Software vuln count off
Fleet version: v4.65.0
Web browser and operating system:
💥 Actual behavior
API call:
/api/latest/fleet/vulnerabilities?team_id=8&order_key=hosts_count&order_direction=desc&page=0&per_page=20&exploit=true&query=202
(Yes, 202 is the query, I was going for a year and just typed 202)
API returning:
{
"vulnerabilities": [
{
"cve": "CVE-2024-44308",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44308",
"cvss_score": 8.8,
"epss_probability": 0.0549,
"cisa_known_exploit": true,
"cve_published": "2024-11-20T00:15:00Z",
"cve_description": "The issue was addressed with improved checks. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.",
"hosts_count": 50,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-17T18:25:02Z"
},
{
"cve": "CVE-2025-24201",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24201",
"cvss_score": 8.8,
"epss_probability": 0.00206,
"cisa_known_exploit": true,
"cve_published": "2025-03-11T18:15:00Z",
"cve_description": "An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).",
"hosts_count": 50,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2025-03-12T14:06:31Z"
},
{
"cve": "CVE-2025-24085",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-24085",
"cvss_score": 7.8,
"epss_probability": 0.07839,
"cisa_known_exploit": true,
"cve_published": "2025-01-27T22:15:00Z",
"cve_description": "A use after free issue was addressed with improved memory management. This issue is fixed in visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3. A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2.",
"hosts_count": 50,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2025-01-28T15:26:19Z"
},
{
"cve": "CVE-2024-23222",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23222",
"cvss_score": 8.8,
"epss_probability": 0.00132,
"cisa_known_exploit": true,
"cve_published": "2024-01-23T01:15:00Z",
"cve_description": "A type confusion issue was addressed with improved checks. This issue is fixed in iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, tvOS 17.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.",
"hosts_count": 49,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-30T16:25:00Z"
},
{
"cve": "CVE-2024-23296",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23296",
"cvss_score": 7.8,
"epss_probability": 0.05242,
"cisa_known_exploit": true,
"cve_published": "2024-03-05T20:16:00Z",
"cve_description": "A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.",
"hosts_count": 49,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-30T16:25:00Z"
},
{
"cve": "CVE-2024-23225",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-23225",
"cvss_score": 7.8,
"epss_probability": 0.05242,
"cisa_known_exploit": true,
"cve_published": "2024-03-05T20:16:00Z",
"cve_description": "A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.",
"hosts_count": 49,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-30T16:25:00Z"
},
{
"cve": "CVE-2023-23397",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-23397",
"cvss_score": 9.8,
"epss_probability": 0.93567,
"cisa_known_exploit": true,
"cve_published": "2023-03-14T17:15:00Z",
"cve_description": "Microsoft Outlook Elevation of Privilege Vulnerability",
"hosts_count": 8,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-30T16:24:53Z"
},
{
"cve": "CVE-2023-35311",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-35311",
"cvss_score": 8.8,
"epss_probability": 0.24384,
"cisa_known_exploit": true,
"cve_published": "2023-07-11T18:15:00Z",
"cve_description": "Microsoft Outlook Security Feature Bypass Vulnerability",
"hosts_count": 8,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-30T16:24:56Z"
},
{
"cve": "CVE-2024-38226",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38226",
"cvss_score": 7.3,
"epss_probability": 0.70819,
"cisa_known_exploit": true,
"cve_published": "2024-09-10T17:15:00Z",
"cve_description": "Microsoft Publisher Security Feature Bypass Vulnerability",
"hosts_count": 7,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-30T16:24:57Z"
},
{
"cve": "CVE-2023-36761",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-36761",
"cvss_score": 6.5,
"epss_probability": 0.79089,
"cisa_known_exploit": true,
"cve_published": "2023-09-12T17:15:00Z",
"cve_description": "Microsoft Word Information Disclosure Vulnerability",
"hosts_count": 4,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-30T16:24:53Z"
},
{
"cve": "CVE-2024-38189",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-38189",
"cvss_score": 8.8,
"epss_probability": 0.87181,
"cisa_known_exploit": true,
"cve_published": "2024-08-13T18:15:00Z",
"cve_description": "Microsoft Project Remote Code Execution Vulnerability",
"hosts_count": 4,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-30T16:24:54Z"
},
{
"cve": "CVE-2024-21413",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-21413",
"cvss_score": 9.8,
"epss_probability": 0.92563,
"cisa_known_exploit": true,
"cve_published": "2024-02-13T18:16:00Z",
"cve_description": "Microsoft Outlook Remote Code Execution Vulnerability",
"hosts_count": 4,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-30T16:24:55Z"
},
{
"cve": "CVE-2021-42292",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2021-42292",
"epss_probability": 0.55708,
"cisa_known_exploit": true,
"cve_published": "2021-11-10T01:19:00Z",
"cve_description": "Microsoft Excel Security Feature Bypass Vulnerability",
"hosts_count": 4,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-30T16:24:55Z"
},
{
"cve": "CVE-2023-44487",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
"cvss_score": 7.5,
"epss_probability": 0.91023,
"cisa_known_exploit": true,
"cve_published": "2023-10-10T14:15:00Z",
"cve_description": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.",
"hosts_count": 1,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-17T18:25:02Z"
},
{
"cve": "CVE-2024-44309",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2024-44309",
"cvss_score": 6.1,
"epss_probability": 0.00954,
"cisa_known_exploit": true,
"cve_published": "2024-11-20T00:15:00Z",
"cve_description": "A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.",
"hosts_count": 1,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2024-12-17T18:25:02Z"
},
{
"cve": "CVE-2025-22226",
"details_link": "https://nvd.nist.gov/vuln/detail/CVE-2025-22226",
"cvss_score": 6,
"epss_probability": 0.08037,
"cisa_known_exploit": true,
"cve_published": "2025-03-04T12:15:00Z",
"cve_description": "VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.",
"hosts_count": 1,
"hosts_count_updated_at": "2025-03-27T17:06:29Z",
"created_at": "2025-03-05T15:25:02Z"
}
],
"count": 22,
"counts_updated_at": "2025-03-27T17:06:29Z",
"meta": {
"has_next_results": false,
"has_previous_results": false
}
}
Note the count says 22, but there are only 16 CVEs.
🧑💻 Steps to reproduce
- Go to Software > Vulnerabilities tab > Add those same filters above, look at count mismatching the vulns
- Here's an example: it's showing a count of 100 but there's only 14. https://dogfood.fleetdm.com/software/vulnerabilities?exploit=true&query=2025&order_direction=desc&order_key=hosts_count&page=0
🕯️ More info (optional)
N/A
🛠️ To fix
Show correct vulnerability count.
Hey team! Please add your planning poker estimate with Zenhub @jahzielv @ksykulev
Reproduced in 4.65.0, updated Fleet version
Note: QA Wolf reported this as well with #28459
@mostlikelee @eugkuo @RachelElysia is this one relatively easy to fix? This is blocking a QA Wolf test and would be great to have it fixed if we can fit it in. Thanks!
@jmwatts This is backend FWIW, and probably not something super obvious on the backend. I might be able to take this later in the sprint (can put it at the top of the Estimated column) but I figure the solution for this won't be trivial.
Thanks @iansltx
Confirmed the fix by grabbing a copy of the Dogfood DB and running the vulns list endpoint call against it. Pre-fix I was getting an artificially high count. After the fix I got a count that matched the number of rows (one per CVE) returned.
Issue was one of deduplicating rows. Specifically, if a CVE got reported at different times or from different sources we'd get multiple entries. For example, a cross-platform CVE that was reported via OVAL for Linux and NVD for macOS, or a CVE that affected multiple pieces of software, where a host installed a new piece of affected software after the CVE was first found.
QA Notes
Tested a number of different combinations of filters and search terms and confirmed that all counts are now correct.
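The class of mismatch described in the fix comment, reproduced as an added example (not Fleet's code or schema): the `vuln_reports` table, its columns and the helper names are hypothetical, the rows are constructed, and the CVE IDs are taken from the response above. It also includes a check that a single-page response's `count` matches its `vulnerabilities` length.

```python
import sqlite3

# Hypothetical schema (not Fleet's): one row per report of a CVE, so the same
# CVE shows up again when another source or a later software install reports it.
# Constructed sample rows; CVE IDs come from the response quoted in the issue.
REPORTS = [
    ("CVE-2025-24201", "nvd", 1),
    ("CVE-2025-24201", "oval", 1),  # same CVE, different source
    ("CVE-2025-24085", "nvd", 1),
    ("CVE-2025-22226", "nvd", 1),
    ("CVE-2025-22226", "nvd", 1),   # same CVE, second affected software
    ("CVE-2024-44308", "nvd", 1),   # does not match the search term "2025"
]

WHERE = "WHERE exploited = 1 AND cve LIKE '%' || ? || '%'"

def open_db(reports=REPORTS):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vuln_reports (cve TEXT, source TEXT, exploited INTEGER)")
    db.executemany("INSERT INTO vuln_reports VALUES (?, ?, ?)", reports)
    return db

def list_cves(db, term):
    # The list collapses reports to one row per CVE.
    sql = f"SELECT cve FROM vuln_reports {WHERE} GROUP BY cve ORDER BY cve"
    return [row[0] for row in db.execute(sql, (term,))]

def raw_count(db, term):
    # Counting report rows inflates the total whenever a CVE has duplicates.
    sql = f"SELECT COUNT(*) FROM vuln_reports {WHERE}"
    return db.execute(sql, (term,)).fetchone()[0]

def deduped_count(db, term):
    # Counting distinct CVEs agrees with what the list returns.
    sql = f"SELECT COUNT(DISTINCT cve) FROM vuln_reports {WHERE}"
    return db.execute(sql, (term,)).fetchone()[0]

def count_is_consistent(resp):
    # Regression check for a response shaped like the one in the issue: when
    # there is no next or previous page, "count" must equal the rows returned.
    meta = resp["meta"]
    if meta["has_next_results"] or meta["has_previous_results"]:
        return True  # cannot be judged from a single page
    return resp["count"] == len(resp["vulnerabilities"])
```
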
API calls, counting, Enhance Fleet's trusted guarding, Clouds of safety forming.