False positive detection for CVE-2024-24806 #6180
Description: This vulnerability has been fixed in version 1.48.0, as confirmed in the security reports and the upstream repo: The patched version is available from Debian sid so I installed that but

Reproduction Steps:

```shell
docker buildx build --tag demo:cve - <<'EOF'
# syntax=docker/dockerfile:1
FROM docker.io/library/python:3.10.13-slim-bookworm
RUN <<EOT
sed -i 's/Suites: bookworm bookworm-updates/Suites: bookworm bookworm-updates unstable/' /etc/apt/sources.list.d/debian.sources
apt-get -qq -o Dpkg::Use-Pty=0 update --yes
apt-get -t unstable -qq -o Dpkg::Use-Pty=0 install --yes \
    libuv1
EOT
EOF
```

Target: Container Image
Scanner: Vulnerability
Target OS: Debian bookworm
Debug Output: It's in CI - I don't have `trivy` installed myself
Version: unknown
Hello @dhirschfeld

Thanks for your report!

Debian didn't release a fix for CVE-2024-24806 for Debian 12 - https://security-tracker.debian.org/tracker/CVE-2024-24806
We can't detect that the installed package was derived from another release. This is why Trivy reports this CVE.
You can use VEX to filter this CVE yourself.

Regards, Dmitriy
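One way to act on the VEX suggestion above, as an added example that is not code from the thread or from the Trivy project: a POSIX shell snippet that writes an OpenVEX statement marking the backported libuv1 as not affected by CVE-2024-24806 and passes it to `trivy image --vex`. The PURL version and qualifiers, the `@id` and the author are assumptions; the PURL has to match the one Trivy prints for libuv1 in its JSON report (`trivy image --format json demo:cve`), otherwise the statement silently applies to nothing.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Trivy project.
# Writes an OpenVEX document stating that the libuv1 pulled from unstable
# is not affected by CVE-2024-24806, then lets Trivy apply it on a rescan.
set -eu

# Assumed PURL of the backported package; it must match the PURL Trivy
# reports for libuv1 in `trivy image --format json demo:cve`.
LIBUV_PURL='pkg:deb/debian/libuv1@1.48.0-1?arch=amd64&distro=debian-12'

# write_vex <path>: emit the OpenVEX v0.2.0 document to <path>.
write_vex() {
  cat > "$1" <<VEX
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://vex.example.invalid/libuv1-cve-2024-24806",
  "author": "platform-security@example.invalid",
  "timestamp": "2024-02-20T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": { "name": "CVE-2024-24806" },
      "products": [ { "@id": "${LIBUV_PURL}" } ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present",
      "impact_statement": "libuv1 comes from Debian unstable and carries the upstream 1.48.0 fix"
    }
  ]
}
VEX
}

# vex_sanity <path>: return 0 when the document carries what Trivy needs to
# suppress the finding: the CVE id, the product PURL, a not_affected status
# and the justification OpenVEX requires for that status.
vex_sanity() {
  grep -q '"CVE-2024-24806"' "$1" &&
    grep -qF "$LIBUV_PURL" "$1" &&
    grep -q '"status": "not_affected"' "$1" &&
    grep -q '"justification"' "$1"
}

# scan_with_vex <image> <vex-path>: rescan with the VEX applied. Covered
# findings are suppressed; --show-suppressed still lists them with the reason.
scan_with_vex() {
  trivy image --vex "$2" --show-suppressed "$1"
}

write_vex ./libuv1.openvex.json
vex_sanity ./libuv1.openvex.json
# Rescan only where Trivy is installed (it is not on the reporter's workstation).
if command -v trivy >/dev/null 2>&1; then
  scan_with_vex demo:cve ./libuv1.openvex.json
fi
```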