greenbone / gvmd

Greenbone Vulnerability Manager - The database backend for the Greenbone Community Edition
GNU Affero General Public License v3.0

CVE-scan seems to not be able to handle “Running on/with” constraint #2258

Open FairFight24 opened 4 months ago

FairFight24 commented 4 months ago

Expected behavior

CVE-2015-8960 is showing up when CVE-scanning, for a lot of scans. I would expect CVE-2015-8960 not to show up when the only matching CPE is cpe:/a:ietf:transport_layer_security:1.2.

Actual behavior

The CVE shows up, even though there are not any other matching CPEs. It seems like the CPE scanner does not honor “Running on/with” constraints. https://nvd.nist.gov/vuln/detail/CVE-2015-8960

Steps to reproduce

  1. Start a scan of a target that uses TLS 1.2
  2. After the scan is finished, start a CVE-scan
  3. The results should now show CVE-2015-8960 as being present, even though it is not running with any of the other mentioned CPEs.

GVM versions

gsa: 22.09.0

gvm: 23.2.0

openvas-scanner: 23.0.1

gvm-libs: 22.8.0

Environment

Operating system: Linux localhost 6.1.0-22-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.94-1 (2024-06-21) x86_64 GNU/Linux

Installation method / source: source installation
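
The expected behaviour described in the report above, as an added example that is not part of the original post and is not gvmd's code: a small evaluator for an AND-combined applicability configuration, next to a hypothetical matcher that ignores the operator. The configuration layout, the function names and the `example` CPEs are constructed assumptions; only the TLS 1.2 CPE comes from the report, and matching is by exact CPE string only.

```python
# Added illustration, not gvmd code. The configuration below is a constructed,
# simplified model of a "Running on/with" constraint: an AND of two OR groups.
TLS12 = "cpe:/a:ietf:transport_layer_security:1.2"  # CPE quoted in the report

CONFIG = {
    "operator": "AND",
    "nodes": [
        # Group 1: the product flagged as vulnerable.
        {"operator": "OR", "match": [{"cpe": TLS12, "vulnerable": True}]},
        # Group 2: platforms it must be running on/with (constructed names).
        {"operator": "OR", "match": [
            {"cpe": "cpe:/a:example:client_a:1.0", "vulnerable": False},
            {"cpe": "cpe:/a:example:client_b:2.0", "vulnerable": False},
        ]},
    ],
}


def node_matches(node, host_cpes):
    """Evaluate one group against the set of CPEs detected on the host."""
    hits = [m["cpe"] in host_cpes for m in node["match"]]
    return all(hits) if node["operator"] == "AND" else any(hits)


def strict_match(config, host_cpes):
    """Honor the top-level operator: with AND, every group must match."""
    results = [node_matches(n, host_cpes) for n in config["nodes"]]
    return all(results) if config["operator"] == "AND" else any(results)


def naive_match(config, host_cpes):
    """Hypothetical matcher that ignores the constraint: any vulnerable CPE
    present on the host is enough. This yields the result the report describes."""
    return any(m["vulnerable"] and m["cpe"] in host_cpes
               for n in config["nodes"] for m in n["match"])


if __name__ == "__main__":
    host = {TLS12}  # constructed host inventory: only TLS 1.2 detected
    print("naive :", naive_match(CONFIG, host))   # constraint ignored
    print("strict:", strict_match(CONFIG, host))  # constraint honored
```
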

bigahuna commented 4 months ago

Same here, there are lots of false alarms for the 9-year-old CVE-2015-8960 on up-to-date Rocky9 and Debian 12 machines.