
False negative for CVE-2023-29383

Open jackap opened this issue 6 months ago • 3 comments

Shadow 4.13 is vulnerable to CVE-2023-29383. The Docker container for python:3.10 comes with shadow 4.13 as a package dependency, but CVE-2023-29383 is not found.

Steps to reproduce:

  1. Verify shadow 4.13 is a package of python:3.10
docker scout cves python:3.10 --format spdx | grep "debian/shadow"
>     "referenceLocator": "pkg:deb/debian/shadow@1:4.13%2Bdfsg1-1?os_distro=bookworm&os_name=debian&os_version=12"
  2. Verify CVE-2023-29383 is not in the SBOM
docker scout cves python:3.10 --format spdx | grep "CVE-2023-29383"

Could this be a case of a false negative?

jackap avatar May 13 '25 09:05 jackap

As per Debian's own security team at https://security-tracker.debian.org/tracker/CVE-2023-29383, this is not treated as a Debian Security Advisory (DSA) (as indicated by [bookworm] - shadow <no-dsa> (Minor issue)). That's why Scout doesn't show this CVE.

cdupuis avatar May 13 '25 10:05 cdupuis

Thanks for your answer. Based on that, also https://security-tracker.debian.org/tracker/CVE-2023-3164 should not be treated as a vulnerability (Crash in CLI tool, no security impact) but it does. Am I missing something here?

jackap avatar May 13 '25 12:05 jackap

CVE-2023-3164 doesn't have the same structured metadata. Therefore it is not formally marked as no-dsa.

cdupuis avatar May 23 '25 15:05 cdupuis
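As an added example (not code from the scout-cli project or from either commenter), here is a small Python triage helper that applies the rule described in the two replies above: given a Debian security-tracker style JSON export and the purl from the SPDX output in the issue, it reports whether a CVE is suppressed by a structured no-dsa marker or is genuinely open. The tracker JSON layout and the `example-pkg` entry for CVE-2023-3164 are assumptions, and all data is constructed.

```python
import json
from urllib.parse import parse_qs, unquote

# Constructed sample in the assumed shape of the Debian security tracker's JSON
# export (https://security-tracker.debian.org/tracker/data/json): source
# package -> CVE -> "releases" -> suite. The "nodsa" key is the structured
# marker behind "<no-dsa> (Minor issue)"; the second entry deliberately lacks
# it. "example-pkg" is a placeholder, not the real package for CVE-2023-3164.
TRACKER_JSON = """{
  "shadow": {"CVE-2023-29383": {"releases": {"bookworm": {
      "status": "open", "urgency": "unimportant",
      "nodsa": "Minor issue", "nodsa_reason": "ignored"}}}},
  "example-pkg": {"CVE-2023-3164": {"releases": {"bookworm": {
      "status": "open", "urgency": "unimportant"}}}}
}"""


def load_tracker() -> dict:
    """Parse the (constructed) tracker export."""
    return json.loads(TRACKER_JSON)


def parse_deb_purl(purl: str):
    """Split pkg:deb/debian/<name>@<version>?os_distro=<suite>, as in the SPDX
    referenceLocator quoted in the issue, into (name, version, suite).
    Caveat: the tracker is keyed by source package, so a binary-package name
    in a purl may need mapping first (shadow happens to match)."""
    path, _, query = purl.partition("?")
    name, _, version = path.rsplit("/", 1)[1].partition("@")
    suite = parse_qs(query).get("os_distro", [None])[0]
    return name, unquote(version), suite


def classify(tracker: dict, package: str, cve: str, suite: str) -> str:
    """Verdict for one package/CVE/suite: "unknown" (no tracker entry),
    "fixed" (status resolved), "no-dsa" (structured marker, which the thread
    says Scout suppresses) or "open" (should be reported)."""
    rel = tracker.get(package, {}).get(cve, {}).get("releases", {}).get(suite)
    if rel is None:
        return "unknown"
    if rel.get("status") == "resolved":
        return "fixed"
    if "nodsa" in rel:
        return "no-dsa"
    return "open"


def triage(tracker: dict, purl: str, cves) -> dict:
    """Verdict per CVE for one SBOM package entry identified by its purl."""
    name, _version, suite = parse_deb_purl(purl)
    return {cve: classify(tracker, name, cve, suite) for cve in cves}
```

Running `triage(load_tracker(), "pkg:deb/debian/shadow@1:4.13%2Bdfsg1-1?os_distro=bookworm", ["CVE-2023-29383"])` yields `{'CVE-2023-29383': 'no-dsa'}`, i.e. the omission is explained by the tracker marker rather than by a scanner gap.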