anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0
8.43k stars 546 forks

Grype doesn't detect CVE-2021-43798 #534

Open awoodobvio opened 2 years ago

awoodobvio commented 2 years ago

What happened: Attempted to scan both the Grafana 8.2.2 Enterprise and Grafana 8.2.2 OSS releases and neither flagged this CVE. Verified that the CVE was present by using the blog post about it.

What you expected to happen: Grype was able to detect and report on this CVE from the docker image.

How to reproduce it (as minimally and precisely as possible):

mkdir ${PWD}/work
docker pull grafana/grafana-enterprise:8.2.2
docker save -o ${PWD}/work/grafana.tar grafana/grafana-enterprise:8.2.2
docker run --rm -v ${PWD}/work:/work anchore/grype /work/grafana.tar

Anything else we need to know?: https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/ https://j0vsec.com/post/cve-2021-43798/

Environment:

Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

spiffcs commented 2 years ago

Hey @awoodsprim I was able to recreate this locally with the information you provided.

I validated that CVE-2021-43798 is in the grype database so I'll start digging into why this is not surfacing a match.

Thanks for the report!

spiffcs commented 2 years ago

So digging into this a bit more I think I'm starting to understand the mismatch.

Here are the current CPEs that match for the vulnerability in the vulnerability database:

Can fetch the DB from here:

https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v3_2021-12-13T08:14:38Z.tar.gz
[
  "cpe:2.3:a:grafana:grafana:8.0.0:beta1:*:*:*:*:*:*",
  "cpe:2.3:a:grafana:grafana:8.0.0:beta2:*:*:*:*:*:*",
  "cpe:2.3:a:grafana:grafana:8.0.0:beta3:*:*:*:*:*:*",
  "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:grafana:grafana:8.3.0:*:*:*:*:*:*:*"
]

If you examine the SBOM generated when scanning grafana/grafana-enterprise:8.2.2 you can see that there are 13 matches for the string cpe:2.3:a:grafana.

alertmanager
go-mssqldb
grafana-aws-sdk
grafana-plugin-sdk-go
loki

I'm trying to see if there is a misalignment between the cpe to match being under grafana:grafana vs things like grafana:grafana-server where they would be picked up.
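To make the mismatch described in the comment above concrete, here is an added illustration (not Grype's own matcher and not part of this thread) of component-wise CPE 2.3 matching. The five vulnerability-record CPEs are the ones listed from the database above; the SBOM CPEs for the Go modules and the hypothetical CPE that a binary Grafana detector would emit for the 8.2.2 executable are constructed for the example. Real Grype additionally applies the record's version constraint rather than treating the wildcard version as match-anything, so this only shows the vendor/product side of the problem: every cataloged package sits under a grafana:<module> product, never grafana:grafana, so nothing lines up with the record until the Grafana binary itself appears in the SBOM.

```go
package main

import (
	"fmt"
	"strings"
)

// CPE holds the leading components of a CPE 2.3 formatted string.
type CPE struct {
	Part, Vendor, Product, Version, Update string
}

// ParseCPE splits "cpe:2.3:part:vendor:product:version:update:..." into fields.
// A formatted string has exactly 13 colon-separated components; escaped
// colons ("\:") inside a component are not handled here.
func ParseCPE(s string) (CPE, error) {
	f := strings.Split(s, ":")
	if len(f) != 13 || f[0] != "cpe" || f[1] != "2.3" {
		return CPE{}, fmt.Errorf("not a CPE 2.3 formatted string: %q", s)
	}
	return CPE{Part: f[2], Vendor: f[3], Product: f[4], Version: f[5], Update: f[6]}, nil
}

// fieldMatch treats "*" (ANY) on either side as a wildcard, otherwise compares
// case-insensitively, as CPE component comparison does.
func fieldMatch(a, b string) bool {
	return a == "*" || b == "*" || strings.EqualFold(a, b)
}

// Matches reports whether two CPEs agree on every compared component.
func (c CPE) Matches(o CPE) bool {
	return fieldMatch(c.Part, o.Part) &&
		fieldMatch(c.Vendor, o.Vendor) &&
		fieldMatch(c.Product, o.Product) &&
		fieldMatch(c.Version, o.Version) &&
		fieldMatch(c.Update, o.Update)
}

// VulnCPEs are the CPEs attached to CVE-2021-43798 in the database dump
// referenced in the thread.
var VulnCPEs = []string{
	"cpe:2.3:a:grafana:grafana:8.0.0:beta1:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana:8.0.0:beta2:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana:8.0.0:beta3:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana:8.3.0:*:*:*:*:*:*:*",
}

// BinaryGrafanaCPE is a hypothetical CPE for the Grafana 8.2.2 executable,
// i.e. what a binary detector would have to add to the SBOM (constructed).
const BinaryGrafanaCPE = "cpe:2.3:a:grafana:grafana:8.2.2:*:*:*:*:*:*:*"

// SampleSBOM is a constructed subset of the Go-module CPEs that the real SBOM
// reports under the grafana vendor; the versions are illustrative only.
var SampleSBOM = []string{
	"cpe:2.3:a:grafana:alertmanager:0.22.2:*:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:go-mssqldb:0.9.0:*:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana-aws-sdk:0.7.0:*:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana-plugin-sdk-go:0.114.0:*:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:loki:1.6.1:*:*:*:*:*:*:*",
}

// MatchingRecords returns the vulnerability CPEs that match one package CPE.
func MatchingRecords(pkg string) ([]string, error) {
	p, err := ParseCPE(pkg)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, v := range VulnCPEs {
		vc, err := ParseCPE(v)
		if err != nil {
			return nil, err
		}
		if vc.Matches(p) {
			hits = append(hits, v)
		}
	}
	return hits, nil
}

// Scan runs every SBOM CPE against the record and returns hits keyed by package CPE.
func Scan(sbom []string) (map[string][]string, error) {
	out := make(map[string][]string)
	for _, pkg := range sbom {
		hits, err := MatchingRecords(pkg)
		if err != nil {
			return nil, err
		}
		out[pkg] = hits
	}
	return out, nil
}

func main() {
	// The catalogued modules alone: no package CPE reaches grafana:grafana.
	res, _ := Scan(SampleSBOM)
	for pkg, hits := range res {
		fmt.Printf("%-64s %d match(es)\n", pkg, len(hits))
	}
	// With the binary-detected Grafana package added, the wildcard record matches.
	res, _ = Scan(append(SampleSBOM, BinaryGrafanaCPE))
	fmt.Printf("%-64s %d match(es)\n", BinaryGrafanaCPE, len(res[BinaryGrafanaCPE]))
}
```

Running it prints zero matches for each of the module CPEs and one match (the version-wildcard record) for the constructed grafana:grafana:8.2.2 CPE, which is the gap a binary detector closes.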

kzantow commented 1 year ago

I think we just need a "binary" Grafana detector for this. Thanks for the report.