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "V3Score": 5.9
            }
          },
          "References": [
            "http://www.openwall.com/lists/oss-security/2023/07/15/1",
            "http://www.openwall.com/lists/oss-security/2023/07/19/5",
            "https://access.redhat.com/security/cve/CVE-2023-2975",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2975",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-2975",
            "https://security.netapp.com/advisory/ntap-20230725-0004/",
            "https://www.cve.org/CVERecord?id=CVE-2023-2975",
            "https://www.openssl.org/news/secadv/20230714.txt"
          ],
          "PublishedDate": "2023-07-14T12:15:00Z",
          "LastModifiedDate": "2023-07-27T13:02:00Z"
        },
        {
          "VulnerabilityID": "CVE-2023-3446",
          "PkgName": "libssl3",
          "InstalledVersion": "3.1.1-r1",
          "FixedVersion": "3.1.1-r3",
          "Layer": {
            "DiffID": "sha256:61f2871f545a9b23a9340f96b331fb660b43008a9e84a03ad8564271bce5743b"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-3446",
          "DataSource": {
            "ID": "alpine",
            "Name": "Alpine Secdb",
            "URL": "https://secdb.alpinelinux.org/"
          },
          "Title": "Excessive time spent checking DH keys and parameters",
          "Description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-1333"
          ],
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "V3Score": 5.3
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "V3Score": 5.3
            }
          },
          "References": [
            "http://www.openwall.com/lists/oss-security/2023/07/19/4",
            "http://www.openwall.com/lists/oss-security/2023/07/19/5",
            "http://www.openwall.com/lists/oss-security/2023/07/19/6",
            "https://access.redhat.com/security/cve/CVE-2023-3446",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-3446",
            "https://www.cve.org/CVERecord?id=CVE-2023-3446",
            "https://www.openssl.org/news/secadv/20230719.txt"
          ],
          "PublishedDate": "2023-07-19T12:15:00Z",
          "LastModifiedDate": "2023-07-28T19:02:00Z"
        }
      ]
    },
    {
      "Target": "Python",
      "Class": "lang-pkgs",
      "Type": "python-pkg",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2023-37276",
          "PkgName": "aiohttp",
          "PkgPath": "usr/local/lib/python3.8/site-packages/aiohttp-3.8.5.dist-info/METADATA",
          "InstalledVersion": "3.8.5",
          "Layer": {
            "DiffID": "sha256:a8e9ce8505d6d3d7c2f2f25a44625f83855e155a4dc2a75c69fa25dc2db68b8d"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-37276",
          "DataSource": {
            "ID": "osv",
            "Name": "Python Packaging Advisory Database",
            "URL": "https://github.com/pypa/advisory-db"
          },
          "Title": "HTTP request smuggling via llhttp HTTP request parser",
          "Description": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-444"
          ],
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
              "V3Score": 5.3
            },
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
              "V3Score": 5.3
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2023-37276",
            "https://github.com/advisories/GHSA-45c4-8wx5-qw6w",
            "https://github.com/aio-libs/aiohttp",
            "https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules",
            "https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40",
            "https://github.com/aio-libs/aiohttp/commit/9c13a52c21c23dfdb49ed89418d28a5b116d0681",
            "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w",
            "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-120.yaml",
            "https://hackerone.com/reports/2001873",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-37276",
            "https://www.cve.org/CVERecord?id=CVE-2023-37276"
          ],
          "PublishedDate": "2023-07-19T20:15:00Z",
          "LastModifiedDate": "2023-07-28T15:55:00Z"
        },
        {
          "VulnerabilityID": "CVE-2022-40897",
          "PkgName": "setuptools",
          "PkgPath": "usr/local/lib/python3.8/site-packages/setuptools-57.5.0.dist-info/METADATA",
          "InstalledVersion": "57.5.0",
          "FixedVersion": "65.5.1",
          "Layer": {
            "DiffID": "sha256:80a1f676175c07a504c4fc3211409f632dc9c434da0a0d49aa5aebd432745e36"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-40897",
          "DataSource": {
            "ID": "osv",
            "Name": "Python Packaging Advisory Database",
            "URL": "https://github.com/pypa/advisory-db"
          },
          "Title": "Regular Expression Denial of Service (ReDoS) in package_index.py",
          "Description": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.",
          "Severity": "MEDIUM",
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            },
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 5.9
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 5.9
            }
          },
          "References": [
            "https://access.redhat.com/errata/RHSA-2023:0952",
            "https://access.redhat.com/security/cve/CVE-2022-40897",
            "https://bugzilla.redhat.com/2158559",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2158559",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897",
            "https://errata.almalinux.org/9/ALSA-2023-0952.html",
            "https://errata.rockylinux.org/RLSA-2023:0952",
            "https://github.com/advisories/GHSA-r9hx-vwmv-q579",
            "https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200",
            "https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be",
            "https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1",
            "https://github.com/pypa/setuptools/issues/3659",
            "https://linux.oracle.com/cve/CVE-2022-40897.html",
            "https://linux.oracle.com/errata/ELSA-2023-12348.html",
            "https://lists.fedoraproject.org/archives/list/[email protected]/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/",
            "https://lists.fedoraproject.org/archives/list/[email protected]/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-40897",
            "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/",
            "https://pyup.io/vulnerabilities/CVE-2022-40897/52495/",
            "https://security.netapp.com/advisory/ntap-20230214-0001/",
            "https://setuptools.pypa.io/en/latest/",
            "https://ubuntu.com/security/notices/USN-5817-1",
            "https://www.cve.org/CVERecord?id=CVE-2022-40897"
          ],
          "PublishedDate": "2022-12-23T00:15:00Z",
          "LastModifiedDate": "2023-05-01T06:15:00Z"
        }
      ]
    }
  ]
}

Version

Version: 0.32.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-31 12:11:21.008299068 +0000 UTC
  NextUpdate: 2023-07-31 18:11:21.008298468 +0000 UTC
  DownloadedAt: 2023-07-31 12:20:45.901046 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[bassamicius]

Hello, second this, it is blocking our delivery pipeline :(

[nikpivkin]

Hi @rubur-webbeds . Thank you for your report!
I've created an #4920 to track it.