False Positive: GHSA-f9vj-2wh5-fj8j (CVE-2024-49766) NOT affected in SUSE 15 SP6 and SP5 #2566

Open
sekveaja opened this issue Mar 27, 2025 · 0 comments
Labels: bug (Something isn't working), false-positive

sekveaja commented Mar 27, 2025

What happened:

Scanning an image that has python3-Werkzeug-1.0.1-150300.3.8.1.noarch and python311-Werkzeug-2.3.6-150400.6.12.1 installed generates the following vulnerabilities:

NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
werkzeug  1.0.1      3.0.3     python  GHSA-2g68-c3qc-8985  High
werkzeug  1.0.1      2.2.3     python  GHSA-xg9f-g7g7-2323  High
werkzeug  1.0.1      3.0.6     python  GHSA-f9vj-2wh5-fj8j  Medium    --> CVE-2024-49766
werkzeug  1.0.1      2.3.8     python  GHSA-hrfv-mqp8-q5rw  Medium
werkzeug  1.0.1      3.0.6     python  GHSA-q34m-jh98-gwm2  Medium
werkzeug  1.0.1      2.2.3     python  GHSA-px8h-6qxv-m22q  Low
werkzeug  2.3.6      3.0.3     python  GHSA-2g68-c3qc-8985  High
werkzeug  2.3.6      3.0.6     python  GHSA-f9vj-2wh5-fj8j  Medium
werkzeug  2.3.6      2.3.8     python  GHSA-hrfv-mqp8-q5rw  Medium
werkzeug  2.3.6      3.0.6     python  GHSA-q34m-jh98-gwm2  Medium

What you expected to happen:

According to the SUSE security advisory, SLES 15 SP6 and SP5 are not affected.

https://www.suse.com/security/cve/CVE-2024-49766.html

SUSE Linux Enterprise Desktop 15 SP5   python-Werkzeug   Not affected
SUSE Linux Enterprise Desktop 15 SP6   python-Werkzeug   Not affected

Compared with the OS vendor's assessment, it is not affected. Therefore, it is a false positive.

How to reproduce it (as minimally and precisely as possible):

Create the Dockerfile with this content:
FROM registry.suse.com/suse/sle15:15.6
RUN zypper in -y --no-recommends python3-Werkzeug=1.0.1-150300.3.8.1
RUN zypper in -y --no-recommends python311-Werkzeug=2.3.6-150400.6.12.1

ENTRYPOINT [""]
CMD ["bash"]

Build an image from the Dockerfile:
$ docker build --network=host -t "suse15.6_python-werkzeug:v1" .

Test with Grype now:
$ grype --distro sles:15.6 suse15.6_python-werkzeug:v1

NAME      INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
werkzeug  1.0.1      3.0.3     python  GHSA-2g68-c3qc-8985  High
werkzeug  1.0.1      2.2.3     python  GHSA-xg9f-g7g7-2323  High
werkzeug  1.0.1      3.0.6     python  GHSA-f9vj-2wh5-fj8j  Medium    (problem is reproduced)
werkzeug  1.0.1      2.3.8     python  GHSA-hrfv-mqp8-q5rw  Medium
werkzeug  1.0.1      3.0.6     python  GHSA-q34m-jh98-gwm2  Medium
werkzeug  1.0.1      2.2.3     python  GHSA-px8h-6qxv-m22q  Low
werkzeug  2.3.6      3.0.3     python  GHSA-2g68-c3qc-8985  High
werkzeug  2.3.6      3.0.6     python  GHSA-f9vj-2wh5-fj8j  Medium
werkzeug  2.3.6      2.3.8     python  GHSA-hrfv-mqp8-q5rw  Medium
werkzeug  2.3.6      3.0.6     python  GHSA-q34m-jh98-gwm2  Medium

Environment:
$ grype --version
grype 0.88.0

Inside the container image:
NAME="SLES"
VERSION="15-SP6"
VERSION_ID="15.6"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP6"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp6"
DOCUMENTATION_URL="https://documentation.suse.com/"

@sekveaja sekveaja added the bug Something isn't working label Mar 27, 2025
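The cross-check the reporter did by hand (take each Grype match, find its CVE alias, look the CVE up in the vendor's advisory, and treat a "Not affected" verdict for the scanned distro as a false positive) can be done mechanically over Grype's JSON output. The script below is an added example and is not part of this issue or of the Grype project. It assumes the field names of `grype -o json` (a top-level `distro` object and a `matches` list whose entries carry `vulnerability.id`, `relatedVulnerabilities[].id` and `artifact.name/version/type`), uses a constructed vendor table standing in for the SUSE CVE page rather than fetching it, and emits the suppressed matches as a Grype `ignore:` block pinned to package name, version and type so the rule cannot silently hide the same advisory on a different package or version:

```python
"""Triage grype JSON findings against a vendor 'Not affected' table.

Added example; not code from the grype project. Field names are assumed
from `grype -o json`; the vendor verdicts are a constructed stand-in for
https://www.suse.com/security/cve/CVE-2024-49766.html (its "Not affected" rows).
"""
import json

# Constructed: vendor verdicts keyed by (distro name, distro version) -> set of CVE ids.
VENDOR_NOT_AFFECTED = {
    ("sles", "15.5"): {"CVE-2024-49766"},
    ("sles", "15.6"): {"CVE-2024-49766"},
}

# Constructed, trimmed grype report: three of the matches shown in the issue.
# Only the GHSA-f9vj-2wh5-fj8j -> CVE-2024-49766 alias given in the issue is
# filled in; the third match has its alias list left empty on purpose.
SAMPLE_REPORT = {
    "distro": {"name": "sles", "version": "15.6"},
    "matches": [
        {
            "vulnerability": {"id": "GHSA-f9vj-2wh5-fj8j", "severity": "Medium"},
            "relatedVulnerabilities": [{"id": "CVE-2024-49766"}],
            "artifact": {"name": "werkzeug", "version": "1.0.1", "type": "python"},
        },
        {
            "vulnerability": {"id": "GHSA-f9vj-2wh5-fj8j", "severity": "Medium"},
            "relatedVulnerabilities": [{"id": "CVE-2024-49766"}],
            "artifact": {"name": "werkzeug", "version": "2.3.6", "type": "python"},
        },
        {
            "vulnerability": {"id": "GHSA-2g68-c3qc-8985", "severity": "High"},
            "relatedVulnerabilities": [],
            "artifact": {"name": "werkzeug", "version": "1.0.1", "type": "python"},
        },
    ],
}


def load_report(path):
    """Read a `grype -o json` report from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def cve_aliases(match):
    """All CVE identifiers a grype match can be mapped to (the match id itself
    when it is a CVE, plus every related vulnerability that is a CVE)."""
    ids = {match["vulnerability"]["id"]}
    ids.update(rv["id"] for rv in match.get("relatedVulnerabilities", []))
    return {i for i in ids if i.startswith("CVE-")}


def triage(report):
    """Split report matches into (kept, suppressed).

    A match is suppressed only when it has at least one CVE alias and every
    alias is marked 'Not affected' by the vendor for the scanned distro.
    A match with no CVE alias is kept: there is nothing to check it against,
    and an unverifiable finding must not be dropped.
    """
    distro = (report["distro"]["name"], report["distro"]["version"])
    not_affected = VENDOR_NOT_AFFECTED.get(distro, set())
    kept, suppressed = [], []
    for match in report["matches"]:
        cves = cve_aliases(match)
        if cves and cves <= not_affected:
            suppressed.append(match)
        else:
            kept.append(match)
    return kept, suppressed


def ignore_rules(suppressed):
    """Render suppressed matches as a grype `ignore:` configuration block,
    one rule per (vulnerability, package name, version, type) tuple."""
    lines = ["ignore:"]
    seen = set()
    for match in suppressed:
        art = match["artifact"]
        key = (match["vulnerability"]["id"], art["name"], art["version"], art["type"])
        if key in seen:
            continue
        seen.add(key)
        lines += [
            f"  - vulnerability: {key[0]}",
            "    package:",
            f"      name: {key[1]}",
            f"      version: {key[2]}",
            f"      type: {key[3]}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_REPORT)
    for m in suppressed:
        print("suppressed:", m["vulnerability"]["id"], m["artifact"]["name"], m["artifact"]["version"])
    for m in kept:
        print("kept:      ", m["vulnerability"]["id"], m["artifact"]["name"], m["artifact"]["version"])
    print(ignore_rules(suppressed))
```

Run it against a real scan with `grype --distro sles:15.6 -o json <image> > report.json` and `triage(load_report("report.json"))`; the generated `ignore:` block can be dropped into `.grype.yaml`. The deliberate asymmetry is that a match is only ever suppressed when every CVE alias is vendor-cleared for the exact distro version Grype recorded, so advisories with no CVE mapping, or a scan of a distro version the vendor has not assessed, stay in the report.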