Closed moon2263 closed 10 months ago
When I scanned the redis:7.0.11-alpine image with grype, the output was as below:

```json
{
  "vulnerability": {
    "id": "CVE-2022-0543",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0543",
    "namespace": "nvd:cpe",
    "severity": "Critical",
    "urls": [
      "http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html",
      "https://bugs.debian.org/1005787",
      "https://lists.debian.org/debian-security-announce/2022/msg00048.html",
      "https://security.netapp.com/advisory/ntap-20220331-0004/",
      "https://www.debian.org/security/2022/dsa-5081",
      "https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce"
    ],
    "description": "It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.",
    "cvss": [
      {
        "version": "2.0",
        "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
        "metrics": { "baseScore": 10, "exploitabilityScore": 10, "impactScore": 10 },
        "vendorMetadata": {}
      },
      {
        "version": "3.1",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "metrics": { "baseScore": 10, "exploitabilityScore": 3.9, "impactScore": 6 },
        "vendorMetadata": {}
      }
    ],
    "fix": { "versions": [], "state": "unknown" },
    "advisories": []
  },
  "relatedVulnerabilities": [],
  "matchDetails": [
    {
      "type": "cpe-match",
      "matcher": "stock-matcher",
      "searchedBy": {
        "namespace": "nvd:cpe",
        "cpes": [ "cpe:2.3:a:redis:redis:7.0.11:*:*:*:*:*:*:*" ]
      },
      "found": {
        "vulnerabilityID": "CVE-2022-0543",
        "versionConstraint": "none (unknown)",
        "cpes": [ "cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*" ]
      }
    }
  ],
  "artifact": {
    "name": "redis",
    "version": "7.0.11",
    "type": "binary",
    "locations": [
      {
        "path": "/usr/local/bin/redis-server",
        "layerID": "sha256:7936e9b38dabf03a21001015fa0c87fe0a895c24fbb25acbb305a5a03ef54594"
      }
    ],
    "language": "",
    "licenses": [],
    "cpes": [
      "cpe:2.3:a:redislabs:redis:7.0.11:*:*:*:*:*:*:*",
      "cpe:2.3:a:redis:redis:7.0.11:*:*:*:*:*:*:*"
    ],
    "purl": "pkg:generic/redis@7.0.11",
    "upstreams": []
  }
}
```
The results say the redis-server binary is affected by CVE-2022-0543. But I couldn't find a patched version. Is this CVE a false positive? Or if not, can you tell me which version is patched?
This seems like a false positive: CVE-2022-0543 only applies to the Debian packaging of Redis, which has nothing to do with this image.
@yossigo Thank you for the reply!
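One way to triage matches of this shape in grype's JSON output, as an added example that is not part of the issue or of grype itself: it flags matches that rest only on a `cpe-match` against an unversioned CPE (`-` in the version field) with a `versionConstraint` of `none (unknown)`, which is exactly what the match above shows. The field names are grype's own; `SAMPLE_GRYPE_OUTPUT`, `cpe_version` and `low_confidence_matches` are names chosen here, and the sample input is a constructed, cut-down copy of the match in the issue.

```python
import json

# Constructed sample: a cut-down copy of the match from the issue, in the
# shape grype emits (top-level "matches" list). Field names are grype's own.
SAMPLE_GRYPE_OUTPUT = json.dumps({
    "matches": [{
        "vulnerability": {"id": "CVE-2022-0543", "severity": "Critical",
                          "fix": {"versions": [], "state": "unknown"}},
        "matchDetails": [{
            "type": "cpe-match",
            "matcher": "stock-matcher",
            "found": {
                "vulnerabilityID": "CVE-2022-0543",
                "versionConstraint": "none (unknown)",
                "cpes": ["cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*"],
            },
        }],
        "artifact": {"name": "redis", "version": "7.0.11", "type": "binary"},
    }]
})


def cpe_version(cpe: str) -> str:
    """Return the version field (6th colon-separated field) of a CPE 2.3 string."""
    return cpe.split(":")[5]


def low_confidence_matches(grype_json: str) -> list:
    """Return matches that rest only on an unversioned CPE with no constraint.

    A cpe-match whose found CPE carries '-' or '*' as its version, and whose
    versionConstraint is 'none (unknown)', is not pinned to any version
    range in the database, so it needs manual triage before being trusted.
    """
    flagged = []
    for match in json.loads(grype_json).get("matches", []):
        details = match.get("matchDetails", [])
        if not details or any(d.get("type") != "cpe-match" for d in details):
            continue  # backed by a package/distro match: treat as credible
        found = details[0].get("found", {})
        cpes = found.get("cpes", [])
        unversioned = bool(cpes) and all(cpe_version(c) in ("-", "*") for c in cpes)
        if unversioned and found.get("versionConstraint", "").startswith("none"):
            art = match["artifact"]
            flagged.append({"id": match["vulnerability"]["id"],
                            "package": f"{art['name']}@{art['version']}",
                            "reason": "unversioned CPE match with no version constraint"})
    return flagged
```

Flagged entries are candidates for manual review; once confirmed as false positives they can be suppressed with grype's `ignore` rules in `.grype.yaml` rather than by lowering the scan's severity threshold.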