CVE-2019-8457 - False positive detection

[cgargas]

IDs

CVE-2019-8457

Description

I have the results of a container image scan stating that the version of libdb5.3 that I'm running in a Debian container is vulnerable to CVE-2019-8457. The running version is 5.3.28+dfsg2-4 which has been reported as fixed per their security tracker: https://security-tracker.debian.org/tracker/CVE-2019-8457

Reproduction Steps

1. trivy image -f json <imagename:tag> --debug

Target

Container Image

Scanner

Vulnerability

Target OS

Debian 11.8

Debug Output

`        {
          "VulnerabilityID": "CVE-2019-8457",
          "PkgID": "[email protected]+dfsg2-4",
          "PkgName": "libdb5.3",
          "InstalledVersion": "5.3.28+dfsg2-4",
          "Status": "affected",
          "Layer": {
            "Digest": "sha256:REDACT",
            "DiffID": "sha256:REDACT"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-8457",
          "DataSource": {
            "ID": "debian",
            "Name": "Debian Security Tracker",
            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
          },
          "Title": "heap out-of-bound read in function rtreenode()",
          "Description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.",
          "Severity": "CRITICAL",
          "CweIDs": [
            "CWE-125"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V2Score": 7.5,
              "V3Score": 9.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00074.html",
            "https://access.redhat.com/security/cve/CVE-2019-8457",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457",
            "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365",
            "https://linux.oracle.com/cve/CVE-2019-8457.html",
            "https://linux.oracle.com/errata/ELSA-2020-1810.html",
            "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/",
            "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-8457",
            "https://security.netapp.com/advisory/ntap-20190606-0002/",
            "https://ubuntu.com/security/notices/USN-4004-1",
            "https://ubuntu.com/security/notices/USN-4004-2",
            "https://ubuntu.com/security/notices/USN-4019-1",
            "https://ubuntu.com/security/notices/USN-4019-2",
            "https://usn.ubuntu.com/4004-1/",
            "https://usn.ubuntu.com/4004-2/",
            "https://usn.ubuntu.com/4019-1/",
            "https://usn.ubuntu.com/4019-2/",
            "https://www.cve.org/CVERecord?id=CVE-2019-8457",
            "https://www.oracle.com/security-alerts/cpuapr2020.html",
            "https://www.oracle.com/security-alerts/cpujan2020.html",
            "https://www.oracle.com/security-alerts/cpujul2020.html",
            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
            "https://www.sqlite.org/releaselog/3_28_0.html",
            "https://www.sqlite.org/src/info/90acdbfce9c08858"
          ],
          "PublishedDate": "2019-05-30T16:29:00Z",
          "LastModifiedDate": "2023-11-07T03:13:00Z"
        }`

Version

Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-12-11 18:11:01.766139561 +0000 UTC
  NextUpdate: 2023-12-12 00:11:01.76613918 +0000 UTC
  DownloadedAt: 2023-12-11 19:45:29.356522 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-12-11 00:49:01.121535103 +0000 UTC
  NextUpdate: 2023-12-14 00:49:01.121534983 +0000 UTC
  DownloadedAt: 2023-12-11 16:22:53.503885 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @cgargas
Thanks for your report!

Target OS
Debian 11.8

Debian 11 is "bullseye" - https://www.debian.org/News/2021/20210814.en.html
bullseys doesn't have fix for this CVE:

If you downloaded and installed version from another version of Debian, Trivy will not be able to detect this.
We check OS version for your image and only accept advisories for that version.

Regards, Dmitriy