Incorrect mapping of Applicable versions for CVE-2023-28858 & CVE-2023-28859 #1355
* Fix ranges of redis advisories. Fixes google/osv.dev#1355
* another lower bound
Thanks for the report. I've merged pypa/advisory-database#127 to fix the PYSEC entries. Note that it seems GHSA-24wv-mv5m-xv4h still needs to be fixed on GitHub's advisory database to include the lower bound though.
Hi Chang, thanks for the modification. The GitHub advisory is already modified; pull request here: github/advisory-database#2335
github/advisory-database#2335 only covers GHSA-8fww-64cx-x8p5. GHSA-24wv-mv5m-xv4h may still need to be fixed up to fix the lower bound?
Hi Team,
We have reported an anomaly with the CVEs in the discussion title: they are applicable to higher versions, i.e. 4.x, and do not impact versions running 2.x. This is updated under https://avd.aquasec.com/nvd/2023/cve-2023-28859/ and https://avd.aquasec.com/nvd/2023/cve-2023-28858 respectively, on May 17th 2023, both in NVD and also in AVD. Can we know when these changes would be reflected in the Trivy DB, so that we no longer see these as findings in the Trivy report for older versions of the redis Metadata async library running 2.10.6, 2.25.1 (2.x)? Thanks in advance.
Trivy Discussion: github/advisory-database#2335
More details:
CVE IDs: GHSA-24wv-mv5m-xv4h and GHSA-8fww-64cx-x8p5, Title: "redis: Async command information disclosure". Basically, data leakage across AsyncIO connections of the redis-py library.
These CVEs are related to python redis-py library, with introduction of async support.
"Async support was introduced in redis-py 4.2.x". Please check more details at: https://github.com/redis/redis-py/tree/v4.2.0.
Async support was not available in the "redis-py:2.10.6" version itself. But as part of the CVE scan, these CVE IDs (GHSA-24wv-mv5m-xv4h and GHSA-8fww-64cx-x8p5) were raised for redis-py library version 2.10.6.
Could you please update these CVEs so that the affected versions start at 4.2.x in https://nvd.nist.gov/vuln/detail/CVE-2023-28858 & https://nvd.nist.gov/vuln/detail/CVE-2023-28859.
So that we will not get these CVEs for our redis-py library version 2.10.6.
Currently this CVE is asking us to upgrade the Python library from 2.10.6 to 4.x, which is not straightforward and involves a lot of effort in our case. But this CVE is not really valid for redis-py library version 2.10.6.
Thank you in advance, and also correct me if I am missing anything. Please contact me if any more details are needed.
References:
More details on the Python version we are using: https://github.com/redis/redis-py/tree/2.10.6
Best
Sreecharan Guduri
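The version-range point made throughout this thread, as an added example that is not part of the original issue and is not osv.dev's or any advisory database's own code: an OSV-style "affected" range with no lower bound (introduced "0") matches redis-py 2.10.6, while the corrected range starting at 4.2.0 (the first release with async support, per the thread) does not. The "fixed" version in the sample data is an illustrative placeholder, not the advisories' real fixed version, and the version parser is a simplified one for plain dotted release numbers.

```python
"""Check installed versions against OSV-style affected ranges.

Added example, not code from osv.dev or from any advisory database. It
shows why an advisory range lacking a lower bound (introduced "0") flags
redis-py 2.10.6, while a range with introduced "4.2.0" does not. The
"fixed" version below is an illustrative placeholder, not the real one.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted numeric release string such as "4.2.0" into a
    comparable tuple. Pre-release and local segments are not handled;
    the release tags discussed in the thread are plain dotted numbers."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version: str, introduced: str, fixed: Optional[str] = None) -> bool:
    """OSV range semantics: "introduced" is inclusive, "fixed" is exclusive.
    OSV uses introduced "0" as the conventional open lower bound, which is
    exactly the case that produces the false positive discussed above.
    A range without "fixed" covers every version from "introduced" on."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def affected_versions(installed: List[str], ranges: List[Dict[str, str]]) -> List[str]:
    """Return the installed versions that fall inside any of the ranges."""
    return [
        v for v in installed
        if any(in_range(v, r["introduced"], r.get("fixed")) for r in ranges)
    ]


# Constructed sample data: the 2.x versions the reporter runs plus two 4.x
# releases. FIXED_PLACEHOLDER stands in for the advisory's real fixed version.
INSTALLED = ["2.10.6", "2.25.1", "4.2.0", "4.5.0"]
FIXED_PLACEHOLDER = "4.99.0"

# Range as the GHSA entry reportedly stood: no lower bound at all.
RANGE_MISSING_LOWER_BOUND = [{"introduced": "0", "fixed": FIXED_PLACEHOLDER}]
# Range after the fix: async support arrived in 4.2.0, so start there.
RANGE_WITH_LOWER_BOUND = [{"introduced": "4.2.0", "fixed": FIXED_PLACEHOLDER}]

if __name__ == "__main__":
    print("missing lower bound:", affected_versions(INSTALLED, RANGE_MISSING_LOWER_BOUND))
    print("with lower bound:   ", affected_versions(INSTALLED, RANGE_WITH_LOWER_BOUND))
```

Running the script lists all four sample versions as affected under the first range and only the 4.x releases under the second, which is the difference between a scanner reporting 2.10.6 as a finding and not reporting it. Only the lower bound changes between the two ranges; the placeholder upper bound is identical.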