False Positive for CVE-2019-3826 #840
Comments
willmurphyscode
added
ecosystem:java
|
Hi @anuragagarwal561994, thanks for reporting this! I've confirmed that Now I'll get some details about the issue. Here's some info from the match details: CVE-2019-3826 from https://nvd.nist.gov/vuln/detail/CVE-2019-3826 It looks to me like CVE-2019-3826 is a cross-site scripting vulnerability in the Prometheus front-end, which seems like it can't possibly affect a jar. I think the CPEs being generated, which include |
|
Thanks for looking into this @willmurphyscode The vulnerability was present in the prometheus server I believe, while this is more related to the client jar. |
tgerla
added
the
changelog-ignore
|
Hello, after upgrading to the latest Grype I can confirm that this false positive is no longer reported. Please see https://anchore.com/blog/say-goodbye-to-false-positives/ for more details. |
|
Thanks for update |
What happened:
Grype results in false positive for CVE-2019-3826
What you expected to happen:
No false positive for CVE-2019-3826
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
grype version: 0.43.0cat /etc/os-releaseor similar): Mac M1{ "vulnerability": { "id": "CVE-2019-3826", "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2019-3826", "namespace": "nvd:cpe", "severity": "Medium", "urls": [ "https://github.com/prometheus/prometheus/pull/5163", "https://github.com/prometheus/prometheus/commit/62e591f9", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826", "https://access.redhat.com/errata/RHBA-2019:0327", "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E", "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E", "https://advisory.checkmarx.net/advisory/CX-2019-4297" ], "description": "A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.", "cvss": [ { "version": "2.0", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "metrics": { "baseScore": 4.3, "exploitabilityScore": 8.6, "impactScore": 2.9 }, "vendorMetadata": {} }, { "version": "3.0", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "metrics": { "baseScore": 6.1, "exploitabilityScore": 2.8, "impactScore": 2.7 }, "vendorMetadata": {} } ], "fix": { "versions": [], "state": "unknown" }, "advisories": [] }, "relatedVulnerabilities": [], "matchDetails": [ { "type": "cpe-match", "matcher": "java-matcher", "searchedBy": { "namespace": "nvd:cpe", "cpes": [ "cpe:2.3:a:prometheus:prometheus:1.7.0:*:*:*:*:*:*:*" ] }, "found": { "versionConstraint": "< 2.7.1 (unknown)", "cpes": [ "cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*" ] } } ], "artifact": { "name": "resilience4j-prometheus", "version": "1.7.0", "type": "java-archive", "locations": [ { "path": "/app/libs/resilience4j-prometheus-1.7.0.jar", "layerID": "sha256:79e564ba8c4bf957e49b5da59fc1975455b66d2b4623d8ed87461c49240d41f5" } ], "language": "java", "licenses": [], "cpes": [ "cpe:2.3:a:resilience4j-prometheus:resilience4j-prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:resilience4j-prometheus:resilience4j_prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:resilience4j_prometheus:resilience4j-prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:resilience4j_prometheus:resilience4j_prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:resilience4j-prometheus:resilience4j:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:resilience4j:resilience4j-prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:resilience4j:resilience4j_prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:resilience4j_prometheus:resilience4j:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:prometheus:resilience4j-prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:prometheus:resilience4j_prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:resilience4j-prometheus:prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:resilience4j_prometheus:prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:github:resilience4j-prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:github:resilience4j_prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:resilience4j:resilience4j:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:prometheus:resilience4j:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:resilience4j:prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:prometheus:prometheus:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:github:resilience4j:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:github:prometheus:1.7.0:*:*:*:*:*:*:*" ], "purl": "pkg:maven/io.github.resilience4j.prometheus/[email protected]", "upstreams": [], "metadataType": "JavaMetadata", "metadata": { "virtualPath": "/app/libs/resilience4j-prometheus-1.7.0.jar", "pomArtifactID": "", "pomGroupID": "", "manifestName": "", "archiveDigests": [ { "algorithm": "sha1", "value": "53f32d840ac025a3813b7803a39829776e9b2927" } ] } } }The text was updated successfully, but these errors were encountered: