grype
False positive CVE-2021-29281 GFI Mail Archiver matching archiverjs/node-archiver
What happened: We have node-archiver in our dependencies. When scanning our repository we get a false positive on GFI Mail Archiver
```
NAME      INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
archiver  5.3.0      15.2      npm   CVE-2021-29281  Critical
```
Looks like it matched the following CPEs:
```json
"cpes": [
  "cpe:2.3:a:archiver:archiver:5.3.0:*:*:*:*:*:*:*",
  "cpe:2.3:a:*:archiver:5.3.0:*:*:*:*:*:*:*"
],
```
What you expected to happen: I expect node-archiver not to match CVEs against "GFI Mail Archiver". Such as CVE-2021-29281.
How to reproduce it (as minimally and precisely as possible): Create a node project, add chainsaw 5.3.0 to your dependencies, scan.
Anything else we need to know?: Full match object
```json
{
  "vulnerability": {
    "id": "CVE-2021-29281",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-29281",
    "namespace": "nvd:cpe",
    "severity": "Critical",
    "urls": [
      "https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload",
      "https://www.exploit-db.com/exploits/50181",
      "https://cwe.mitre.org/data/definitions/434.html",
      "https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver",
      "https://aminbohio.com/gfi-mail-archiver-15-1-telerik-ui-component-arbitrary-file-upload-unauthenticated-exploit/"
    ],
    "description": "File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.",
    "cvss": [
      {
        "version": "2.0",
        "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
        "metrics": {
          "baseScore": 7.5,
          "exploitabilityScore": 10,
          "impactScore": 6.4
        },
        "vendorMetadata": {}
      },
      {
        "version": "3.1",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "metrics": {
          "baseScore": 9.8,
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        },
        "vendorMetadata": {}
      }
    ],
    "fix": {
      "versions": [
        "15.2"
      ],
      "state": "fixed"
    },
    "advisories": []
  },
  "relatedVulnerabilities": [],
  "matchDetails": [
    {
      "type": "cpe-match",
      "matcher": "javascript-matcher",
      "searchedBy": {
        "namespace": "nvd:cpe",
        "cpes": [
          "cpe:2.3:a:*:archiver:5.3.0:*:*:*:*:*:*:*"
        ]
      },
      "found": {
        "versionConstraint": "< 15.2 (unknown)",
        "cpes": [
          "cpe:2.3:a:gfi:archiver:*:*:*:*:*:*:*:*"
        ]
      }
    }
  ],
  "artifact": {
    "name": "archiver",
    "version": "5.3.0",
    "type": "npm",
    "locations": [
      {
        "path": "/app/node_modules/archiver/package.json",
        "layerID": "sha256:a10127f692e4bab8340396c6053bad2f50c11afda310829af08d6fdf522dfc92"
      }
    ],
    "language": "javascript",
    "licenses": [
      "MIT"
    ],
    "cpes": [
      "cpe:2.3:a:archiver:archiver:5.3.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:*:archiver:5.3.0:*:*:*:*:*:*:*"
    ],
    "purl": "pkg:npm/archiver@5.3.0",
    "upstreams": []
  }
}
```
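The `searchedBy` / `found` pair above is the whole story: the wildcard-vendor CPE grype generated for the npm package matches GFI's product CPE because `*` stands in for any vendor. The following is an added example, not grype's own matcher, that reproduces that comparison attribute by attribute on the CPEs and version constraint from this report, and shows that a single vendor-aware rule (a hypothetical `require_vendor` policy) would keep node-archiver from matching GFI Archiver.

```python
# Added example, not grype's own code: a minimal CPE 2.3 matcher that
# reproduces why the wildcard-vendor CPE grype generated for npm
# "archiver" 5.3.0 matches GFI Archiver's CPE, and shows a vendor-aware
# policy that would not. Colons inside attribute values are not handled.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

# CPEs and constraint copied from the match object in this report.
PACKAGE_CPES = [
    "cpe:2.3:a:archiver:archiver:5.3.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:*:archiver:5.3.0:*:*:*:*:*:*:*",
]
GFI_CPE = "cpe:2.3:a:gfi:archiver:*:*:*:*:*:*:*:*"
GFI_CONSTRAINT = "< 15.2 (unknown)"


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its eleven named attributes."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(FIELDS, parts[2:]))

def attr_matches(a: str, b: str) -> bool:
    """An attribute matches when either side is ANY ('*') or both are equal."""
    return a == "*" or b == "*" or a.lower() == b.lower()

def cpe_matches(package_cpe: str, vuln_cpe: str, require_vendor: bool = False) -> bool:
    """Attribute-by-attribute match. With require_vendor=True (hypothetical policy),
    a wildcard package vendor may not stand in for a concrete vulnerability vendor."""
    p, v = parse_cpe(package_cpe), parse_cpe(vuln_cpe)
    if require_vendor and p["vendor"] == "*" and v["vendor"] != "*":
        return False
    return all(attr_matches(p[f], v[f]) for f in FIELDS)

def version_below(version: str, constraint: str) -> bool:
    """Evaluate a '< X (format)' constraint as grype prints it, by numeric tuple."""
    op, bound = constraint.split(" (")[0].split()
    if op != "<":
        raise ValueError(f"unsupported constraint: {constraint}")
    return tuple(map(int, version.split("."))) < tuple(map(int, bound.split(".")))

def matching_cpes(package_cpes, vuln_cpe, require_vendor=False):
    """Return the package CPEs that would trigger the vulnerability match."""
    return [c for c in package_cpes if cpe_matches(c, vuln_cpe, require_vendor)]
```

Until the generated CPEs change, the grype-native way to silence a confirmed false positive like this one is an `ignore` rule in `.grype.yaml` keyed on the vulnerability id and the package name.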
Environment:
- Output of `grype version`:
```
Application: grype
Version: 0.48.0
Syft Version: v0.54.0
BuildDate: 2022-08-24T15:42:08Z
GitCommit: e9df59b4b1bd56c370500b5072eeace3ab51f8b3
GitDescription: v0.48.0
Platform: linux/amd64
GoVersion: go1.18.5
Compiler: gc
Supported DB Schema: 4
```
- OS (e.g. `cat /etc/os-release` or similar):
```
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.17_alpha20220715
PRETTY_NAME="Alpine Linux edge"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
```