False positive for CVE-2023-1108 undertow-core

[bvahdat]

IDs

CVE-2023-1108

Description

Scanning a custom Docker image finds a vulnerability by the maven artifact io.undertow:undertow-core:2.2.24.Final

┌───────────────────────────────────────────────────┬──────────────────┬──────────┬───────────────────┬──────────────────────────────────┬────────────────────────────────────────────────────────────┐
│                      Library                      │  Vulnerability   │ Severity │ Installed Version │          Fixed Version           │                           Title                            │
├───────────────────────────────────────────────────┼──────────────────┼──────────┼───────────────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ io.undertow:undertow-core (my-app.jar)            │ CVE-2023-1108    │ HIGH     │ 2.2.24.Final      │ 2.3.5.Final                      │ Infinite loop in SslConduit during close                   │
│                                                   │                  │          │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-1108                  │
├───────────────────────────────────────────────────┼──────────────────┼──────────┼───────────────────┼──────────────────────────────────┼────────────────────────────────────────────────────────────┤

However starting from undertow 2.2.24.Final CVE-2023-1108 is already fixed and has been tracked through:

https://issues.redhat.com/browse/UNDERTOW-2239

This can be verified through this GitHub blame link on the 2.2.24.Final tagged codebase.

More details available by the following links:

• https://bugzilla.redhat.com/show_bug.cgi?id=2174246#c0
• [UNDERTOW-2207][UNDERTOW-2212][UNDERTOW-2239][UNDERTOW-2252] 2.2.x backport bug fixes undertow-io/undertow#1457
• [FP]: CVE-2023-1108 in undertow-core-2.2.24.Final.jar jeremylong/DependencyCheck#5713 (comment)

Reproduction Steps

1.
2.
3.
...

Target

Filesystem

Scanner

License

Target OS

No response

Debug Output

.

Version

v0.42.0

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @bvahdat
Thanks for your report!

Looks like GitHub advisory database contains mistake:

Can you create an improvement for this advisory? (https://github.com/advisories/GHSA-m4mm-pg93-fv78/improve)

Regards, Dmitriy

[knqyf263]

I'll close this discussion as it is not our issue.