
CVE-2021-40528 is reported as High severity when it is Medium severity #3925

Closed
yansifw opened this issue Mar 29, 2023 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. scan/vulnerability Issues relating to vulnerability scanning

Comments

@yansifw

yansifw commented Mar 29, 2023

Description

CVE-2021-40528 is being reported by trivy as High severity, when it is ranked as Medium/Moderate severity. Besides, that CVE is still flagged for https://oraclelinux.pkgs.org/8/ol8-baseos-latest-aarch64/libgcrypt-1.8.5-7.el8_6.aarch64.rpm.html latest version when it was already fixed (2021-06-28)

What did you expect to happen?

CVE-2021-40528 should be reported as Medium.

What happened instead?

CVE-2021-40528 was reported for a fixed version and with higher severity as mentioned above.

Output of run with -debug:

trivy image --debug --vuln-type os --severity HIGH,CRITICAL --ignore-unfixed --scanners vuln mysql:8.0
2023-03-29T15:45:32.139+0200	DEBUG	Severities: ["HIGH" "CRITICAL"]
2023-03-29T15:45:32.154+0200	DEBUG	cache dir: <split>
2023-03-29T15:45:32.155+0200	DEBUG	DB update was skipped because the local DB is the latest
2023-03-29T15:45:32.155+0200	DEBUG	DB Schema: 2, UpdatedAt: 2023-03-29 12:24:35.955154233 +0000 UTC, NextUpdate: 2023-03-29 18:24:35.955154033 +0000 UTC, DownloadedAt: 2023-03-29 12:41:33.305039 +0000 UTC
2023-03-29T15:45:32.155+0200	INFO	Vulnerability scanning is enabled
2023-03-29T15:45:32.155+0200	DEBUG	Vulnerability type:  [os]
2023-03-29T15:45:35.189+0200	DEBUG	Image ID: sha256:<split>
2023-03-29T15:45:35.189+0200	DEBUG	Diff IDs: [sha256:<split> sha256:<split> sha256:<split> sha256:<split> sha256:<split> sha256:<split> sha256:<split> sha256:<split> sha256:<split> sha256:<split> sha256:<split>]
2023-03-29T15:45:35.189+0200	DEBUG	Base Layers: [sha256:<split>]
2023-03-29T15:45:35.198+0200	INFO	Detected OS: oracle
2023-03-29T15:45:35.199+0200	INFO	Detecting Oracle Linux vulnerabilities...
2023-03-29T15:45:35.199+0200	DEBUG	Oracle Linux: os version: 8
2023-03-29T15:45:35.199+0200	DEBUG	Oracle Linux: the number of packages: 122

mysql:8.0 (oracle 8.7)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌───────────┬────────────────┬──────────┬───────────────────┬───────────────────────┬─────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Installed Version │     Fixed Version     │                            Title                            │
├───────────┼────────────────┼──────────┼───────────────────┼───────────────────────┼─────────────────────────────────────────────────────────────┤
│ libgcrypt │ CVE-2021-40528 │ HIGH     │ 1.8.5-7.el8_6     │ 10:1.8.5-7.el8_6_fips │ libgcrypt: ElGamal implementation allows plaintext recovery │
│           │                │          │                   │                       │ https://avd.aquasec.com/nvd/cve-2021-40528                  │
└───────────┴────────────────┴──────────┴───────────────────┴───────────────────────┴─────────────────────────────────────────────────────────────┘

Output of trivy -v:

trivy -v
Version: 0.38.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-29 12:24:35.955154233 +0000 UTC
  NextUpdate: 2023-03-29 18:24:35.955154033 +0000 UTC
  DownloadedAt: 2023-03-29 12:41:33.305039 +0000 UTC

Additional details (base image name, container registry info...):

@yansifw yansifw added the kind/bug Categorizes issue or PR as related to a bug. label Mar 29, 2023
@yansifw yansifw changed the title CVE-2021-40528 is reported as High severity when it is medium seveirty CVE-2021-40528 is reported as High severity when it is Medium severity Mar 29, 2023
@DmitriyLewen
Contributor

DmitriyLewen commented Mar 31, 2023

Hello @yansifw
Thanks for your report!

> GHSA-8m2v-68m9-q2c7 is being reported by trivy as High severity, when it is ranked as Medium/Moderate severity

For OS packages we use information from OS vendors. More information here.
Oracle marked this CVE as HIGH - https://linux.oracle.com/cve/CVE-2021-40528.html

> Besides, that CVE is still flagged for https://oraclelinux.pkgs.org/8/ol8-baseos-latest-aarch64/libgcrypt-1.8.5-7.el8_6.aarch64.rpm.html latest version when it was already fixed (2021-06-28)

We have already worked on splitting fips and similar packages for Oracle Linux (#221). But these changes require a lot of changes in DB. We didn't have time for this.
Until we add these changes you can skip CVE-2021-40528.

