false positive redhat unpatched vulnerability #1906
There is no binary package called

```
[vagrant@rhel8 ~]$ rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH} %{MODULARITYLABEL} %{SOURCERPM}\n" | grep vim
vim-minimal 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-filesystem 2 8.0.1763 19.el8_6.4 noarch (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-common 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-enhanced 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
```

In gost, it seems that vulnerabilities are tied to source package names. OVAL includes a binary package and, for some reason, a source package.

```xml
<definition class="vulnerability" id="oval:com.redhat.cve:def:202020703" version="636">
  <metadata>
    <title>vim: buffer overflow (low)</title>
    <reference ref_id="CVE-2020-20703" ref_url="https://access.redhat.com/security/cve/CVE-2020-20703" source="CVE"/>
    <description>DOCUMENTATION: A use-after-free flaw was found in Vim. This issue allows a heap buffer overflow leading to a write access violation. This flaw allows the attacker to possibly have control over the write address and value, which may lead to an application crash.
STATEMENT: Red Hat Product Security has rated this issue as having a Low security impact, because the "victim" has to run an untrusted file IN SCRIPT MODE. Someone who is running untrusted files in script mode is equivalent to someone just taking a random python script and running it.
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/
MITIGATION: Untrusted vim scripts with -s [scriptin] are not recommended to run.</description>
    <advisory from="secalert@redhat.com">
      <severity>Low</severity>
      <updated date="2024-02-07"/>
      <cve cvss3="5.5/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" cwe="CWE-416->CWE-119" href="https://access.redhat.com/security/cve/CVE-2020-20703" impact="low" public="20230620">CVE-2020-20703</cve>
      <affected>
        <resolution state="Affected">
          <component>vim</component>
          <component>vim-X11</component>
          <component>vim-common</component>
          <component>vim-enhanced</component>
          <component>vim-filesystem</component>
          <component>vim-minimal</component>
        </resolution>
      </affected>
      <affected_cpe_list>
        <cpe>cpe:/a:redhat:enterprise_linux:8</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::appstream</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::crb</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::highavailability</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::nfv</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::realtime</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::resilientstorage</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::sap</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::sap_hana</cpe>
        <cpe>cpe:/a:redhat:enterprise_linux:8::supplementary</cpe>
        <cpe>cpe:/o:redhat:enterprise_linux:8</cpe>
        <cpe>cpe:/o:redhat:enterprise_linux:8::baseos</cpe>
      </affected_cpe_list>
    </advisory>
  </metadata>
  <criteria operator="OR">
    <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.cve:tst:20052541004"/>
    <criteria operator="AND">
      <criterion comment="Red Hat Enterprise Linux 8 is installed" test_ref="oval:com.redhat.cve:tst:20052541003"/>
      <criteria operator="OR">
        <criteria operator="AND">
          <criterion comment="vim-minimal is installed" test_ref="oval:com.redhat.cve:tst:201820786009"/>
          <criterion comment="vim-minimal is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786010"/>
        </criteria>
        <criteria operator="AND">
          <criterion comment="vim is installed" test_ref="oval:com.redhat.cve:tst:201820786011"/>
          <criterion comment="vim is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786012"/>
        </criteria>
        <criteria operator="AND">
          <criterion comment="vim-common is installed" test_ref="oval:com.redhat.cve:tst:201820786003"/>
          <criterion comment="vim-common is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786004"/>
        </criteria>
        <criteria operator="AND">
          <criterion comment="vim-X11 is installed" test_ref="oval:com.redhat.cve:tst:201820786013"/>
          <criterion comment="vim-X11 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786014"/>
        </criteria>
        <criteria operator="AND">
          <criterion comment="vim-enhanced is installed" test_ref="oval:com.redhat.cve:tst:201820786007"/>
          <criterion comment="vim-enhanced is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786008"/>
        </criteria>
        <criteria operator="AND">
          <criterion comment="vim-filesystem is installed" test_ref="oval:com.redhat.cve:tst:201820786005"/>
          <criterion comment="vim-filesystem is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:201820786006"/>
        </criteria>
      </criteria>
    </criteria>
  </criteria>
</definition>
```

In the case of a modular package, it must be specified as

There are two possible corrections.

In case 1, as before, OVAL is in charge of Patched, and gost is in charge of Unpatched, but you must update vuls scanner.
What did you do? (required. The issue will be closed when not provided.)
Unpatched vulnerabilities are supposed to be detected by gost, but in the gost data source, vulnerabilities are linked to source packages.
Therefore, there is a possibility of false positives or missed positives.
What did you expect to happen?
Accurately detect unpatched vulnerabilities.
What happened instead?
I have installed vim-common and others, but an unpatched vulnerability in vim: CVE-2020-20703 is not detected.
https://access.redhat.com/security/cve/CVE-2020-20703
Steps to reproduce the behaviour
vuls scan json: vagrant.json
Configuration (MUST fill this out):
Go version (`go version`): go version go1.22.0 linux/amd64
Go environment (`go env`):
Vuls environment:
Hash : f3f6671
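The binary-to-source mapping the issue points at, as an added example that is not vuls or gost code: it parses the `rpm -qa --queryformat` output quoted above, recovers the source package name from `SOURCERPM`, and shows that looking up the source-keyed name `vim` against installed binary names misses while a source-name lookup hits. `ParseRPMList`, `SourceName` and `Has` are names chosen here; the sample is the four lines from the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Sample: the four vim lines from the issue's rpm -qa output. No binary package is named plain "vim".
const Sample = `vim-minimal 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-filesystem 2 8.0.1763 19.el8_6.4 noarch (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-common 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm
vim-enhanced 2 8.0.1763 19.el8_6.4 x86_64 (none) vim-8.0.1763-19.el8_6.4.src.rpm`

// ParseRPMList maps each installed binary name to its SOURCERPM (fields: NAME EPOCHNUM VERSION RELEASE ARCH MODULARITYLABEL SOURCERPM).
func ParseRPMList(out string) map[string]string {
	installed := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Fields(line); len(f) == 7 {
			installed[f[0]] = f[6]
		}
	}
	return installed
}

// SourceName turns "vim-8.0.1763-19.el8_6.4.src.rpm" into "vim" by stripping ".src.rpm" and then the last two dash-separated fields (version, release).
func SourceName(srcrpm string) string {
	s := strings.TrimSuffix(srcrpm, ".src.rpm")
	for i := 0; i < 2; i++ {
		if j := strings.LastIndex(s, "-"); j >= 0 {
			s = s[:j]
		}
	}
	return s
}

// Has matches key against installed binary names (how the OVAL component list is keyed);
// with bySource it also matches the source name from SOURCERPM (how gost is keyed).
func Has(installed map[string]string, key string, bySource bool) bool {
	for name, src := range installed {
		if name == key || (bySource && SourceName(src) == key) {
			return true
		}
	}
	return false
}

func main() {
	installed := ParseRPMList(Sample)
	fmt.Println("vim by binary name:", Has(installed, "vim", false), "by source name:", Has(installed, "vim", true))
}
```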