Fals positive detection for CVE-2024-24806

[dhirschfeld]

IDs

CVE-2024-24806, GHSA-f74f-cvh7-c6q6

Description

This vulnerability has been fixed in version 1.48.0, as confirmed in the security reports and the upstream repo:

• https://github.com/libuv/libuv/releases/tag/v1.48.0

The patched version is available from Debian sid so I installed that but trivy still complains despite the fixed version 1.48.0-1 being installed:

┌─────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libuv1  │ CVE-2024-24806 │ CRITICAL │ affected │ 1.48.0-1          │               │ libuv: Improper Domain Lookup that potentially leads to SSRF │
│         │                │          │          │                   │               │ attacks                                                      │
│         │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-24806                   │
└─────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Reproduction Steps

docker buildx build --tag demo:cve - <<'EOF'
# syntax=docker/dockerfile:1
FROM docker.io/library/python:3.10.13-slim-bookworm 

RUN <<EOT
sed -i 's/Suites: bookworm bookworm-updates/Suites: bookworm bookworm-updates unstable/' /etc/apt/sources.list.d/debian.sources
apt-get -qq -o Dpkg::Use-Pty=0 update --yes
apt-get -t unstable -qq -o Dpkg::Use-Pty=0 install --yes \
    libuv1
EOT
EOF

Target

Container Image

Scanner

Vulnerability

Target OS

Debian bookworm

Debug Output

It's in CI - I don't have `trivy` installed myself

Version

unknown

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @dhirschfeld
Thanks for your report!

Debian didn't release fix of CVE-2024-24806 for Debian 12 - https://security-tracker.debian.org/tracker/CVE-2024-24806

We can't detect info that installed package was derived from another release - This is why Trivy reports this CVE.

You can use VEX to filter this CVE yourself.

Regards, Dmitriy