Regards, Dmitriy

@DmitriyLewen DmitriyLewen added the scan/vulnerability Issues relating to vulnerability scanning label Mar 31, 2023

The two points raised in this thread, the vendor severity differing from the NVD rating and a "fixed version" that is really a different package stream (the epoch-10 `_fips` build rather than an update to the installed `libgcrypt`), are both visible in trivy's JSON output and can be triaged automatically before deciding what to put in `.trivyignore`. The script below is an added example, not code from the trivy project or from anyone in this thread. It assumes the JSON shape of `trivy image -f json` (a `Results[].Vulnerabilities[]` list with `VendorSeverity` as a map of source name to integer 1..4, keyed by the same source named in `SeveritySource`); the report it parses is constructed inline to mirror the finding in this issue plus one ordinary finding, and `CVE-2099-0001` is a placeholder id, not a real CVE.

```python
"""Triage trivy JSON findings: flag vendor/NVD severity disagreement and
'fixed' versions that belong to a different package variant (e.g. *_fips).

Added example; assumes the trivy JSON layout described in the lead-in."""
import json
import re

SEVERITY_NAMES = {0: "UNKNOWN", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}

# Constructed sample in the shape of `trivy image -f json` output (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "mysql:8.0",
    "Results": [{
        "Target": "mysql:8.0 (oracle 8.7)",
        "Class": "os-pkgs",
        "Type": "oracle",
        "Vulnerabilities": [
            {
                "VulnerabilityID": "CVE-2021-40528",
                "PkgName": "libgcrypt",
                "InstalledVersion": "1.8.5-7.el8_6",
                "FixedVersion": "10:1.8.5-7.el8_6_fips",
                "Severity": "HIGH",
                "SeveritySource": "oracle-oval",
                "VendorSeverity": {"oracle-oval": 3, "nvd": 2},
            },
            {
                "VulnerabilityID": "CVE-2099-0001",  # constructed placeholder id
                "PkgName": "examplepkg",
                "InstalledVersion": "1.0-1.el8",
                "FixedVersion": "1.0-2.el8",
                "Severity": "HIGH",
                "SeveritySource": "oracle-oval",
                "VendorSeverity": {"oracle-oval": 3, "nvd": 3},
            },
        ],
    }],
})

# RPM "epoch:version-release"; epoch is optional, version never contains '-'.
_RPM_EVR = re.compile(r"^(?:(?P<epoch>\d+):)?(?P<version>[^-]+)-(?P<release>.+)$")


def split_evr(evr):
    """Split an RPM EVR string into (epoch, version, release); epoch defaults to 0."""
    m = _RPM_EVR.match(evr)
    if not m:
        return None
    return int(m.group("epoch") or 0), m.group("version"), m.group("release")


def fixed_is_other_variant(installed, fixed):
    """True when the 'fixed' version has the same upstream version and release
    base as the installed one but carries an epoch bump or a release suffix
    (e.g. _fips): that is a different package stream, not an update path."""
    i, f = split_evr(installed), split_evr(fixed)
    if i is None or f is None:
        return False
    ie, iv, ir = i
    fe, fv, fr = f
    same_base = iv == fv and fr.startswith(ir)
    return same_base and (fe > ie or fr != ir)


def triage(report_json):
    """Annotate every finding with vendor-vs-NVD severity and the variant check."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities", []):
            vendor_map = v.get("VendorSeverity", {})
            vendor = vendor_map.get(v.get("SeveritySource", ""), 0)
            nvd = vendor_map.get("nvd", 0)
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "reported": v.get("Severity"),
                "vendor": SEVERITY_NAMES.get(vendor, "UNKNOWN"),
                "nvd": SEVERITY_NAMES.get(nvd, "UNKNOWN"),
                # Only a disagreement when NVD actually has a rating.
                "severity_disagrees": nvd != 0 and vendor != nvd,
                "fix_is_other_variant": fixed_is_other_variant(
                    v["InstalledVersion"], v.get("FixedVersion", "")),
            })
    return findings


def ignore_entries(findings):
    """Lines for a .trivyignore file (one id per line, '#' comment lines) for
    findings whose only 'fix' is a different package variant."""
    lines = []
    for f in findings:
        if f["fix_is_other_variant"]:
            lines.append(f"# {f['pkg']}: fix for {f['id']} is a different package "
                         f"variant; re-check after the next DB update")
            lines.append(f["id"])
    return lines


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f)
    print("\n".join(ignore_entries(triage(SAMPLE_REPORT))))
```

Running it against real output (`trivy image -f json -o report.json mysql:8.0`, then `triage(open("report.json").read())`) separates findings that still need patching from the ones, like this one, where the reported fix is not an upgrade the installed package can take; those are the candidates for a temporary ignore entry, and the comment line records why so the entry is removed once the DB splits the variants.
<test>
fs = triage(SAMPLE_REPORT)
assert len(fs) == 2
assert fs[0]["id"] == "CVE-2021-40528"
assert fs[0]["vendor"] == "HIGH" and fs[0]["nvd"] == "MEDIUM"
assert fs[0]["severity_disagrees"] is True
assert fs[0]["fix_is_other_variant"] is True
assert fs[1]["severity_disagrees"] is False
assert fs[1]["fix_is_other_variant"] is False
assert fixed_is_other_variant("1.8.5-7.el8_6", "1.8.5-8.el8_6") is False
assert fixed_is_other_variant("1.8.5-7.el8_6", "not-a-version") is False or split_evr("not-a-version") is not None
assert split_evr("10:1.8.5-7.el8_6_fips") == (10, "1.8.5", "7.el8_6_fips")
assert split_evr("1.0-1.el8") == (0, "1.0", "1.el8")
entries = ignore_entries(fs)
assert entries[1] == "CVE-2021-40528" and entries[0].startswith("# libgcrypt")
assert len(entries) == 2
</test>
@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label May 31, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jun 21, 2023