
Grype doesn't detect CVE-2021-43798

Open awoodobvio opened this issue 3 years ago • 3 comments

What happened: Attempted to scan both the Grafana 8.2.2 Enterprise and Grafana 8.2.2 OSS releases and neither flagged this CVE. Verified that the CVE was present by using the blog post about it.

What you expected to happen: Grype was able to detect and report on this CVE from the docker image.

How to reproduce it (as minimally and precisely as possible):

mkdir ${PWD}/work
docker pull grafana/grafana-enterprise:8.2.2
docker save -o ${PWD}/work/grafana.tar grafana/grafana-enterprise:8.2.2
docker run --rm -v ${PWD}/work:/work anchore/grype /work/grafana.tar

Anything else we need to know?:

https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/
https://j0vsec.com/post/cve-2021-43798/

Environment:

  • Output of grype version:

    Application: grype
    Version: 0.27.0
    Syft Version: v0.32.0
    BuildDate: 2021-12-08T22:17:50Z
    GitCommit: e62186725b8bfe3faddb78fa82b1ca44c747c9b6
    GitTreeState: clean
    Platform: linux/amd64
    GoVersion: go1.16.10
    Compiler: gc
    Supported DB Schema: 3

  • OS: Windows 10, WSL 2 environment on Ubuntu; lsb_release -a:

    Distributor ID: Ubuntu
    Description: Ubuntu 20.04.3 LTS
    Release: 20.04
    Codename: focal

awoodobvio avatar Dec 13 '21 15:12 awoodobvio

Hey @awoodsprim I was able to recreate this locally with the information you provided.

I validated that CVE-2021-43798 is in the grype database so I'll start digging into why this is not surfacing a match.

Thanks for the report!

spiffcs avatar Dec 13 '21 17:12 spiffcs

So digging into this a bit more I think I'm starting to understand the mismatch.

Here are the current CPEs that match the vulnerability in the vulnerability database:

Can fetch the DB from here:

https://toolbox-data.anchore.io/grype/databases/vulnerability-db_v3_2021-12-13T08:14:38Z.tar.gz
[
  "cpe:2.3:a:grafana:grafana:8.0.0:beta1:*:*:*:*:*:*",
  "cpe:2.3:a:grafana:grafana:8.0.0:beta2:*:*:*:*:*:*",
  "cpe:2.3:a:grafana:grafana:8.0.0:beta3:*:*:*:*:*:*",
  "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
  "cpe:2.3:a:grafana:grafana:8.3.0:*:*:*:*:*:*:*"
]

If you examine the SBOM generated when scanning grafana/grafana-enterprise:8.2.2 you can see that there are 13 matches for the string cpe:2.3:a:grafana.

alertmanager
go-mssqldb
grafana-aws-sdk
grafana-plugin-sdk-go
loki

I'm trying to see if there is a misalignment between the cpe to match being under grafana:grafana vs things like grafana:grafana-server where they would be picked up.

spiffcs avatar Dec 13 '21 18:12 spiffcs

I think we just need a "binary" Grafana detector for this. Thanks for the report.

kzantow avatar Jan 26 '23 21:01 kzantow
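The following Go program is an added example, not grype's or syft's code, that models the mismatch spiffcs describes and what kzantow's suggested binary detector would change. It parses the five vulnerability CPEs quoted from the DB above, compares them attribute by attribute (a `*` on either side matches anything) against a constructed SBOM whose package CPEs use the product names listed in the thread with illustrative version numbers, and shows that none of them match because the product is `alertmanager`, `loki` and so on rather than `grafana`. Adding the one CPE a binary detector would emit for the Grafana server itself (`cpe:2.3:a:grafana:grafana:8.2.2:*...`) makes the wildcard DB entry match. The version range it then applies (8.0.0-beta1 through 8.3.0, fixed in 8.3.1) is taken from the Grafana advisory linked in the issue, not from the grype record, and stands in for the version constraint grype stores with the vulnerability; the `Cpe`, `Matches`, `MatchingPackages` and `Affected` names are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Cpe holds the first five attributes of a CPE 2.3 formatted string. The
// remaining attributes are wildcards in every CPE on this thread and are ignored.
type Cpe struct {
	Part, Vendor, Product, Version, Update string
}

// ParseCpe splits a CPE 2.3 formatted string into its attributes. Escaped
// colons (\:) are not handled; none of the CPEs in the thread contain them.
func ParseCpe(s string) (Cpe, error) {
	f := strings.Split(s, ":")
	if len(f) != 13 || f[0] != "cpe" || f[1] != "2.3" {
		return Cpe{}, fmt.Errorf("not a CPE 2.3 formatted string: %q", s)
	}
	return Cpe{Part: f[2], Vendor: f[3], Product: f[4], Version: f[5], Update: f[6]}, nil
}

// attrMatch: a wildcard on either side matches; otherwise compare case-insensitively.
func attrMatch(a, b string) bool {
	return a == "*" || b == "*" || strings.EqualFold(a, b)
}

// Matches reports whether a vulnerability CPE matches a package CPE.
func Matches(vuln, pkg Cpe) bool {
	return attrMatch(vuln.Part, pkg.Part) &&
		attrMatch(vuln.Vendor, pkg.Vendor) &&
		attrMatch(vuln.Product, pkg.Product) &&
		attrMatch(vuln.Version, pkg.Version) &&
		attrMatch(vuln.Update, pkg.Update)
}

// VulnCpes are the five CPEs spiffcs quoted from the grype DB for CVE-2021-43798.
var VulnCpes = []string{
	"cpe:2.3:a:grafana:grafana:8.0.0:beta1:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana:8.0.0:beta2:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana:8.0.0:beta3:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana:8.3.0:*:*:*:*:*:*:*",
}

// SbomCpes are constructed for this example from the product names spiffcs
// listed; the version numbers are illustrative, not read from the real image.
var SbomCpes = []string{
	"cpe:2.3:a:grafana:alertmanager:0.23.0:*:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:go-mssqldb:0.9.1:*:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana-aws-sdk:0.7.0:*:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:grafana-plugin-sdk-go:0.114.0:*:*:*:*:*:*:*",
	"cpe:2.3:a:grafana:loki:1.6.1:*:*:*:*:*:*:*",
}

// MatchingPackages returns the package CPEs matched by at least one vulnerability CPE.
func MatchingPackages(pkgCpes, vulnCpes []string) ([]string, error) {
	var matched []string
	for _, p := range pkgCpes {
		pkg, err := ParseCpe(p)
		if err != nil {
			return nil, err
		}
		for _, v := range vulnCpes {
			vuln, err := ParseCpe(v)
			if err != nil {
				return nil, err
			}
			if Matches(vuln, pkg) {
				matched = append(matched, p)
				break
			}
		}
	}
	return matched, nil
}

// versionKey turns "8.2.2" plus the CPE update attribute into a comparable slice.
// A pre-release update such as "beta1" sorts before the final release of the
// same number (trailing -1 instead of 0).
func versionKey(version, update string) ([]int, error) {
	var key []int
	for _, p := range strings.Split(version, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("non-numeric version component %q in %q", p, version)
		}
		key = append(key, n)
	}
	if update == "*" || update == "" || update == "-" {
		key = append(key, 0)
	} else {
		key = append(key, -1)
	}
	return key, nil
}

func compareKeys(a, b []int) int {
	for i := 0; i < len(a) && i < len(b); i++ {
		if a[i] != b[i] {
			if a[i] < b[i] {
				return -1
			}
			return 1
		}
	}
	return len(a) - len(b)
}

// Affected applies the range from the Grafana advisory linked in the issue
// (assumption, not the grype record): 8.0.0-beta1 through 8.3.0 inclusive.
func Affected(version, update string) (bool, error) {
	v, err := versionKey(version, update)
	if err != nil {
		return false, err
	}
	lo, _ := versionKey("8.0.0", "beta1")
	hi, _ := versionKey("8.3.0", "*")
	return compareKeys(lo, v) <= 0 && compareKeys(v, hi) <= 0, nil
}

func main() {
	got, _ := MatchingPackages(SbomCpes, VulnCpes)
	fmt.Println("matches from the SBOM as generated:", got)
	// What a binary detector for the Grafana server would add to the SBOM.
	withBinary := append(append([]string{}, SbomCpes...), "cpe:2.3:a:grafana:grafana:8.2.2:*:*:*:*:*:*:*")
	got, _ = MatchingPackages(withBinary, VulnCpes)
	fmt.Println("matches with a grafana:grafana CPE:", got)
	hit, _ := Affected("8.2.2", "*")
	fmt.Println("8.2.2 inside the advisory's affected range:", hit)
}
```

The first call returns no matches even though the DB carries a wildcard `grafana:grafana:*` entry, because every package CPE in the SBOM has a different product attribute; the wildcard only helps once something in the SBOM identifies the Grafana binary as `grafana:grafana`, which is exactly what a binary detector provides.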